Meraki

Community

Secure/VPN not working for SOME internet providers

PineTree
Here to help
3 hours ago
3 hours ago

Secure/VPN not working for SOME internet providers

Hi,

 

We use port 446 for our Secure Client port, SAML to Azure. It works reliably with Spectrum/Charter users, and Verizon and Firstnet cellphone hotspot users.

 

However we have some people with other local fiber internet providers who have issues connecting. It will timeout. When I have them connect to a backup site on port 443, it seems they can connect fine. Also, these people can ping our dynamic-m URL and our public IP no problem.

 

Ive gone round and round with the fiber ISP support about this and they say definitively they do not block port 446, and demonstrate they can ping our IP, as well as telnet to port 446. Only variable here seems to be the port. The only reason we dont use 443 is that Secure Client/Anyconnect did not work on AT&T hotspots for us on that port.

0 Kudos
5 Replies 5
RWelch
Kind of a big deal
Kind of a big deal
3 hours ago
3 hours ago

Screenshot 2025-12-30 at 11.58.26.png

Possibly related to the issues mentioned/described above?

Cisco Cloud Security Service Status 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to RWelch
PineTree
Here to help
2 hours ago
2 hours ago

No, I dont think so, ive been working on this for a few months.

0 Kudos
RWelch
Kind of a big deal
Kind of a big deal
2 hours ago
2 hours ago

What do your packet captures and client logs indicate?  I would think they would provide good insight in diagnosing handshake failures.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
PineTree
Here to help
20m ago
20m ago

So I did a few packet captures and what I noticed is that the people on the regional Fiber ISPs had packet fragmentation issues whereas people on Charter/Spectrum and Verizon/ATT did not have fragmentation issues. I tested further and manually set the MTU on the people having issues to 1390 after some ping tests and that resolved the connection issues. 

PhilipDAth
Kind of a big deal
Kind of a big deal
2 hours ago
2 hours ago

Is your MX behind a device that does NAT?

If so, are you allowing BOTH TCP and UDP 446?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.