Totally agree with custom certificate and renewing it... But when I enable the Optimal Gateway Selection feature, there is a cache problem with it. Scenario: we have VPN A, VPN B, VPN C, VPN D. When users want to connect with AnyConnect, OGS calculates RTT by sending a request to HTTP port 443 and chooses the best result. Say we have RTT VPN A 233, RTT VPN B 134, RTT VPN C 335, RTT VPN D 421. It will automatically connect the user to VPN B and cache it for some days, so next time OGS doesn't calculate again and the client has to connect to the previous VPN! I have users in Canada connecting to VPN UK by OGS, but they can manually (disabling Automatic VPN) connect to Canada without any problem. It can be a request timeout causing it, but the AnyConnect cache will continue connecting users to UK for several days. So we cannot use DNS load balancing with dynamic certs, and we cannot use an AnyConnect profile with OGS enabled because of the cache issue. The only solution is to purchase SSL certs for every MX and renew them every year, which is expensive for us with 8 MX (main and spare).
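As an added illustration (not code from the original post, nor Cisco's own OGS logic), here is a small Python model of the selection-and-cache behaviour described above: probe each gateway, keep the lowest RTT, reuse the cached choice until it expires. The 14-day TTL, the gateway names and the RTT values are constructed assumptions; the point is that one timed-out probe at cache time pins users to a distant gateway until the cache expires.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import math

DAY = 86400  # seconds

@dataclass
class GatewaySelector:
    """Simplified model of Optimal Gateway Selection as described in the post.
    cache_ttl is an assumed value, not a documented AnyConnect setting."""
    cache_ttl: int = 14 * DAY
    cached: Optional[str] = None
    cached_at: int = -1

    def select(self, rtts: Dict[str, Optional[float]], now: int) -> str:
        # rtts maps gateway name -> RTT in ms; None means the probe timed out.
        if self.cached is not None and now - self.cached_at < self.cache_ttl:
            # Cache hit: no re-probing, even if a closer gateway is reachable now.
            return self.cached
        # A timed-out probe is treated as infinitely slow and never chosen.
        best = min(rtts, key=lambda g: math.inf if rtts[g] is None else rtts[g])
        self.cached, self.cached_at = best, now
        return best

def stale_cache_scenario():
    """Constructed scenario: a Canadian user's first probe to the Canada gateway
    times out, so the UK gateway wins and stays cached for days."""
    s = GatewaySelector()
    first = s.select({"VPN-Canada": None, "VPN-UK": 134, "VPN-US": 233}, now=0)
    # Three days later the Canada gateway answers quickly, but the cache still wins.
    later = s.select({"VPN-Canada": 20, "VPN-UK": 134, "VPN-US": 233}, now=3 * DAY)
    # Only after the TTL expires does OGS re-probe and pick the nearest gateway.
    expired = s.select({"VPN-Canada": 20, "VPN-UK": 134, "VPN-US": 233}, now=15 * DAY)
    return first, later, expired

if __name__ == "__main__":
    print(stale_cache_scenario())  # ('VPN-UK', 'VPN-UK', 'VPN-Canada')
```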