ASA AnyConnect Licensing

Published:
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes.

"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs.  For the 5505, this is 10 for the base OS and 25 for the Security Plus OS.  5510s are 250, 5520s are 750, etc...  These licenses are not AnyConnect licenses.  They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.  

This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration.  However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.

AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs.  AnyConnect comes in two flavors.  One is AnyConnect Premium.  All ASAs comes with 2 licenses of AnyConnect Premium.  These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans.  The AnyConnect Premium scheme is tiered.  So the licensing starts at the 2 the ASA comes with.  You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.

AnyConnect Essentials
The other option in the AnyConnect world is AnyConnect Essentials.  The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client.  You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs.  No clientless, no advanced security features.  These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505).  Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....

The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.

I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box.  All ASAs, by default, will reject a VPN request from a mobile device.  To change this, I needed to install qty 1 of the AnyConnect Mobile license.  This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).  

Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case.  The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices.  The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
5
17,245 Views

Comments (9)

Author

Commented:
@amatson78:  Yes, the 2 SSL VPN that come with the ASA are AnyConnect Premium.  If you only need two concurrent VPN sessions from mobile devices, all you have to do is purchase the AnyConnect mobile license and you're all set.  By default the ASA is going to look for the Essentials license so in the WebVPN config just type "no anyconnect-essentials" and it will change it from the essentials licensing scheme to the premium licensing scheme.

@Garry-G:  Incorrect, you AnyConnect mobile requires EITHER essential OR premium.  Also, the trial licenses are AnyConnect Premium and not just a "basic SSL connect".  
amatson78Sr. Security Engineer

Commented:
@Tomago,

Awesome that is what I expected but wanted to clarify for me and anyone else who comes across this helpful article. I am only using the ASA for a lab so the 2 license are perfect I just wanted mobile access. :) I can confirm I can access the VPN via both clientless portal and the anyconnect which confirms they should be the "Premium" license included. Kudos on the guide.

Author

Commented:
Good to hear amatson78.  If you wanted to get started now, there is a free trial of the mobile license on the Cisco site.  http://www.cisco.com/go/license   -> sign in with your CCO ID then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."
amatson78Sr. Security Engineer

Commented:
@ Tomago, Awesome thanks for the heads up, I did just that and have a 90 day trial license installed onto the ASA and just successfully connected to my lab from my iPhone. Thx again one of the best guides yet. :)
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2020

Commented:
Nice Article!
You didn't mention the changes to AnyConnect Licencing for Failover though?
Cisco AnyConnect - Essentials / Premium Licences Explained


Pete

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community