The way we work is changing, and reliable, secure remote access is more critical than ever. For years, many Meraki users relied on the default L2TP/IPsec Meraki Client VPN, but this solution often presented challenges—namely inconsistent stability across operating systems and difficulty penetrating networks that block L2TP across different carriers or geographies.
The good news is that Cisco AnyConnect (now officially known as Cisco Secure Client) is fully supported on Meraki MX appliances, providing a robust, modern alternative. AnyConnect significantly enhances the remote access experience, offering highly secure connectivity across a wide array of PC and mobile devices.
Table of Contents
- Part 1: Why Consider AnyConnect on Meraki MX?
- Part 2: Requirements and Licensing
- Part 3: Step-by-Step Configuration Guide
- Part 4: Migration from Client VPN to AnyConnect
- Part 5: Troubleshooting Common Errors
- Part 6: Product & Deployment Mapping
- Part 7: Conclusion
- Part 8: FAQ

Part 1: Why Consider AnyConnect on Meraki MX?
Switching from the legacy L2TP client to AnyConnect addresses major pain points by leveraging modern, application-based VPN protocols (TLS/DTLS).
| Feature | Meraki Client VPN (L2TP/IPsec) | Cisco AnyConnect (Secure Client) |
|---|---|---|
| Protocol | L2TP/IPsec | TLS 1.2/DTLS 1.2 (TLS 1.3 on MX 19.1+ firmware) |
| Stability/Penetration | Inconsistent; prone to blocking across regions | High stability; TLS/DTLS are less likely to be blocked |
| Client | Native OS clients (Windows, macOS, etc.) | Dedicated client software (v4.8+ required) |
| Authentication | Meraki Cloud, RADIUS, AD | Meraki Cloud, RADIUS, AD, SAML, Certificate |
| Advanced Features | Limited | Always-On VPN and Start Before Logon (SBL) support via profiles |
| Management | Basic | Supports AnyConnect Profiles for streamlined user configuration (e.g., hostname aliases) |
AnyConnect utilizes TLS and DTLS for tunneling, making it a powerful choice, especially on operating systems where L2TP VPN services are no longer fully supported.
Part 2: Requirements and Licensing
To successfully implement AnyConnect, you must verify your hardware and firmware prerequisites and secure the necessary licensing.
Supported MX Models & Firmware Versions
| MX Model Series | Minimum Firmware Requirement | Max Concurrent Sessions |
|---|---|---|
| MX64(W), MX65(W) | 17.6+ | 50 |
| MX67(C,W), MX68(W,CW) | Latest MX-16+ | 100 |
| MX75, MX85, MX100 | Latest MX-16+ | 250 |
| MX95, vMX Large (L) | Latest MX-16+ | 500 |
| MX105, MX400 | Latest MX-16+ | 750 |
| MX250, MX600 | Latest MX-16+ | 1,000 / 1,500 |
| MX450 | Latest MX-16+ | 1,500 |
| Z3(C), Z4(C) | Latest MX-16+ | 5 |
Note: Models like the MX90, MX80, MX60, and Z1 are not supported. Also, AnyConnect is currently not supported on template-bound networks.
Licensing: Do I need a VPN Plus License?
Yes, for the official, generally available (GA) feature, the AnyConnect PLUS license is required. You should anticipate connecting your Meraki dashboard account to Cisco Smart Licensing to manage this feature.
Part 3: Step-by-Step Configuration Guide
AnyConnect configuration is designed to be "Meraki-easy". Here’s how you set it up:
Enable AnyConnect in Dashboard
1. Navigate to Security & SD-WAN > Configure > Client VPN > Cisco Secure Client Settings.
2. Select Enabled from the radio button.
3. Configure basic settings, including the Cisco Secure Client port (default 443), the VPN subnet (address pool for clients), DNS nameservers/suffix, and the Client routing method (full tunnel or split tunnel).
Upload or Generate Certificates
The MX AnyConnect server requires a server identity certificate for TLS negotiation. There are three options:
- Auto-generated certificate (Recommended Default): The MX uses its Dynamic DNS (DDNS) hostname to enroll in a publicly trusted certificate that renews automatically. However, the DDNS hostname is complex and difficult for users to remember.
- Custom hostname certificates: Requires MX firmware 16.16+. Allows a user-friendly name. Administrators must manually renew these certificates. Wildcard certificates are not supported.
- Self-signed certificates: Only available for testing purposes.
Recommendation: Since the automatic DDNS hostname is hard to remember, it is highly recommended to use an AnyConnect Profile to create a hostname alias for your users, regardless of the certificate option chosen.
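A profile that creates the hostname alias recommended above, shown as an added example rather than a file from the original article. The alias `Corp VPN`, the `HostAddress` value, and the file name are placeholders to replace with your own values; the SBL setting is included only to show where that option lives.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnect / Secure Client profile (added illustration).
     Save under a unique file name, e.g. corp-vpn.xml (placeholder name),
     then upload it in the dashboard or push it with your MDM. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon: leave false when SAML authentication is used,
         since the two are not supported together. UserControllable=false
         stops users from changing the setting in the client. -->
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostName is the friendly alias users see in the client drop-down. -->
      <HostName>Corp VPN</HostName>
      <!-- HostAddress is what the client actually connects to and what the
           server certificate is validated against. Placeholder value:
           use the MX DDNS hostname (auto-generated certificate) or your
           custom hostname (custom certificate). Append :port only if the
           Cisco Secure Client port was changed from the default 443. -->
      <HostAddress>REPLACE-WITH-MX-HOSTNAME.example</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because certificate validation is performed against `HostAddress`, not the alias, the alias can be any readable label without affecting TLS trust.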
Configure Authentication (AD/RADIUS/SAML)
AnyConnect supports multiple authentication types: Meraki Cloud, Active Directory (AD), RADIUS, SAML, and Certificate authentication.
RADIUS and MFA Integration: To integrate Multi-Factor Authentication (MFA) services, select RADIUS authentication. Specify the server IP, port, and shared secret.
Troubleshooting RADIUS Timeout for MFA: Increase the RADIUS timeout, as the default is often too short.
Authorization and Group Policies: Enforce access control using Group Policies with the RADIUS Filter-ID attribute. Ensure the names match the dashboard policy exactly.
Client Download & Rollout Strategy
The Meraki MX does not support web deploy or web launch.
1. Download client software from dashboard or Cisco.com.
2. Deploy via MDM or AD.
3. Use AnyConnect profiles to simplify connection and enable advanced features.
In summary, these steps ensure smooth AnyConnect deployment.
Part 4: Migration from Client VPN to AnyConnect
Migrating users from L2TP/IPsec to AnyConnect can be accomplished with minimal disruption. The MX supports both simultaneously. Pilot, test, and then decommission the L2TP service.
In summary, this approach ensures stable and smooth migration.
Part 5: Troubleshooting Common Errors
| Error Type | Cause | Solution |
|---|---|---|
| Login Failed / RADIUS Timeout | Default RADIUS timeout too short for MFA | Increase RADIUS timeout in Meraki dashboard |
| Certificate Chain Error | Incomplete chain | Upload full chain including intermediates |
| Profile Not Applying | Filename conflict or improper upload | Ensure unique filename; verify upload |
| SBL/SAML Conflict | Start Before Logon (SBL) used with SAML | SBL not supported with SAML |
Part 6: Product & Deployment Mapping
| Scenario/Users | Concurrent Sessions | Recommended MX Model Examples | Required License |
|---|---|---|---|
| Small Branch / Office | 50 | MX64/65 (requires 17.6+ firmware) | AnyConnect PLUS |
| Medium Office / HQ | 100 – 250 | MX67/68 (100), MX75/85/100 (250) | AnyConnect PLUS |
| Large HQ / Data Center | 500 – 1,000 | MX95 (500), MX250 (1,000), MX600 (1,000) | AnyConnect PLUS |
Part 7: Conclusion
Cisco AnyConnect on Meraki MX provides stability, superior user experience, and modern authentication controls including MFA support. Careful configuration of certificates, profiles, and RADIUS timeouts is required.
Action Path:
- Verify MX model and upgrade firmware.
- Procure AnyConnect PLUS license.
- Configure authentication with RADIUS/MFA.
- Deploy AnyConnect profiles for user-friendly connection.
Part 8: Frequently Asked Questions (FAQ)
Does Meraki MX support Cisco AnyConnect?
Yes. Cisco AnyConnect (Secure Client) is fully supported on most Meraki MX models running firmware 16.16+. It can run simultaneously with the legacy L2TP/IPsec client VPN.
Do I need a VPN Plus License for AnyConnect?
Yes, the AnyConnect PLUS license is required for the GA feature.
How do I configure AD/RADIUS with AnyConnect?
AnyConnect supports authentication via Meraki Cloud, AD, RADIUS, SAML, and Certificate. Specify host IP, port, and shared secret when using RADIUS.
Can I use MFA (e.g., DUO / Azure AD Conditional Access)?
Yes, using RADIUS allows integration with MFA services. Increase RADIUS timeout as needed. SAML authentication is also supported.
How to migrate users from L2TP to AnyConnect with minimal disruption?
Configure AnyConnect in parallel, deploy it to a pilot group, then roll it out broadly, ensuring RADIUS settings accommodate MFA. Decommission L2TP after migration.
Which MX model is suitable for 50 / 200 / 1000 concurrent VPN sessions?
50 Sessions: MX64/65; 250 Sessions: MX75, MX85, MX100; 1,000 Sessions: MX250, MX600
