Setting up Anyconnect Client VPN

Solved
Adrian4
Head in the Cloud

Setting up Anyconnect Client VPN

Hello,

 

I am trying to setup a very basic client VPN connection in order to test it out and see if its something my company would move to using.

But I cant get event he most basic config to work 😛

I am testing with a MX67w firmware version  MX 18.107.2

I have downloaded/installed the latest AnyConnect client from the dashboard.


In Security/SD-WAN I have gone into client VPN and enabled the AnyConnect settings.
Selected Meraki Cloud authentication
Put in a subnet I'm not using anywhere else 

I have cert authentication to disabled, although while testing a turned it on and was expecting a choice of cert methods but I only get a single option to upload a cert file (guide says here should be an auto generated option)
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#How_to_Enable_AnyConne...

using google public dns
set my user account to allow VPN access.

Saved settings.


Then I copied the hostname and pasted it into the client and clicked connect - I don't get a credentials prompt, it just gives me an error after a while saying connection attempt timed out.

I am able to ping the MX's public IP no problem.
I'm using standard 443 port.
There isn't any firewall or other device between the ISP router and the MX.


Dunno what else to try.

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

Bingo, then it won't work, you need a public IP configured directly on the WAN interface, an IP with NAT won't work anyway. That's what we're trying to explain to you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

20 Replies 20
alemabrahao
Kind of a big deal
Kind of a big deal

Are you testing in the same location where MX is installed? If so, it won't work, you need to be on another network, you can route your mobile device's WiFi to test.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

im on a separate network

alemabrahao
Kind of a big deal
Kind of a big deal

Is the IP that the ISP delivers using CGNAT? I've seen problems when using CGNAT. Setting up Anyconnect itself is simple.
 
You can also try disabling Windows Firewall or your antivirus.
 
One more question, have you checked that any connection attempts are coming to the MX? You can check the logs or perform a Packet Capture on the WAN interface.
 
If nothing is arriving, it's not a problem in MX.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

One more thing, do you have any NAT or port forwarding for port 443 configured on the MX?
 
If this is the case, it will also be a problem, so you must specify another port for Anyconnect.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

no, no forwarding etc.

I can ping the hostname and see it get all the way to the mx ok. I made sure antivirus isn't blocking anything. I ran a packet capture on the mx during a connection attempt but couldn't see any relevant traffic - but then i couldn't see any traffic to my laptop during a successful ping test either.

The MX does have an inbound firewall enabled surprisingly with a block all rule. I didnt thin this would be blocking it but I added a allow all rule all the same and it still didn't help so i removed it again.


alemabrahao
Kind of a big deal
Kind of a big deal

Being able to ping  is not a valid test for me. I sent you a troubleshooting guide. But this seems to be a problem with your notebook or local network, nothing related to the MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

I dont see anything in the log after i enabled the anyconnect server - i assume that means nothing is reaching the mx? I have no filters set so should be seeing everything

alemabrahao
Kind of a big deal
Kind of a big deal

Yes, apparently there are no requests arriving at the MX, have you tried a packet capture? Any chance your Windows firewall or antivirus is blocking the connection attempt?

 

Check the troubleshooting guide.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Troubleshoo...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Does the MX definitely have the public IP address on its WAN port?

Adrian4
Head in the Cloud

in the appliance status page I can see WAN2 has the ip next to it with a green active sign.
If i go to uplink config the public ip is there again with a different DNS name than the VPN one.

Just to see if there was anything on my company laptop that cold be interfering, I grabbed a spare laptop, formatted it - connected to a guest wifi and tried again with nothing installed on the laptop except the VPN client. - I get the exact same message as my company laptop - connection attempt timed out.




alemabrahao
Kind of a big deal
Kind of a big deal

If you have WAN 1 configured and it is configured as primary, the VPN client will not work on WAN2, either you use the WAN IP to connect or you change WAN2 to the primary traffic shaping configuration.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

ah interesting.

both WANs are configured as dynamic. WAN 1 is enabled but not connected.

I disabled WAN1 and tried again - same error message.

alemabrahao
Kind of a big deal
Kind of a big deal

Dynamic? So you don't have a public IP, right? You're behind a NAT, so it won't work.

 

Please provide more details of this connection if the understanding is wrong.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

Adrian4_2-1698315872624.png

 

Adrian4_1-1698315826375.png

Adrian4_3-1698315951868.png

 

Adrian4
Head in the Cloud

the MX is plugged directly into a BT router

alemabrahao
Kind of a big deal
Kind of a big deal

Yes, but is the IP that is shown as highlighted public or private?

 

alemabrahao_0-1698319416140.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

that one is private on the internal lan

alemabrahao
Kind of a big deal
Kind of a big deal

Bingo, then it won't work, you need a public IP configured directly on the WAN interface, an IP with NAT won't work anyway. That's what we're trying to explain to you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Adrian4
Head in the Cloud

aaah I get you, cheers!

Adrian4
Head in the Cloud

one last question - does this mean that if the primary WAN link goes down, it will drop all VPN connections? 
If so, will they be able to re-connect on the secondary WAN?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels