AnyConnect vs. Windows built-in VPN on Meraki

Good afternoon! We have HA Meraki MX250 firewalls deployed at one of our offices. With the most recent stable firmware upgrade, Meraki enables AnyConnect on the platform, which we’ve never had access to. Before now, we’ve only ever used the built-in VPN client in Windows.

My question is: is it worth switching our staff over to AnyConnect vs. the built-in Windows VPN? I’ve searched and found some anecdotal benefits, but nothing that makes this a clear choice.

Having AnyConnect makes sense since our infrastructure is all Meraki from a unified perspective. We’ve also had a couple of remote employees who have found that bandwidth reduced significantly while connected to the current VPN. Still, we’ve been unable to identify a cause related to our VPN or network.

Who is for AnyConnect and why? We’re going to switch if there are compelling reasons to.

Yes. AnyConnect is the far superior product. Using the built-in VPN in Windows/Mac is kludgey at best and I see all kinds of weird errors from it. AnyConnect pretty much just works.

Yes yes yes, also with AnyConnect you can log on to VPN before you log on to Windows. We just made the switch.

Windows vpn client is just the worst. Regular updates from Microsoft can completely break it and the only solution is often just removing the security updates.

As far as I know using anyconnect requires additional licensing but it is so much more useable and stable

Switch to Anyconnect. We switched primarily so we could enforce MFA via Duo. Also the built in client sucks and breaks once a month.

Switch to AnyConnect, much better than the Windows built-in VPN. We use AnyConnect at my job and can’t remember if I ever experienced any issues with it, also easy to set up.

Anyconnect is superior.
You’re able to properly manage the vpn from a central location, unlike the standard client vpn which is a nightmare to manage.

The only drawback is it’s not free and quite costly.

The Windows VPN seems to fail every time there is a version update on 10, but once you reinstall it works great again until the next version update. I have not used AnyConnect.

Anyconnect allows split tunnel vpn. Combine that with cisco umbrella, users are protected no matter what they do.

I must be in the minority, but other than January’s patch debacle and the occasional whacked out hotel network, we don’t have issues with the Windows VPN. This has been over 6 years with 100+ users.

We do split tunnel, availability pre-login, and RADIUS auth. We install using CMAK and it just seems to work.

If you aren’t having issues with the IPSec, you won’t see any benefit with AnyConnect. It is more compatible in cases where users are behind a router that’s not allowing IPSec.

We switched to Draytek SmartVPN and it cured all of our VPN woes.

There was a post either here or on /r/sysadmin detailing the steps.

Edit Speeling

Short answer, yes. I haven’t seen Cisco’s implementation of AnyConnect on the Meraki platform, but I can say that AnyConnect is pretty much the industry standard when it comes to SSL VPN connectivity these days. With how easy Meraki gear typically is to set up, I’d imagine configuring AnyConnect on your MX firewalls won’t be too difficult. The only thing you have to keep in mind is that AnyConnect runs on a per-session license. For example, you have to buy a 50 seat license for the firewalls to allow 50 users to connect simultaneously via AnyConnect. I’ve learned to always highball your licensing, too. If you expect 50 users to VPN into your network via AnyConnect, it’s probably best to buy a 75 seat license to allow for company growth (cause most companies that need AnyConnect aren’t getting any smaller).

You can have windows VPN available pre-login also.

There is a very specific step in creating the VPN connection.

  1. Start in the Network and Sharing Center control panel
  2. Click Set Up a New Connection or Network.
  3. Click Connect to a workplace
  4. Create a New Connection
  5. Use My Internet Connection (VPN)
  6. On this screen, BE SURE to select “Allow other people to use this connection…”

The VPN will be available for all users, and a new icon will be available on the windows login screen, down by the network icon.

Then finish the setup in the ncpa.cpl control panel like you normally would.
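
A scripted equivalent of the wizard steps above, as an added example that is not part of the original post: `Add-VpnConnection -AllUserConnection` writes the connection to the all-user phonebook, which is what the "Allow other people to use this connection" checkbox does. The connection name, server address and the PAP authentication method are assumptions; substitute whatever your gateway expects, and run it from an elevated prompt.

```powershell
# Added example, not from the thread. 'Office VPN' and 'vpn.example.com'
# are placeholders; PAP is an assumed authentication method.
function New-AllUserL2tpVpn {
    [CmdletBinding()]
    param(
        [string]$Name = 'Office VPN',
        [string]$ServerAddress = 'vpn.example.com',
        [Parameter(Mandatory)]
        [securestring]$PreSharedKey
    )

    # Idempotent: return the existing all-user connection instead of failing.
    $existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # Add-VpnConnection takes the PSK as a plain string, so unwrap the
    # SecureString only at the point of use and never hardcode it in the script.
    $psk = [System.Net.NetworkCredential]::new('', $PreSharedKey).Password

    $vpnArgs = @{
        Name                 = $Name
        ServerAddress        = $ServerAddress
        TunnelType           = 'L2tp'
        L2tpPsk              = $psk
        AuthenticationMethod = 'Pap'   # assumption; match your gateway
        AllUserConnection    = $true   # visible to every user and at the logon screen
        Force                = $true   # suppress the interactive PSK confirmation
        PassThru             = $true
    }
    Add-VpnConnection @vpnArgs
}

# Usage (prompts for the key so it does not land in shell history):
#   New-AllUserL2tpVpn -PreSharedKey (Read-Host 'L2TP PSK' -AsSecureString)
# Verify which connections are machine-wide:
#   Get-VpnConnection -AllUserConnection | Select-Object Name, TunnelType, AuthenticationMethod
```

An all-user connection stores its pre-shared key machine-wide, so treat the PSK as known to anyone with administrative access to the endpoint.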

Yes! We were the unfortunate victims of a Microsoft security patch a couple of months ago that took down our entire Client VPN. We had to roll back security for all clients utilizing the VPN until Microsoft released a fix.

MFA via duo works based on your firewall setup and has nothing to do with the client being used to connect. Utilizing duo with windows based vpn connection to mx350s right now

Mind if I ask you if you had any issues setting up DUO and AnyConnect? I’m having an awful time getting this to run. It’s been like 2 weeks. Thanks for any advice.

How do you do this? Is this setup as Radius (an internal AD Server) using the Duo AuthProxy? I’m looking for a cloud method… playing with Jumpcloud Radius, I can’t get 2FA to pop for anything at that point. I got Jumpcloud Radius working.

My biggest issue with it is the inability to use Windows Always On VPN. Users like things to “just work”, and there is always someone who will try to access something without starting their VPN first.

Meraki requires we use L2TP with Client VPN.