Aug 10 2022
8:29 AM
2 Kudos
@Brandon123s I totally agree. The Microsoft vulnerability and IPS/SNORT post makes it sound like the issue is resolved or to call Meraki support. It should be made clear at this time that this is an active issue with no resolution. The workaround is to whitelist the signature. The advisory from Microsoft posted by @TMTECH is much closer to reality.
Aug 10 2022
7:52 AM
2 Kudos
To be totally honest, we just ran Windows Update and ensured all of the August 9th patches were applied. While we thought this fixed the issue with the SNORT signature, it did not. The client systems may appear to work for some time after the SNORT signature is enabled (Whitelist set to OFF), but the client systems will break after a reboot or after some time. Keep Whitelist ON for now for SNORT Signature 1:60381.
Aug 10 2022
6:44 AM
4 Kudos
What we found: Meraki SDWAN appliance with IPS prevention enabled. In Security Center, we see this alert:

Our resolution: Whitelist SNORT Signature 1:60381 (Click "On" to whitelist)

At this point, all of your Office 365 / Internet / Outlook / MS Teams issues should be resolved. Users should be working. The users may need to restart apps or reboot.

Then patch all Microsoft OSes. You can't patch until the rule is Whitelisted.

After everything is patched, enable the SNORT signature 1:60381 (Click "Off" to remove from whitelist):

This has worked for 3 organizations where we implemented this fix.

---UPDATE---

I need to eat a nice plate of crow. While the fix to whitelist the snort rule works 100%, applying the Windows Updates did not resolve the issue. When we turn on the SNORT signature, it breaks most clients again. We thought the Windows Updates fixed it, but it turned out that after some reboots and resets, the applications are still being blocked with the Whitelist disabled. We also confirmed this in Security Center as we still see incrementing hits on the SNORT rule. So we are leaving the Whitelist ON for now.
May 6 2021
10:20 AM
1 Kudo
@akh223, I could hug you! YES!!! Once I saw your post I knew this had to be it. We do have an L7 FW rule for P2P traffic. I disabled that rule and it seemed to fix the issues and the other issues haven't presented themselves. I am 99% sure this fixed it based on testing and given a day or so with no issues I think it will be 100%. I will also update my Meraki case to see if I can get this logged as an official bug. THANK YOU, THANK YOU!
May 6 2021
10:17 AM
1 Kudo
@PhilipDAth, I think these suggestions are great. We have a full tunnel solution so I added that to my original post as that is an important design consideration. I also validated that all of our VPN solutions and internal clients are using the same DNS. I actually never used the Office365 diagnostic tool. It was pretty cool so thanks for the tip! I will update this thread as we get more info and establish root cause.
May 5 2021
6:28 AM
I have several sites working in the AnyConnect closed Beta for a long time. Probably almost a year. I was excited to see AnyConnect move to public beta so I started scheduling 16.4 upgrades. We didn't make any changes before or right after the 16.4 upgrades. We did post upgrade testing and everything seemed fine. However, after we moved one site to 16.4 users started complaining that their Outlook showed as disconnected (Using Office365 with a hybrid AD setup). The problem manifests itself about 80% of the time. Sometimes it works fine, but we generally don't have a problem reproducing it.

Here is our environment:

- 2 MX250's in HA w/Virtual IP (16.4)
- 2 ISPs
- Windows 10 laptops
- Office 365
- Hybrid AD Setup
- AnyConnect Client v4.9.06037 for Windows
- Full Tunnel Configuration
- AnyConnect / Internal users / IPSEC Client VPN all use the same DNS servers

From our testing we found:

- Clients connected to the AnyConnect VPN on our Meraki MS250's are getting disconnected from Office365 and other web (SaaS) applications.
- If the same client connects to the IPSEC Client VPN we do not see the problem
- If the same client works from inside the office we do not see the problem
- If the same client connects to our legacy ASA5520 using the same exact AnyConnect version on the same computer we do not see the problem
- If the same client disconnects from the VPN and uses Office 365 from their home Internet we do not see the problem

We took the following steps and retested the scenarios above:

- Disabled AMP/IDP - no change, AnyConnect still broken
- Removed country blocks - no change, AnyConnect still broken
- Permit Any on the top of the firewall rules (UGGH, but had to rule it out) - no change, AnyConnect still broken
- Verified no weird traffic shaping stuff - no change, AnyConnect still broken
- Forced all traffic to ISP1 - no change, AnyConnect still broken
- Forced all traffic to ISP2 - no change, AnyConnect still broken

So we opened a case with Meraki support. I received the quickest response on a case that has ever happened: "Please upgrade your MX to 16.5 and see if it fixes the issue." Well, the release notes for 16.5 weren't much help but since we were out of options we upgraded to 16.5 and...... - no change, AnyConnect still broken 😥 I want my closed Beta code back!

Anyone else experiencing an issue like this? I am going to call support back so we can take captures and perform other science experiments while the client happily uses their legacy ASA5520 AnyConnect VPN that works fine. Sigh.... I want my AnyConnect closed beta code back!