ASA AnyConnect Licensing

Published on
23,993 Points
5 Endorsements
Last Modified:
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes.

"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs.  For the 5505, this is 10 for the base OS and 25 for the Security Plus OS.  5510s are 250, 5520s are 750, etc...  These licenses are not AnyConnect licenses.  They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.  

This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration.  However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.

AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs.  AnyConnect comes in two flavors.  One is AnyConnect Premium.  All ASAs comes with 2 licenses of AnyConnect Premium.  These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans.  The AnyConnect Premium scheme is tiered.  So the licensing starts at the 2 the ASA comes with.  You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.

AnyConnect Essentials
The other option in the AnyConnect world is AnyConnect Essentials.  The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client.  You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs.  No clientless, no advanced security features.  These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505).  Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....

The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.

I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box.  All ASAs, by default, will reject a VPN request from a mobile device.  To change this, I needed to install qty 1 of the AnyConnect Mobile license.  This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).  

Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case.  The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices.  The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free