Showing results for 
Search instead for 
Did you mean: 

Anyconnect vpn load balancing using DNS roundrobin with SAML possible?


Hello, we have a pair of FTDs between an on-prem data center and Azure and would like to use DNS roundrobin to load balance the client vpn connections between the pair of FTDs.  The DNS name obviously would have 1 single A record pointing to 2 different FTD's outside interfaces.  The tricky part is that we use Okta for SAML authentication and the FTDs are configured to use "VPN client embedded browser."  I have spoken to Okta but they aren't clear whether this would work since I need to configure 2 different FTDs with the same DNS name in Okta's SAML config.  In that case, does Okta return responses back to the correct FTD?

Please advise, thank you

2 Replies 2


Hi @ronnie.shih,

I'm not sure would it work or not, but is worth of trying. I would advise to use recursive DNS lookup instead. Your FTD devices should have its own DNS records, e.g. and There should be 3rd DNS record -, which clients would try to reach, and which would resolve via round-robin to and

This way, each FTD device can identify itself uniquelly to Azure, and your clients would still be able to use single DNS record. Of course, your devices must have certificates for both domains - common DNS one, and local one (e.g. vpn and Also, it must accept connections on both vpn and

I never tried this, and I'm always using VPN load balancing in such case (which works in similar principle). I've configured VPN load balancing on ASA SW, and never on FTD, but I found this great guide, so you might want to try this too, and make sure you go through Configuring VPN Load Balancing config guide.

Kind regards,



Thank you for your response.  I believe I just need to try this out and see what breaks.

The last paragraph you mentioned actually refers to anyconnect VPN load balancing in the same layer 2 network, which means load balancing anyconnect connections across several FTD units in a load balancing group in networks stitched together at layer 2.  We are looking to load balance anyconnect connections between an on-prem data center and Azure, while using SAML authentication.  So this scenario does not apply to us.  

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers