If you're plan is to use it for client vpn... Don't. There are better solutions out there for that. Look for something that has software client support and SSL vpn tunnels. Both of which aren't supported by MX atm.
If not, consider if you need to have all clients through a single device.
Edit: Also, for those numbers, please get in contact with a Cisco partner or Meraki SE's.
This will be used as VPN Tunnel on different locations. May i ask if MX450 can be used as Active-Active to do a load balance? If not, is there any possible way to cater the 25,000 end devices having 5 devices per branch?
I notice now that it's not for client VPN but for regular site-to-site VPN between 5000 branches.
An MX450 can support up to 5000 tunnels. While not a hard limit I would stay under those numbers.
When you have two in warm spare, it's an active-passive setup. But nothing stops you from having multiple hubs. What you could do is divide those branches up into regions and have a tiered setup. Let's say you have a US East, US West, Europe and Asia hub. Each of those could be hub to 1250 branches. You can select which hub each branch uses as exit hub (you can even have multiple for redundancy). This lowers the number of tunnels needed per hub.
The hubs themselves can be in full mesh to provide connectivity between everything.
You can also use local breakout for regular internet and only use the tunnels for corporate applications. This will also lower the resource usage on the hubs.
Now there are multiple caveats when counting the number of tunnels needed. Like for example when you have multiple WAN connections, a tunnel is built over each WAN connection. I made a post about that earlier:
That's also the reason why I recommend that you get in contact with a Cisco Meraki partner or a Meraki SE for a huge project like this. They can go into the design deeper and support you in building the right setup.
Just finished talking to the Meraki guys. They gave a very nice solution for this one. The best way to do it is to have a set of One arm concentrator on the Head Office to dissiminate the VPN traffic and to cater all the 25,000 devices. Given that, We'll be having 8 one arm concentrator on the Head Office.
We're gonna be using 8x Meraki 450MX that has a Warm Spare for the VPN Concentrator on the HQ/DC. For all the branches mentioned above will be Meraki 68W. So it will be 700 concurrent VPN connections per 450MX thus, having 8x of it.