SSO Token Failure Traffic
Noticed a weird event while going through my Event logs on one of my MX firewalls. I am getting an AnyConnect VPN authentication failure with details stating "msg: SAML: SSO token verify failure for user: " and then for the user it's just random names (just one name, first letter and last name, first and last name, etc.).
Tracking down the IP leads me to the same IP that I am assuming is a proxy path coming from the internet?
Has anyone else experienced this issue? I am getting over 200 failed attempts per day and am worried that I should be doing something else to prevent these from even attempting to log in?
I can't say I've seen it on my MX, but I've seen plenty of these attacks in a general sense. Hackers find an open VPN portal and just throw stuff at it. If the IP is located in a different country, you could try blocking it via Layer 7 rules, although I'm not sure that applies to AnyConnect.
If your MX is in concentrator mode you could try blocking upstream or if you have access to your internet router, null routing things. But there are generally limited options without more sophisticated tools.
Someone else may have seen these specific errors and may have something to add, but those are my initial thoughts.
While I don't personally have experience with this event, other forums suggest:
indicates that the Single Sign-On (SSO) token presented by a user could not be successfully validated by the system, meaning the user's identity could not be confirmed and access is denied, usually due to issues like an invalid token, expired session, misconfigured settings, or a problem with the identity provider certificate used to sign the token.
This makes sense. The problem is, all of these failed attempts aren't my users. They are just random names. So while the function of the Meraki is failing their login attempts by design, I am concerned by how often this is happening.
If they aren't your users - block the source - and wait for someone to complain to help get a better understanding of what they are attempting to sign into. Allowing users on your network that aren't yours seems risk adverse to me but I am not familiar enough with your network.
This is where another piece of the puzzle gets tricky. It appears as though there is some sort of proxy path directing these and the source of the IP is the same IP as my "transit to Nexus" VLAN interface IP.
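A small triage script for the two observations above (the "SAML: SSO token verify failure for user:" messages and the source IP that turns out to be an internal transit interface), added here as an example and not code from the thread or from Meraki. The line layout (`timestamp src=<ip> msg: ...`), the sample log lines, the known-user list and the interface address are all constructed assumptions; a real MX event-log export will need its own parsing expression. It counts failures per source, flags names that are not in your user directory, and flags a source that is one of your own interface addresses, since in that case the log cannot tell you where the client really is and the true source has to be recovered on the upstream hop.

```python
"""Triage AnyConnect SAML token-verification failures from an event log export.

Added example. The log layout and every sample value below are constructed
(assumptions); adjust LINE_RE to the real export format before use.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines. Layout "date time src=<ip> msg: <text>" is assumed.
SAMPLE_LOG = """\
2024-05-01 08:01:12 src=203.0.113.7 msg: SAML: SSO token verify failure for user: jsmith
2024-05-01 08:01:13 src=203.0.113.7 msg: SAML: SSO token verify failure for user: amy.jones
2024-05-01 08:01:15 src=203.0.113.7 msg: SAML: SSO token verify failure for user: bob
2024-05-01 08:02:40 src=10.20.30.1 msg: SAML: SSO token verify failure for user: rlee
2024-05-01 08:02:41 src=10.20.30.1 msg: SAML: SSO token verify failure for user: kwhite
2024-05-01 09:15:00 src=198.51.100.4 msg: SAML: SSO token verify failure for user: cday
2024-05-01 09:15:01 src=198.51.100.4 msg: AnyConnect session established for user: cday
"""

# Constructed: accounts that really exist in the identity provider (lower-case).
KNOWN_USERS = {"rlee", "cday"}
# Constructed: addresses of your own interfaces (e.g. a transit VLAN SVI).
# A "source" equal to one of these means an upstream hop hid the real client.
INTERNAL_IFACE_IPS = {"10.20.30.1"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) msg: (?P<msg>.*)$")
FAILURE_RE = re.compile(r"SAML: SSO token verify failure for user: (?P<user>.*)$")


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for each token-verify failure.

    Lines that do not match the assumed layout, or that carry a different
    message, are skipped. An empty username (the log ends in "user: ") is kept
    as "" so it still counts toward the source's failure total.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = FAILURE_RE.search(m.group("msg"))
        if f:
            yield m.group("ts"), m.group("src"), f.group("user").strip()


def triage(log_text, known_users, internal_iface_ips, threshold=3):
    """Aggregate failures per source and tag what a defender should look at.

    Tags per source:
      high-volume                    failures >= threshold
      unknown-users                  at least one name not in known_users
      source-masked-by-internal-hop  source is one of our own interfaces
    Returns {"findings": [...], "unknown_users": [...]}, findings sorted by
    failure count (descending).
    """
    per_src = Counter()
    users_by_src = defaultdict(set)
    for _, src, user in parse_failures(log_text):
        per_src[src] += 1
        users_by_src[src].add(user)

    findings = []
    unknown_users = set()
    for src, n in per_src.most_common():
        unknown = {u for u in users_by_src[src] if u.lower() not in known_users}
        unknown_users |= unknown
        tags = []
        if n >= threshold:
            tags.append("high-volume")
        if unknown:
            tags.append("unknown-users")
        if src in internal_iface_ips:
            tags.append("source-masked-by-internal-hop")
        findings.append({
            "src": src,
            "failures": n,
            "distinct_users": len(users_by_src[src]),
            "tags": tags,
        })
    return {"findings": findings, "unknown_users": sorted(unknown_users)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, KNOWN_USERS, INTERNAL_IFACE_IPS)
    for f in report["findings"]:
        print(f"{f['src']:>15}  failures={f['failures']}  "
              f"users={f['distinct_users']}  tags={','.join(f['tags']) or '-'}")
    print("names not in directory:", ", ".join(report["unknown_users"]))
```

Running it against the constructed sample reports `203.0.113.7` as a high-volume source trying only non-existent names, and `10.20.30.1` as a source that is really one of your own interfaces, which is the signal to go look at NAT or proxy logging on the device in front of the MX rather than at the MX event log itself.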
Wishing you all the best on the resolution of the mystery and puzzle.
Is it coming from a single country that you want nothing to do with?
If so, you could try creating a L7 firewall rule. Never tested if it also blocks AnyConnect, but worth a go.
You could also try a L7 firewall rule to block this one IP address.
Another thought - this might mean one of your users' machines is compromised, and that a token has been stolen from it, a token that has now expired and is no longer valid.
Hello,
I tried the Layer 7 firewall rule and it seems to have not worked (same errors this morning with the failed VPN logins). Reading into your second suggestion now.
