Secure/VPN not working for SOME internet providers

PineTree
Here to help

Hi,

We use port 446 for our Secure Client port, SAML to Azure. It works reliably with Spectrum/Charter users, and Verizon and Firstnet cellphone hotspot users.

However we have some people with other local fiber internet providers who have issues connecting. It will timeout. When I have them connect to a backup site on port 443, it seems they can connect fine. Also, these people can ping our dynamic-m URL and our public IP no problem.

I've gone round and round with the fiber ISP support about this and they say definitively they do not block port 446, and demonstrate they can ping our IP, as well as telnet to port 446. Only variable here seems to be the port. The only reason we don't use 443 is that Secure Client/AnyConnect did not work on AT&T hotspots for us on that port.

5 Replies
RWelch
Kind of a big deal

(attached screenshot: Screenshot 2025-12-30 at 11.58.26.png)

Possibly related to the issues mentioned/described above?

Cisco Cloud Security Service Status 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PineTree
Here to help

No, I don't think so, I've been working on this for a few months.

RWelch
Kind of a big deal

What do your packet captures and client logs indicate? I would think they would provide good insight in diagnosing handshake failures.

PineTree
Here to help

So I did a few packet captures and what I noticed is that the people on the regional fiber ISPs had packet fragmentation issues whereas people on Charter/Spectrum and Verizon/AT&T did not have fragmentation issues. I tested further and manually set the MTU on the people having issues to 1390 after some ping tests and that resolved the connection issues.
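The "ping tests" in the reply above are a path MTU probe: send ICMP echoes with the Don't Fragment bit set and shrink the payload until replies come back. The script below is an added example (not from the original post, and not Cisco or Meraki code) that automates that search with a binary search over the payload size. It assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the payload size) and that the host you probe answers ICMP; the 28-byte header figure is the IPv4 (20) plus ICMP (8) overhead, and the encapsulation headroom is an assumed default, not a value from the thread.

```shell
#!/bin/sh
# Added example: locate the largest DF-flagged ICMP payload a path carries,
# then derive the path MTU and a tunnel MTU with headroom for VPN encapsulation.
# Assumes Linux iputils ping; the probe target is whatever host you pass in.

# probe HOST SIZE: succeed (exit 0) if one DF ping with SIZE bytes of payload gets a reply.
probe() {
    ping -M do -s "$2" -c 1 -W 2 "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI [PROBE_FN]: binary-search the largest payload size in
# [LO,HI] for which PROBE_FN succeeds and print it. PROBE_FN defaults to probe; a
# substitute can be passed in so the search logic is testable without a network.
find_max_payload() {
    fmp_host=$1; fmp_lo=$2; fmp_hi=$3; fmp_fn=${4:-probe}
    fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_fn" "$fmp_host" "$fmp_mid"; then
            fmp_best=$fmp_mid          # this size passed; look for something larger
            fmp_lo=$(( fmp_mid + 1 ))
        else
            fmp_hi=$(( fmp_mid - 1 ))  # fragmentation needed; look smaller
        fi
    done
    echo "$fmp_best"
}

# path_mtu PAYLOAD: IPv4 header (20 bytes) + ICMP header (8 bytes) + payload.
path_mtu() {
    echo $(( $1 + 28 ))
}

# tunnel_mtu PATH_MTU [OVERHEAD]: MTU to configure on the client so that the VPN's
# own IP/UDP/DTLS headers still fit without fragmentation. OVERHEAD is an assumed
# default (100 bytes); check the actual encapsulation overhead of your client.
tunnel_mtu() {
    echo $(( $1 - ${2:-100} ))
}

# Stand-alone usage: sh pmtu.sh <host>. Nothing runs when no host is given, so the
# functions can be sourced or tested without sending any traffic.
if [ -n "${1:-}" ]; then
    payload=$(find_max_payload "$1" 0 1472)
    pmtu=$(path_mtu "$payload")
    echo "largest DF payload: $payload bytes"
    echo "path MTU: $pmtu bytes"
    echo "suggested client MTU: $(tunnel_mtu "$pmtu") bytes"
fi
```

Run it against the VPN's public address from a client on the problem ISP and again from one on a working ISP; a noticeably smaller path MTU on the first is the same fragmentation symptom the packet captures showed, and the suggested client MTU is the value to try before settling on a fixed number like 1390.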

PhilipDAth
Kind of a big deal

Is your MX behind a device that does NAT?

If so, are you allowing BOTH TCP and UDP 446?
