Skip to main content

 

Cisco Meraki Documentation

AnyConnect Load Sharing

AnyConnect Load Sharing

For additional information on AnyConnect, refer to the AnyConnect configuration guide.

Load sharing is recommended when you have more users than one MX Appliance can support, in addition to providing redundancy and optimal performance. This guide describes how you can load share between MX Appliances when using Meraki facilitated auto-generated certificates or custom certificates. All topologies in this guide are based on an Active-Active design.

This table below shows the maximum number of AnyConnect VPN sessions supported per MX model.

Model MX450/250 MX600/400 MX105/95 MX85/75 MX100/84 MX68/67 MX65/64 vMX-S/M/L Z3
Max Sessions 1500/1000 1000/750 750/500 250/250 250/150 100/100 50/50 100/250/500 5

When setting up load sharing, the AnyConnect Server certificate method used is important to your design and would determine what is attainable.

Load sharing with Auto-generated certificates:  

The main benefit of using the Auto-generated is that DNS and public certificate enrollment/renewals are managed by Meraki. The limitation of this option is that you cannot fully customize your AnyConnect Server hostname. You also cannot use a load balancer in front your MX Appliance to help manage connections. This option is the default Server certificate generation method.
Screenshot of the AnyConnect Auto-Generated Certificate option

For example, the MX250 can support up to 1000 AnyConnect sessions. Let's say you need to support 1000 remote users. We recommend deploying 2 MX250s. In this scenario if you lose one MX250, you still have capacity to handle 1000 sessions before the service on the faulty MX is restored.

A network diagram depicting typical user traffic flow load-balanced between two MXs with the use of an Auto-generated certificate

Server configuration
  • The MX Appliance should be set up in Routed or VPN Concentrator mode
  • Certificate Generation method should be set to Auto-generated
Client configuration
  • AnyConnect Profile 1 with Server 1 as Primary and Server 2 as Backup for one group of users
  • AnyConnect Profile 2 with Server 2 as Primary and Server 1 as Backup for the other group of users
  • Push the different profiles to the respective groups of users
Expected behavior

All users will connect to their respective Primary Servers. When a Primary Server fails, the AnyConnect Client will automatically connect them to the Backup Server. Credentials will be required from the user to complete authentication to the Backup Server.

 

Load sharing with Custom certificates:

The main benefit of using the Custom is that you can customize your hostname e.g. xyz.com. You can also sign certificates with a alias (subject alt name) that allows you use a load balancer in front your MX to help manage connections to your AnyConnect Server. Please note that you will responsible for managing your DNS records and certificate renewals.

A screenshot selecting the Custom Server Certificate Generation Method for use with MX AnyConnect

For example, the MX450 can support up to 1500 AnyConnect sessions. Let's say you need to support 3000 remote users. We recommend deploying 3 MX450s. In this scenario if you lose one MX450, you still have capacity to handle 3000 sessions before the service on the faulty MX is restored.

A network diagram depicting typical user traffic flow load-balanced between many MXs with the use of a custom certificate

Server configuration
  • The MX Appliance should be set up in Routed or VPN Concentrator mode
  • Certificate Generation method should be set to Custom
    • Generate CSR with subject-alt-name matching hostname of the load balancer e.g vpn.abc.com
    • Common Name should be unique to the AnyConnect Server
    • Upload signed certificates 
      A screenshot of the CSR generation UI on the Cisco Meraki Dashboard
Client configuration
  • AnyConnect profile with vpn.abc.com as the Server hostname 
Expected behavior

When users attempt to connect, the DNS load balancer will return the IP address of the Server closest to the user. Connection requests will be shared across available Servers depending on how your load balancer works.

  • Was this article helpful?