Meraki

Community

Setting up Anyconnect Client VPN

Solved
Adrian4
Head in the Cloud
‎Oct 25 2023 6:25 AM
‎Oct 25 2023 6:25 AM

Setting up Anyconnect Client VPN

Hello,

 

I am trying to setup a very basic client VPN connection in order to test it out and see if its something my company would move to using.

But I cant get event he most basic config to work 😛

I am testing with a MX67w firmware version  MX 18.107.2

I have downloaded/installed the latest AnyConnect client from the dashboard.


In Security/SD-WAN I have gone into client VPN and enabled the AnyConnect settings.
Selected Meraki Cloud authentication
Put in a subnet I'm not using anywhere else 

I have cert authentication to disabled, although while testing a turned it on and was expecting a choice of cert methods but I only get a single option to upload a cert file (guide says here should be an auto generated option)
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#How_to_Enable_AnyConne...

using google public dns
set my user account to allow VPN access.

Saved settings.


Then I copied the hostname and pasted it into the client and clicked connect - I don't get a credentials prompt, it just gives me an error after a while saying connection attempt timed out.

I am able to ping the MX's public IP no problem.
I'm using standard 443 port.
There isn't any firewall or other device between the ISP router and the MX.


Dunno what else to try.

0 Kudos
1 Accepted Solution
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 5:13 AM
‎Oct 26 2023 5:13 AM

Bingo, then it won't work, you need a public IP configured directly on the WAN interface, an IP with NAT won't work anyway. That's what we're trying to explain to you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

0 Kudos
20 Replies 20
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 6:32 AM
‎Oct 25 2023 6:32 AM

Are you testing in the same location where MX is installed? If so, it won't work, you need to be on another network, you can route your mobile device's WiFi to test.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 25 2023 7:01 AM
‎Oct 25 2023 7:01 AM

im on a separate network

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 7:14 AM
‎Oct 25 2023 7:14 AM

Is the IP that the ISP delivers using CGNAT? I've seen problems when using CGNAT. Setting up Anyconnect itself is simple.
 
You can also try disabling Windows Firewall or your antivirus.
 
One more question, have you checked that any connection attempts are coming to the MX? You can check the logs or perform a Packet Capture on the WAN interface.
 
If nothing is arriving, it's not a problem in MX.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 7:18 AM
‎Oct 25 2023 7:18 AM

One more thing, do you have any NAT or port forwarding for port 443 configured on the MX?
 
If this is the case, it will also be a problem, so you must specify another port for Anyconnect.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 25 2023 8:57 AM
‎Oct 25 2023 8:57 AM

no, no forwarding etc.

I can ping the hostname and see it get all the way to the mx ok. I made sure antivirus isn't blocking anything. I ran a packet capture on the mx during a connection attempt but couldn't see any relevant traffic - but then i couldn't see any traffic to my laptop during a successful ping test either.

The MX does have an inbound firewall enabled surprisingly with a block all rule. I didnt thin this would be blocking it but I added a allow all rule all the same and it still didn't help so i removed it again.


0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 9:19 AM
‎Oct 25 2023 9:19 AM

Being able to ping  is not a valid test for me. I sent you a troubleshooting guide. But this seems to be a problem with your notebook or local network, nothing related to the MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 25 2023 8:17 AM
‎Oct 25 2023 8:17 AM

I dont see anything in the log after i enabled the anyconnect server - i assume that means nothing is reaching the mx? I have no filters set so should be seeing everything

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 8:52 AM
‎Oct 25 2023 8:52 AM

Yes, apparently there are no requests arriving at the MX, have you tried a packet capture? Any chance your Windows firewall or antivirus is blocking the connection attempt?

 

Check the troubleshooting guide.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Troubleshoo...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 25 2023 1:11 PM
‎Oct 25 2023 1:11 PM

Does the MX definitely have the public IP address on its WAN port?

0 Kudos
In response to PhilipDAth
Adrian4
Head in the Cloud
‎Oct 26 2023 1:48 AM
‎Oct 26 2023 1:48 AM

in the appliance status page I can see WAN2 has the ip next to it with a green active sign.
If i go to uplink config the public ip is there again with a different DNS name than the VPN one.

Just to see if there was anything on my company laptop that cold be interfering, I grabbed a spare laptop, formatted it - connected to a guest wifi and tried again with nothing installed on the laptop except the VPN client. - I get the exact same message as my company laptop - connection attempt timed out.




0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 1:58 AM
‎Oct 26 2023 1:58 AM

If you have WAN 1 configured and it is configured as primary, the VPN client will not work on WAN2, either you use the WAN IP to connect or you change WAN2 to the primary traffic shaping configuration.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 26 2023 2:11 AM
‎Oct 26 2023 2:11 AM

ah interesting.

both WANs are configured as dynamic. WAN 1 is enabled but not connected.

I disabled WAN1 and tried again - same error message.

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 3:02 AM
‎Oct 26 2023 3:02 AM

Dynamic? So you don't have a public IP, right? You're behind a NAT, so it won't work.

 

Please provide more details of this connection if the understanding is wrong.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 26 2023 3:27 AM
‎Oct 26 2023 3:27 AM

Adrian4_2-1698315872624.png

 

Adrian4_1-1698315826375.png

Adrian4_3-1698315951868.png

 

0 Kudos
In response to Adrian4
Adrian4
Head in the Cloud
‎Oct 26 2023 3:28 AM
‎Oct 26 2023 3:28 AM

the MX is plugged directly into a BT router

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 4:23 AM
‎Oct 26 2023 4:23 AM

Yes, but is the IP that is shown as highlighted public or private?

 

alemabrahao_0-1698319416140.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 26 2023 4:56 AM
‎Oct 26 2023 4:56 AM

that one is private on the internal lan

0 Kudos
In response to Adrian4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 26 2023 5:13 AM
‎Oct 26 2023 5:13 AM

Bingo, then it won't work, you need a public IP configured directly on the WAN interface, an IP with NAT won't work anyway. That's what we're trying to explain to you.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 26 2023 5:42 AM
‎Oct 26 2023 5:42 AM

aaah I get you, cheers!

0 Kudos
In response to alemabrahao
Adrian4
Head in the Cloud
‎Oct 26 2023 8:43 AM
‎Oct 26 2023 8:43 AM

one last question - does this mean that if the primary WAN link goes down, it will drop all VPN connections? 
If so, will they be able to re-connect on the secondary WAN?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.