Hello everyone!
Two of my users just reported they get the following error message when using AnyConnect and connecting using the default appliance hostname as we have done for over a year now without issues. What could create this? Meraki cloud issue and/or certificate issue on Meraki's side?
Running MX 16.16 on MX250.
Click on Change settings on AnyConnect to allow untrusted server.
I apologize, I should have mentioned we did this already. I'm more worried about certificate and/or DNS issues. We use SAML as well for AnyConnect authentication.
I'm pretty sure if you disable it the message will no longer show up. Try with just the IP address.
Thank you for the tip! Meraki Certificate for that appliance is expired so it won't work, even if I use the IP. I suspect SAML authentication and possibly other things break at that point.
Some things you could try:
After doing the above, wait 10 minutes. If the issue is still happening, open a support case and get them to trigger a certificate renewal.
Thank you Phil! I created a case by calling them. Was an hour on the phone and agent was trying to figure out if certificate was expired. He also escalated the issue internally. He asked me to upgrade tonight to latest firmware to force the certificate recreation.
I also used my AnyConnect Android app to clearly show me the details on when the certificate expired (last night) and was not automatically renewed. I asked them via email to see if they can generate a new/valid certificate before tonight; I cannot work on that MX until late tonight or users will come out with pitchforks and torches.
Thank you Philip! I turned off AnyConnect then waited 30min or so (busy with something else) then turned it back on. Fixed it.
I rebooted the MX first with 16.16 firmware. Didn't fix it (certificate was still expired). I did not upgrade firmware to latest either. I also asked if support could manually renew certificate and they said no (or didn't want to).
Support can trigger a certificate renewal - but it is a rare thing to do, so they probably just hadn't done it before.