Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout JessIT1
JessIT1
Building a reputation
Member since Jul 27, 2022
Tuesday
Community Record
102
Posts
16
Kudos
1
Solution
Badges
Dec 4 2024
7:56 AM
2 Kudos
Update from Meraki support Your concern is valid, and the situation calls for a clear understanding of how to interpret and handle these logs. If you're seeing an "AnyConnect VPN connection established" log entry for a known malicious IP, it can indeed be alarming, even if no credentials were used or access was gained. The "connection established" log might only indicate that the malicious actor initiated a VPN handshake, not that they successfully authenticated. The actor would need valid credentials (username and password or certificate) to fully establish a session and access resources. Also some systems log the handshake as "established" regardless of authentication success. If this IP is flagged for malicious activities like HTTP scanning and SSH brute force, it suggests automated probing or attacks. The IP scanning your public-facing WAN is attempting to connect via AnyConnect but may not have succeeded beyond the initial handshake. So meaning A "connection established" log entry typically indicates that a TCP or UDP handshake occurred. This doesn't necessarily mean a user authenticated or gained access to sensitive resources—it might simply mean that a connection attempt was technically successful. False positives can occur in systems that have broad detection rules or rely on incomplete data to flag activities. For example: IDS/IPS or firewall logs might show traffic that matches suspicious patterns but isn't actually malicious. An endpoint or system might flag a benign but unusual behavior as rogue.
... View more
Dec 2 2024
1:05 PM
ok, so basically someone physically or a scanning engine/service is pegging our public facing WAN IP with port 443, some how establishes a TLSv1.2 connection with a Cipher: but never gets an internal network VPN IP that are legit users would get when connecting via their AnyConnect VPN agent by using our unique AnyConnect Server URL, authenticating with their email address and password that synchs from our AD accounts in the allowed VPN group of users and then gets the push to their DUO Mobile App to complete the connection.
... View more
Dec 2 2024
3:29 AM
Thank you for the feedback. My concern is if it’s an attacker, do these logs confirm the connection into our network was successful? We also have IDS advanced security with Meraki.
... View more
Dec 1 2024
6:36 PM
Seeing some AnyConnect VPN rogue IP’s trying to connect this evening, not sure if they are actually making a connection into our firewall..? example of log: Dec 1 20:22:05 AnyConnect VPN AnyConnect VPN connection event msg: Local-IP[OUR MX95 WAN IP] Local-Port[443] Prot[TCP] Peer-IP[71.239.88.253] Peer-Port[51727] Conn-ID[9] TLSv1.2 connection established. Cipher: ECDHE-RSA-AES256-GCM-SHA384(49200) Not seeing any actual AnyConnect VPN client connected that are suspicious, just these random TLSv1.2 attempts. We have AnyConnect VPN enabled using SAML with DUO 2-factor setup for VPN allowed users. thanks
... View more
Oct 16 2024
2:08 PM
2 Kudos
Also been dealing with these bogus usage spikes for weeks now on several of our MX's, where client traffic does not come close to what the GB usage shows in alert. Latest ticket response I recieved: Greetings, Thank you for your patience while our engineering team worked to resolve this issue. Our engineering team has advised there is a fix available for this issue on firmware 19.4.1. There will also be a fix available on 19.2 but this is still being worked on at this time and not yet available. Thank you, Meraki Technical Support
... View more
Oct 3 2024
7:21 AM
Received this feedback from support: Thank you for your response. I believe you are running into another issue which engineering is investigating for false traffic spikes to appear on the graph. This does not truly represent actual client data seen on the network. Our engineering team is tracking this and they are working on a fix. I'll make sure to update you accordingly as I get updates from engineering. Thank you, Meraki Technical Support
... View more
Oct 1 2024
1:08 PM
anyone else experiencing this, clients page sorted by usage shows clients with high down, in screenshot shows 45.66GB but if you click on the client, and sort, it does not reflect the high usage...?
... View more
Sep 29 2024
6:12 AM
I am logged into n178. All of the circle charts for each network are empty. If I click on the client now I do see some traffic, but the data usage is always way off. It can show it super high data usage for download and upload, but the traffic details for the client do not reflect it..
... View more
Sep 26 2024
3:08 PM
OK, so I’m not the only one. I have a ticket open with Meraki support. I can’t believe they don’t have anything in the Meraki Status website that mentions this..
... View more
Sep 26 2024
2:06 PM
anyone else not seeing any of their network's client traffic details showing up for applications, port, http content, etc. Traffic analytics details starting working again, but not clients, even if you click on a client, no details...
... View more
Sep 19 2024
8:24 AM
Not sure, did not check that. How do you check an MX's utilization?
... View more
Sep 19 2024
8:19 AM
Wow, 2026, might have jumped the gun then.. My thought was just since firmware updates had reached EOL that I did not want any lapse in security to be our downfall. And again, odd that after I upgraded all those rogue IP's showing allowed, now show blocked, maybe a coincidence..
... View more
Sep 19 2024
8:13 AM
MX64, MX64W, MX84 could not go past 18.200. Now using MX 67, MX67W, MX95
... View more
Sep 19 2024
8:01 AM
I also received those IP's. However I recently replaced 3 of my firewalls that could no longer could receive firmware updates, and now the Zyxel unauthenticated IKEv2 command injection attempt and Zyxel unauthenticated IKEv2 overflow attempts that have been plaguing our MX's since February now show blocked instead of allowed..so I guess getting these MX's up to the latest MX 18.211.2 version allowed the Intrusion detection and prevention to block..strange.
... View more
Sep 18 2024
6:49 AM
Our MX95 looks to be allowing VPN connections now, we were down for awhile this morning with users getting L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
... View more
Aug 27 2024
5:19 AM
yep, got those as well, added to my layer 7, layer 3 deny list, crazy.
... View more
Aug 20 2024
7:43 AM
I guess they are admitting marking a threat as allowed is Standard Operating Procedure if the threat contains packets that were dropped before they were dropped onto network LANS..again we as customers are not privy to how the back end works with Meraki IDS, we just know malicious IP's are attempting to hit our MX WAN's and their IDS is showing action as allowed, so as IT folks when do we know when it's an actual threat or a false positive..that should not be on us.
... View more
Aug 20 2024
7:21 AM
Yes, received that one as well. At this point we are over 6 months since I started this thread for these allowed attacks. There has been several explanations from Meraki support stating these attacks are not actually getting through to the LAN. I just think the allowed action is going to continue the concern for customers that have not seen this thread yet. Zyxel unauthenticated IKEv2 command injection attempt Zyxel unauthenticated IKEv2 overflow attempt
... View more
Jul 30 2024
4:40 PM
Thanks for the heads up on this one, I don’t get my alerts of what was blocked or allowed until the morning so I logged in and added this IP to my layer 3 & 7 deny rules.
... View more
Jul 26 2024
7:34 AM
I agree, wasn't until a recent response from someone in this thread that their Zyxel IP hits showed blocked as opposed to allowed like all of mine that I don't completely think these rogue IP's are truly being blocked. I just keep adding the IP's to our layer 3 & 7 rules as deny and hope for the best..too many other security vectors to focus on, Meraki needs to address this ASAP, it's out of my control as to how IDS works.
... View more
Jul 22 2024
5:50 AM
We had same IP's hit one of our MX 193.177.182.40:500 149.50.116.115:500 185.224.128.74:500
... View more
Jul 9 2024
7:01 AM
The only thing is, some customers are seeing the action on these IP’s as blocked and customers like me and quite a few others are getting an allowed action, how can that be explained?
... View more
Jul 9 2024
6:34 AM
This matches my list. Since these IP's are affecting numerous customers, is there not a way Meraki can add these IP's to their own block list, since the bad actors seem to be targeting Meraki MX devices..?
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 2170 | Dec 4 2024 7:56 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 2170 | |
| 2 | 1754 | |
| 2 | 13751 | |
| 1 | 5722 | |
| 1 | 5756 |
© 2025 Cisco Systems, Inc.
