Why are you trying to register Azure SSO twice in the same Azure tennancy?  Why wouldn't you register it just one? ... View more

Unless you are using ISE for other things - you probably don't need it.   Most people SAML authentication directly against things like Azure AD (you can SAML authenticate against other MFA providers). https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication  ... View more

I'm using it across maybe 20 customers.  Maybe 300 sites. ... View more

There is no work around. ... View more

Wow - I'm amazed people were still deploying OM1 fibre in 2015!  OM1 came out in the 1980s.  So when you run into it - it tends to be 20 to 40 years old.  I just can't imagine putting in 30-year-old technology (which it would have been in 2015) into a new install.   I would be considering getting a 1Gbe SFP (rather than 10Gbe) to use it.  1GBE should be rock solid reliable.  I would not be so confident about 10Gbe on it. ... View more

If all (or most) other MXs in your org need to talk to things in Azure then make it a hub.   When you install it, make sure to set the zone to "none". ... View more

I don't know the answer.   NLB is a pig, and it often causes issues.  It is almost certainly related to how it is [not] responding to ARP.  I bet if you change to a different mode it will work. ... View more

You could also test turning off IPS/AMP for a little bit and seeing if that is impacting the test. ... View more

Are you currently a stable firmware release or better? ... View more

That fibre is ancient.  How long has that fibre run been in?  20 years?   I think you have probably had your money out of it, and just like you are upgrading your switches you should upgrade that fibre.  I would be looking to go to OM4. ... View more

That is painfull!  I can't think of any solution apart from splitting the network in two. ... View more

Does any MX operating in VPN concentrator mode return this field?  They don't have "WAN" ports like an MX in routed mode.  I'm not sure where you would get that info. ... View more

Thanks for all the appreciation, everyone.   I admired Todd Nightingale.  I thought he was a greater leader in this space. ... View more

I think this has something to do with the privacy DNS service.  Or something like that. ... View more

If that IP address is static you could include that in the AnyConnect encryption domain and not use full tunnel.   Use whichever approach is easier for you.  🙂 ... View more

And what are you going to do for the user when they are not connected to VPN ... not much difference really is there? ... View more

OR - don't use full tunnel.  Specify only the list of subnets required that AnyConncet users will need to access inside of your organisation. ... View more

I just smashed this together.  Copy and paste this into Powershell.  It sends a query to Microsoft for the list of IP addresses used by Microsoft Teams.  Exclude these from your full tunnel VPN.   $clientRequestId = [GUID]::NewGuid().Guid $uri = "https://endpoints.office.com/endpoints/worldwide?NoIPv6=true&clientRequestId=$clientRequestId" $endpointSets = Invoke-RestMethod -Uri ($uri) $Optimize = $endpointSets | Where-Object { $_.category -eq "Optimize" } $optimizeIpsv4 = $Optimize.ips | Where-Object { ($_).contains(".") } | Sort-Object -Unique Write-Host $optimizeIpsv4   ... View more

No one has mentioned it ... ... View more

You might be able to write a script to call get-network-clients and then filter on only VPN clients. https://developer.cisco.com/meraki/api-v1/#!get-network-clients   ... View more

Splash Access has a solution for the education sector for dorms where each dorm gets a seperate network and supports self-onboarding.  I would check this out, as it might make things much easier for you. https://www.splashaccess.com/  ... View more

What does the MX uplink statistics show? ... View more