Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About mattalley
Community Record
39
Posts
12
Kudos
0
Solutions
Badges
07-26-2021
07:02 AM
1 Kudo
I ended up rolling back to 16.4, as the dashboard only presented that to me as an option. I rolled back and followed Overkill's procedure here: https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30775 After that no more cert warning. I have a ticket in with support to get us up to 16.8.
... View more
07-25-2021
08:39 PM
I'll double-check tomorrow, but I'm pretty sure that same bullet point is in the 16.10 release notes.
... View more
07-25-2021
10:39 AM
Seems like there was another post about this: https://community.meraki.com/t5/Security-SD-WAN/MX-16-9-breaks-AnyConnect-certificate/m-p/123901#M30775 "I rolled-back the firmware upgrade on one of them about 10 minutes ago and it is still throwing the self-signed certificate error unfortunately, which means that once you perform the upgrade, you cannot un-break it. So, it seems the "solution" to this is to roll-back the firmware, then rename the device, wait until that takes (you can check by hitting the hostname with a browser until the new one works and it shows a valid SSL certificate that isn't self-signed) then changing it back to the previous hostname, which will then get another valid certificate. At this point, 16.9 breaks AnyConnect." What the heck Meraki!?
... View more
07-25-2021
10:25 AM
I agree with that. But I when I look at the firmware upgrade it says I came from 16.4. And to be honest I don't remember if that was what I was on. I am not seeing an option to rollback to 16.8. Do you think I should still roll back?
... View more
07-25-2021
09:12 AM
My MX84 upgraded firmware yesterday to 16.9. We are now getting "Untrusted Server Blocked!" warning in AnyConnect. I see that the certificate warning says "Certificate does not match the server name". I have my AnyConnect profile set to allow users to uncheck the "Block connections to untrusted servers", but this is not an ideal experience. Unfortunately I found in the 16.9 release notes that this was expected! "Due to a regression, MX appliances are not able to properly utilize dashboard auto-enrolled certificates for AnyConnect VPN connections. MX appliances will default to using a self-signed certificate, which will provide users connecting to the AnyConnect VPN service with a warning message about connecting to an untrusted server." Is this expected to be resolved anytime in the near future? Should I rollback my firmware to 16.4? I don't want to rollback, but it is not ideal to have to walk our staff through changing the setting and having to choose "Connect anyway" on the certificate error popup.
... View more
05-28-2021
12:16 PM
I see what you mean. I currently only have 1 default policy in place for both Network and Roaming Computers, so there is no concern with consistency. And I have our domains set up properly I think in the Umbrella dashboard, so even when my queries are going to Umbrella instead of my DNS servers, I am still able to access internal resources while connected to the VPN. My thought was that maybe it was best practice to always use our DNS servers when they are reachable? With how I have things set up for my testing this Umbrella module, everything is working as desired. Just when I saw that queries were going to Umbrella instead of my DNS servers while connected to the VPN, instead of treating it like a "Protected Network", I thought I was doing something wrong.
... View more
05-28-2021
11:59 AM
Thank you for your response, but I already have that setting enabled. And in the documentation for this settings seems to point to why it's not auto-disabling in my case: The local DNS servers must be configured to use Umbrella as the sole DNS forwarders. This is true for me The DHCP scope must be configured to hand out the IPs of the internal DNS servers. This is true for me The local network must allow direct access to either 53 or 443 UDP with a destination of 208.67.222.222. This is true for me The workstation's egress IP must match the configured local DNS server's egress IP's registered network. This is not true for me. (At least based on how I understand it) My computer, while connected to the VPN, queries my internal DNS servers, which points to Umbrella and has the external IP of my datacenter. My local machine is using split-tunneling for the VPN, so my external IP would not match the IP of the DNS query external IP of my corporate network. I wonder if I set the VPN to tunnel 208.67.222.222 back over the VPN if that would cause this to work.
... View more
05-26-2021
08:56 AM
I am currently testing out the Umbrella module in AnyConnect and it is working well. The one thing I can't seem to get working is Trusted Network Detection. I got Trusted Network Detection working while I was in the office, so while I was in the office and not connected to the VPN, the Umbrella module was inactive. Now I am trying to make the Umbrella module inactive while connected to our Meraki split-tunnel VPN at home since all of my DNS while on the VPN goes back to my internal DNS servers anyway, but it doesn't seem to be working. While connected to the VPN, the DNS protection status still says "Protected" and Encryption as "On". I have tried various changes in the VPN profile to see what would trigger the VPN to be a Trusted Network, and still no go. Has anyone gotten the Trusted Network Detection to work properly while connected to a split-tunnel Meraki AnyConnect VPN? Thanks for any response. Matt
... View more
05-24-2021
10:06 AM
Yeah, I thought so. I built a script in our software deployment tool that checks to see if AnyConnect needs updated, and then checks to see if it is in the middle of the night. I think I'll build it out to figure out if the AnyConnect adapter is enabled instead, that way it will update for folks who are in the office, or working from home but happen to not be connected to the VPN.
... View more
05-24-2021
07:36 AM
I have not considered GPO deployment, as we have other means to deploy software. My concern was getting AnyConnect updated without interfering with an existing VPN session. Does a GPO deployment offer that?
... View more
05-21-2021
12:14 PM
Yeah I think this is something that should be considered on my end then. We really only have a couple things left on prem that we already have plans to migrate to the cloud, so the only thing left on prem would be domain authentication on the computer and DNS. In the meantime, I think I'll set up a script to update AnyConnect on computers that are running overnight 😕 Thank you!
... View more
05-21-2021
11:49 AM
We have Cisco Umbrella already, but do not use the agent. A while back I heard to avoid to the agent due to DNS resolution issues frequently happening? We currently don't use it since I have the endpoint get their DNS while on the VPN from our DNS servers, and our DNS servers are pointed to Umbrella. I am aware that they only get our Umbrella filtering while on network or connected to the VPN, but we have an antivirus product that has really good web filtering built in as well. So, my question is, is your experience with the Umbrella agent good?
... View more
05-21-2021
08:05 AM
Hey everyone, I was wondering how folks were handling updating the AnyConnect software on their endpoints? I have trained our user's to sign in to the VPN at the Windows 10 login screen. I tested updating AnyConnect using our software management tool, and it disconnects the VPN (which I wasn't surprised by). Is this all I am stuck with to update AnyConnect? Is to just push it out and maybe tell people ahead of time that their VPN sessions will disconnect and they will have to manually reconnect? I can use our software management tool to push the update a specific time of day, I was thinking maybe late in the evening to avoid interruptions? Thanks for any guidance.
... View more
01-19-2021
12:35 PM
2 Kudos
Done. That sure is a slick bottle.
... View more
01-19-2021
09:11 AM
2 Kudos
That would be nice if they rolled it in to Adv Sec license since that is what I have 🙂 I vote for that.
... View more
01-19-2021
08:40 AM
Ahh. I wasn't aware of an AnyConnect Plus license. I haven't had to buy AnyConnect licensing in a long time. So if I had approx 200 users that would use the VPN, I would be looking at the "AC-PLS-P-250-S" license? Which on CDW.com is around $3,637.49 USD. I wonder how they will apply the licensing with the MX's. Do you think it will be applied in such a way to enforce session count limits, or honor based?
... View more
01-19-2021
06:49 AM
I was wondering the same thing. Here's my research and possible guess: It looks like AnyConnect will require the "SDWAN Plus" license for the MX. I wonder if they will be hardcoding a limit of client VPN sessions based on their sizing guides? For example, I have an MX84 with the "Advanced Security" license, which as per their sizing guide can support up to 100 client VPN sessions. (Though I think it can handle more being that I am only using it as a client VPN concentrator). So I will have to buy an upgrade license to get the SDWAN Plus (1 Year SKU: LIC-MX84-SDW-1Y), which costs about $2,257 USD at CDW.com. And maybe the device will be limited to 100 client VPN sessions? (I hope not!)
... View more
05-26-2020
08:16 AM
In your statement of "all current models", does that include the MX84? Thanks
... View more
My Top Kudoed Posts
