Meraki

Community

SSO Token Failure Traffic

JNetworkMan05
Conversationalist
‎Jan 14 2025 11:03 AM
‎Jan 14 2025 11:03 AM

SSO Token Failure Traffic

Noticed a weird event while going through my Event logs on one of my MX firewalls. I am getting an AnyConnect VPN authentication failure with details stating "msg: SAML: SSO token verify failure for user: " and then for the user its just random names (just one name, first letter and last name, first and last name, etc.

 

Tracking down the IP leads me to the same IP that I am assuming is a proxy path coming from the internet?

 

Has anyone else experienced this issue? I am getting over 200 failed attempts per day and am worried that I should be doing something else to prevent these from even attempting to login?

0 Kudos
8 Replies 8
Mloraditch
Kind of a big deal
‎Jan 14 2025 11:24 AM
‎Jan 14 2025 11:24 AM

I can't say I've seen it on my MX, but I've seen plenty of these attacks in a general sense. Hackers find an open vpn portal and just throw stuff at it. If the IP is located in a different country, you could try blocking it via Layer 7 rules, although, I'm not sure that applies to AnyConnect.

If your MX is in concentrator mode you could try blocking upstream or if you have access to your internet router, null routing things. But there are generally limited options without more sophisticated tools.

Someone else may have seen these specific errors and may have something to add, but that's my initial thoughts.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 12:12 PM
‎Jan 14 2025 12:12 PM

While I don't personally have experience with this event, other forums suggest:

indicates that the Single Sign-On (SSO) token presented by a user could not be successfully validated by the system, meaning the user's identity could not be confirmed and access is denied, usually due to issues like an invalid token, expired session, misconfigured settings, or a problem with the identity provider certificate used to sign the token.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to RWelch
JNetworkMan05
Conversationalist
‎Jan 14 2025 12:15 PM
‎Jan 14 2025 12:15 PM

This makes sense. The problem is, all of these failed attempts aren't my users. They are just random names. So while the function of the Meraki is failing their login attempts by design, I am concerned by how often this is happening.

0 Kudos
In response to JNetworkMan05
RWelch
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 12:31 PM
‎Jan 14 2025 12:31 PM

If they aren't your users - block the source - and wait for someone to complain to help get a better understanding of what they are attempting to sign into.  Allowing users on your network that aren't yours seems risk adverse to me but I am not familiar enough with your network.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
JNetworkMan05
Conversationalist
‎Jan 14 2025 12:41 PM
‎Jan 14 2025 12:41 PM

This is where another piece of the puzzle gets tricky. It appears as though there is some sort of proxy path directing these and the source of the IP is the same IP as my "transit to Nexus" VLAN interface IP.

0 Kudos
In response to JNetworkMan05
RWelch
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 12:46 PM
‎Jan 14 2025 12:46 PM

Wishing you all the best on the resolution of the mystery and puzzle.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 14 2025 12:53 PM
‎Jan 14 2025 12:53 PM

Is it coming from a single country, that you want nothing to do with?

 

If so, you could try creating a L7 firewall rule.  Never tested if it also blocks AnyConnect, but worth a go.

 

You could also try a L7 firewall rule to block this one IP address.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Fi...

 

 

Another thought - this might mean one of your users machines is compromised, and that a token has been stolen from it, a token that has now expired and is no longer valid.

https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/token-theft-protection-with-microsof...

In response to PhilipDAth
JNetworkMan05
Conversationalist
‎Jan 27 2025 8:53 AM
‎Jan 27 2025 8:53 AM

Hello,

 

I tried the Layer 7 firewall rule and it seems to have not worked (same errors this morning with the failed VPN logins). Reading into your second suggestion now.

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.