Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About PineTree
About PineTree
PineTree
Here to help
Member since Mar 30, 2023
2 weeks ago
Community Record
12
Posts
7
Kudos
0
Solutions
Badges
2 weeks ago
4 Kudos
So I did a few packet captures and what I noticed is that the people on the regional Fiber ISPs had packet fragmentation issues whereas people on Charter/Spectrum and Verizon/ATT did not have fragmentation issues. I tested further and manually set the MTU on the people having issues to 1390 after some ping tests and that resolved the connection issues.
... View more
2 weeks ago
Connections are reaching the MX and showing fragmentation on the WAN packet capture. I just dont understand why packets might fragment and fail to connect Secure Client on port 446 but not 443 or why this might prevent connecting from a regional ISP when a national ISP like Verizon would not have an issue. 18:38:13.085276 IP (tos 0x0, ttl 64, id 42445, offset 0, flags [+], proto TCP (6), length 1428) xx.xx.xxx.xx.446 > xx.xxx.xxx.xxx.18019: Flags [.], seq 2309454382:2309455770, ack 601705921, win 251, length 1388 18:38:13.085276 IP (tos 0x0, ttl 64, id 42445, offset 1408, flags [none], proto TCP (6), length 92) xx.xx.xxx.xx > xx.xxx.xxx.xxx: ip-proto-6 18:38:17.005254 IP (tos 0x0, ttl 64, id 42446, offset 0, flags [+], proto TCP (6), length 1428) xx.xx.xxx.xx.446 > xx.xxx.xxx.xxx.18019: Flags [.], seq 0:1388, ack 1, win 251, length 1388 18:38:17.005254 IP (tos 0x0, ttl 64, id 42446, offset 1408, flags [none], proto TCP (6), length 92) xx.xx.xxx.xx > xx.xxx.xxx.xxx: ip-proto-6 18:38:24.775289 IP (tos 0x0, ttl 64, id 42447, offset 0, flags [+], proto TCP (6), length 1428) xx.xx.xxx.xx.446 > xx.xxx.xxx.xxx.18019: Flags [.], seq 0:1388, ack 1, win 251, length 1388 18:38:24.775289 IP (tos 0x0, ttl 64, id 42447, offset 1408, flags [none], proto TCP (6), length 92) xx.xx.xxx.xx > xx.xxx.xxx.xxx: ip-proto-6 18:38:31.165276 IP (tos 0x0, ttl 64, id 58802, offset 0, flags [+], proto TCP (6), length 1428) xx.xx.xxx.xx.446 > xx.xxx.xxx.xxx.18007: Flags [.], seq 155509429:155510817, ack 2096241983, win 251, length 1388 Im wondering if Anyconnect has separate MTU settings from the firewall. Our MTU is set to 1432 on the firewall via support. When I connect to the VPN and test with ping -f -l I get a largest success of 1362. Does it make sense then that the meraki secure client MTU should be set to 1362 + 28 = 1390
... View more
2 weeks ago
Hi, We use port 446 for our Secure Client port, SAML to Azure. It works reliably with Spectrum/Charter users, and Verizon and Firstnet cellphone hotspot users. However we have some people with other local fiber internet providers who have issues connecting. It will timeout. When I have them connect to a backup site on port 443, it seems they can connect fine. Also, these people can ping our dynamic-m URL and our public IP no problem. Ive gone round and round with the fiber ISP support about this and they say definitively they do not block port 446, and demonstrate they can ping our IP, as well as telnet to port 446. Only variable here seems to be the port. The only reason we dont use 443 is that Secure Client/Anyconnect did not work on AT&T hotspots for us on that port.
... View more
Sep 5 2024
5:27 PM
Has anyone run into this? We have any connect setup using port 443. SAML to Azure for authentication. People on Verizon, Charter, Consolidated, etc have no issues and work as expected. People using AT&T hotspot on their phone or a standalone hotspot cannot connect and get a timeout. If setup an alternate config at a different site and move the port to 444 for example, they can connect. Anything I can do to resolve this and keep port 443? Would rather not move the port on the primary site and then have to re-distribute the config to everyone
... View more
Nov 14 2023
9:20 AM
Supposedly the latest version of Secure fixes the issue but Im not quite at the point of testing that.
... View more
Nov 14 2023
9:20 AM
I havent tested it yet because Meraki never updated their repository Version # and It took me forever to get cisco to rectify my software entitlements, but I am going to be rolling out the anyconnect update over the next week then updating meraki after that, I should know full well by December sometime.
... View more
Oct 16 2023
6:01 AM
3 Kudos
Looks like this was finally fixed, my trouble ticket was closed last week. I havent tested but Secure Client 5.0.05040 was listed as resolving it. CSCwe45817 - Unencoded embedded URL in HTTP redirect prevents captive portal detection
... View more
May 9 2023
6:27 AM
Hello, I can confirm i also have another MX that historically has not had VPN turned on and it doesnt have the same anyconnect issues and is on latest firmware. I'm pretty annoyed Meraki cant figure this one out (atleast publicly) given the large amount of info I know they have on it as well as detailed logs and captures.
... View more
Mar 31 2023
5:55 AM
16.16.9 worked
... View more
Mar 30 2023
9:21 AM
In our case we are using the standard 443 setting and we are seeing it regularly across every user trying to use anyconnect for a particular site. When we switch to AD authentication for testing instead of SAML we have a 100% success rate. Based on the fact that clearing the AppData\Local\Cisco\Cisco Secure Client\EBWebView\Default fixes it every time, but only for one successful connection, I would have to assume its some sort of bug in whatever settings in that folder get created upon successful startup of the VPN. Also waiting 45 seconds on the blank screen and hitting F5 to refresh is also fixing the issue with a near 100% success rate. Maybe its a preferences/settings issue somewhere preventing it from properly resolving a hostname.
... View more
Mar 30 2023
9:08 AM
Hello Gents, Wanted to let you know we are having this exact issue with Azure SAML and have created a new case with wireshark captures, Anyconnect logs, and shipped it off to Meraki for association with the other bug reports. Happened on 17.10.2 firmware and on 18.106. Meraki is downgrading us to 16.16.9 tonight to test out whether that resolves this issue.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 4 | 465 | |
| 3 | 26942 |
© 2026 Cisco Systems, Inc.
