cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configure AnyConnect on a VMX in Azure

PhilipDAth
Kind of a big deal
Kind of a big deal
‎03-07-2022 04:21 PM
‎03-07-2022 04:21 PM

Configure AnyConnect on a VMX in Azure

I'm trying to configure AnyConnect on a VMX in Azure.  I am very familiar with the process of configuring AnyConnect, and have done so many times on VMX in AWS.

 

The problem I am having in Azure is how to tell Azure to allow tcp/443 into the VMX.  A packet capture tells me no traffic I generate makes it to the VMX.  The resource group that gets created when you deploy the VMX is locked by Meraki (so I can not change anything).  It doesn't have a network security group, and it does not allow me to add a network security group (to which you would normally add an inbox rule to allow tcp/443).

 

Support tells me that this is a supported configuration.

 

Has anyone managed to create this configuration?

0 Kudos
Subscribe
7 REPLIES 7
JSLanders
New here
‎10-21-2022 07:47 AM
‎10-21-2022 07:47 AM

Did you ever find a solution? I am experiencing a similar issue.

0 Kudos
Subscribe
ccietbd
Conversationalist
‎12-12-2022 07:56 AM
‎12-12-2022 07:56 AM

For anyone coming across this in the future, the issue is that the vMX managed app bundles everything in and doesn't let you change anything, including not allowing you to change the vNIC to use a subnet + NSG you specify.  You have to create the subnet/vnet/nsg before you deploy the app, then during deployment instead of using the wizard to create those elements, you tie the app to the subnet and vNet you already created and associated to an NSG allowing TCP+UDP 443 inbound (remember AnyConnect prefers and will work better with UDP:443 for DTLS, TLS:443 for TLS is a higher-overhead fallback).

 

I outlined the process in detail here

 

https://ccietbd.com/2022/04/20/basic-anyconnect-on-azure-hosted-meraki-vmx/

Subscribe
In response to ccietbd
tomas209ca
Getting noticed
‎12-15-2022 08:08 AM
‎12-15-2022 08:08 AM

ccietdb,

 

i have tried this on my vmx and it works for for any connect. The only thing is when i associate the NSG to the sub-net it kill everything and then i am not able to get to my server in azure. Take this NSG off and im good to go again. I also have NSG on my server also. The MX has a Standard static Wan ip and is in Zone, but Zone failover isnt used. vMX has the vNet and subnet created first before making the resource for the vMX. Thank you.

0 Kudos
Subscribe
In response to tomas209ca
ccietbd
Conversationalist
a week ago
a week ago

You will need to add rules to the NSG to allow the east/west traffic you need, when the NSG flow logs to see where its getting blocked. 

0 Kudos
Subscribe
ScholzEDV
Comes here often
a week ago
a week ago

I have exactly the same problem. I have two vMX for failover and both have no NSG after deploy. Is it not possible to configure it afterwards?

0 Kudos
Subscribe
In response to ScholzEDV
ccietbd
Conversationalist
a week ago
a week ago

You cannot add after deploying if you use all the automatically generated vNets and Subnets etc through the wizard, it locks it all down. Check my blog post where I outline it, basically create your elements all first then choose them during the wizard instead of creating new during the wizard. 

https://ccietbd.com/2022/04/20/basic-anyconnect-on-azure-hosted-meraki-vmx/

then add whatever rules you need to allow east/west traffic and anything else needed. 

Subscribe
In response to ScholzEDV
PhilipDAth
Kind of a big deal
Kind of a big deal
Wednesday
Wednesday

Specifically, this happens when you choose to use availability zones during deployment.  You have to choose a zone of "none" to be able to use a NSG.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2023 Meraki