ASA AnyConnect Licensing
Published:
Browse All Articles > ASA AnyConnect Licensing
I recently updated from an old PIX platform to the new ASA platform. While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works. It turns out that the ASA has 3 different VPN licensing schemes.
"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs. For the 5505, this is 10 for the base OS and 25 for the Security Plus OS. 5510s are 250, 5520s are 750, etc... These licenses are not AnyConnect licenses. They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.
This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration. However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.
AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs. AnyConnect comes in two flavors. One is AnyConnect Premium. All ASAs comes with 2 licenses of AnyConnect Premium. These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans. The AnyConnect Premium scheme is tiered. So the licensing starts at the 2 the ASA comes with. You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.
AnyConnect Essentials
The other option in the AnyConnect world is AnyConnect Essentials. The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client. You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs. No clientless, no advanced security features. These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505). Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....
The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.
I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box. All ASAs, by default, will reject a VPN request from a mobile device. To change this, I needed to install qty 1 of the AnyConnect Mobile license. This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).
Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case. The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices. The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs. For the 5505, this is 10 for the base OS and 25 for the Security Plus OS. 5510s are 250, 5520s are 750, etc... These licenses are not AnyConnect licenses. They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.
This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration. However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.
AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs. AnyConnect comes in two flavors. One is AnyConnect Premium. All ASAs comes with 2 licenses of AnyConnect Premium. These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans. The AnyConnect Premium scheme is tiered. So the licensing starts at the 2 the ASA comes with. You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.
AnyConnect Essentials
The other option in the AnyConnect world is AnyConnect Essentials. The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client. You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs. No clientless, no advanced security features. These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505). Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....
The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.
I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box. All ASAs, by default, will reject a VPN request from a mobile device. To change this, I needed to install qty 1 of the AnyConnect Mobile license. This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).
Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case. The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices. The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (9)
Author
Commented:@Garry-G: Incorrect, you AnyConnect mobile requires EITHER essential OR premium. Also, the trial licenses are AnyConnect Premium and not just a "basic SSL connect".
Commented:
Awesome that is what I expected but wanted to clarify for me and anyone else who comes across this helpful article. I am only using the ASA for a lab so the 2 license are perfect I just wanted mobile access. :) I can confirm I can access the VPN via both clientless portal and the anyconnect which confirms they should be the "Premium" license included. Kudos on the guide.
Author
Commented:Commented:
Commented:
You didn't mention the changes to AnyConnect Licencing for Failover though?
Cisco AnyConnect - Essentials / Premium Licences Explained
Pete
View More