AnyConnect Load Sharing
AnyConnect Load Sharing
For additional information on AnyConnect, refer to the AnyConnect configuration guide.
Load sharing is recommended when you have more users than one MX Appliance can support, in addition to providing redundancy and optimal performance. This guide describes how you can load share between MX Appliances when using Meraki facilitated auto-generated certificates or custom certificates. All topologies in this guide are based on an Active-Active design.
This table below shows the maximum number of AnyConnect VPN sessions supported per MX model.
| Model | MX450/250 | MX600/400 | MX105/95 | MX85/75 | MX100/84 | MX68/67 | MX65/64 | vMX-S/M/L | Z3 |
| Max Sessions | 1500/1000 | 1000/750 | 750/500 | 250/250 | 250/150 | 100/100 | 50/50 | 100/250/500 | 5 |
When setting up load sharing, the AnyConnect Server certificate method used is important to your design and would determine what is attainable.
Load sharing with Auto-generated certificates:
The main benefit of using the Auto-generated is that DNS and public certificate enrollment/renewals are managed by Meraki. The limitation of this option is that you cannot fully customize your AnyConnect Server hostname. You also cannot use a load balancer in front your MX Appliance to help manage connections. This option is the default Server certificate generation method.
For example, the MX250 can support up to 1000 AnyConnect sessions. Let's say you need to support 1000 remote users. We recommend deploying 2 MX250s. In this scenario if you lose one MX250, you still have capacity to handle 1000 sessions before the service on the faulty MX is restored.
Server configuration
- The MX Appliance should be set up in Routed or VPN Concentrator mode
- Certificate Generation method should be set to Auto-generated
Client configuration
- AnyConnect Profile 1 with Server 1 as Primary and Server 2 as Backup for one group of users
- AnyConnect Profile 2 with Server 2 as Primary and Server 1 as Backup for the other group of users
- Push the different profiles to the respective groups of users
Expected behavior
All users will connect to their respective Primary Servers. When a Primary Server fails, the AnyConnect Client will automatically connect them to the Backup Server. Credentials will be required from the user to complete authentication to the Backup Server.
Load sharing with Custom certificates:
The main benefit of using the Custom is that you can customize your hostname e.g. xyz.com. You can also sign certificates with a alias (subject alt name) that allows you use a load balancer in front your MX to help manage connections to your AnyConnect Server. Please note that you will responsible for managing your DNS records and certificate renewals.
For example, the MX450 can support up to 1500 AnyConnect sessions. Let's say you need to support 3000 remote users. We recommend deploying 3 MX450s. In this scenario if you lose one MX450, you still have capacity to handle 3000 sessions before the service on the faulty MX is restored.
Server configuration
- The MX Appliance should be set up in Routed or VPN Concentrator mode
- Certificate Generation method should be set to Custom
- Generate CSR with subject-alt-name matching hostname of the load balancer e.g vpn.abc.com
- Common Name should be unique to the AnyConnect Server
- Upload signed certificates
Client configuration
- AnyConnect profile with vpn.abc.com as the Server hostname
Expected behavior
When users attempt to connect, the DNS load balancer will return the IP address of the Server closest to the user. Connection requests will be shared across available Servers depending on how your load balancer works.