Meraki AnyConnect Redundancy Setup on two different MX

Solved
Cyrus777
Here to help


Hello Community.

 

I have AnyConnect Client VPN set up on my corporate MX. If we have a power/internet outage at this office, all remote workers lose access to our on-prem and cloud resources. I'm trying to find out the best option to provide redundancy for this service on a different MX (or vMX on Azure) in a different location, so if the primary goes offline for any reason my remote employees can still connect and keep working. I see there is an option for load sharing between MXs in the Meraki documentation. Has anyone here set up such a design in the past? Is there any good documentation to walk you through setting up the second node without disrupting service on the primary node?

What are your recommendations?

Thanks!

1 Accepted Solution
PhilipDAth
Kind of a big deal

In the AnyConnect profile you can specify a primary and a backup AnyConnect head end.  I've done that lots and it works great.

 

You can also specify a name like "Company" and load multiple head ends against it.

 

You can also use Optimal Gateway Selection to automatically select the closest running VPN head end to the user.

https://community.cisco.com/t5/security-knowledge-base/anyconnect-optimal-gateway-selection-operatio...
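Added example, not part of the original post: a constructed AnyConnect profile with a named entry ("Company"), a primary and a backup head end, and Optimal Gateway Selection enabled, plus a small check that lists each entry's head ends and flags any entry with no backup. Element names follow the AnyConnect profile XML schema; the hostnames and the `audit_profile` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # AnyConnect profile namespace

# Constructed sample profile; the hostnames are placeholders, not from the thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableAutomaticServerSelection UserControllable="false">true
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Company</HostName>
      <HostAddress>vpn-hq.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-azure.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Branch only</HostName>
      <HostAddress>vpn-branch.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def audit_profile(xml_text):
    """Return (ogs_enabled, {HostName: [primary, backups...]}, names_without_backup)."""
    root = ET.fromstring(xml_text)
    ogs = root.find("ac:ClientInitialization/ac:EnableAutomaticServerSelection", NS)
    ogs_enabled = ogs is not None and (ogs.text or "").strip().lower() == "true"
    head_ends, no_backup = {}, []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", default="", namespaces=NS).strip()
        # Direct child only: the primary head end, not the nested backup addresses.
        primary = entry.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        backups = [b.text.strip()
                   for b in entry.findall("ac:BackupServerList/ac:HostAddress", NS) if b.text]
        head_ends[name] = [primary] + backups
        if not backups:  # single head end: an outage there strands these users
            no_backup.append(name)
    return ogs_enabled, head_ends, no_backup


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Running the check against the profile before uploading it catches entries that would still depend on a single site.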

 


3 Replies
thaack
Getting noticed

Cisco Secure Connect, Cisco's SASE solution, could be a great option to ensure availability of your cloud resources without the need to come back to the on-premise MX. Or you could configure the vMX as a backup server in AnyConnect maybe? (I'm not sure if this would work)

 

 

For on-premises resources, consider utilizing a secondary WAN uplink and add another internet circuit for a redundant connection. For a loss of power, consider utilizing a UPS/Generator, as presumably your on-premise infrastructure wouldn't be available as well without power. For an MX failure you could utilize an MX Warm Spare in an HA pair.

 

By understanding a bit more about your environment, I can better offer some solutions:

 

  • Are all critical applications hosted in the cloud, on premise or both?
  • Do you have a DR site with hot restore capability for on premise infrastructure?
    • Is there an MX at this location?
  • How are users connecting to cloud resources?
    • VPN into MX and using SD-WAN VPN tunnel to vMX in Azure?
Cyrus777
Here to help

I have a couple MX at my corp and they provide HA with different ISPs. 

The plan is to provide redundancy for the service at different geographical locations. 

I have on-prem and Azure resources and am using auto-vpn across the org using MX and vMX to provide access to everything evenly across the network for everyone.

 

So here I need to implement the most reliable option based on my features to set up the second node as my client VPN server on an MX in a different office or on a vMX on Azure.
