Solved

licensing for ASA 5520 for anyconnect clients

Posted on 2010-09-12
Last Modified: 2012-06-21
Good Morning,
      I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

      I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

      My current configuration only has 1 ASA5510 but we may want to utilize a 2nd device for failover. Supposing I want to have 25 concurrent users what license package should I purchase for 1 device? If I want to have the 2nd device setup for failover and in the event my primary device fails and I would like to still have failover capabilities what license package should I purchase?

Any info would be helpful.
0
Question by:jbla9028
16 Comments
 
LVL 4

Expert Comment

by:Jezbit
ID: 33656918
The ASA5520 comes with 500 licenses if the part number of the one you purchased is ASA5520-SSL500-K9. If you buy a unit, it usually comes with licenses so you should be covered for your second device.

Log onto the ASA via the CLI and type "show version" to display what you currently have available license-wise.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33656929
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.
0
 
LVL 4

Accepted Solution

by:
Jezbit earned 500 total points
ID: 33656964
The license to purchase for 25 users is ASA5500-SSL-25 and you'll need one on each device if you want failover.

The minimal concurrent package for the ASA5520 is 500 (ASA5520-SSL500-K9) which you would also need to have per device if you want failover.

It may be cheaper to look at named user options and see where your break-even point is.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33656972
Thanks. Not sure I follow...

If I purchase just the ASA5500-SSL-25 I should be fine?

You say the minimal concurrent package for the ASA5520 is 500. Do I need that as well?

What do you mean by named user options?

Thanks!
0
 
LVL 2

Expert Comment

by:phantom024
ID: 33656978
I believe that the SSL VPN licenses and the other VPN licenses are separate. If you want your users to use the VPN client software then I don't believe you need to purchase any SSL VPN licenses. From your post it looks like you should have more than enough licenses to support 25 users with the VPN client connections, but maybe I misunderstood the question.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33656987
I want to use the SSL AnyConnect client. The license option listed as "Total VPN Peers : 750" is for IPSec clients from what I can tell. If I install the IPSec client this will work under the 750 if I understand it correctly. The SSL licenses are listed under where it says "SSL VPN Peers : 2". I love the IPSec client, only problem is it takes some IT intervention to set up the user. The SSL AnyConnect client gets pushed to the user when they log into the SSL webpage. This is the benefit I want.
0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33656994
Total VPN Peers: 750  - this equates to IPSEC VPN licenses and not Anyconnect SSL licenses, which you only have 2 of.

Named licenses are cheaper than concurrent. You said you needed 25 concurrent (i.e. 25 users connected at the same time). This means if you have 100 users and you had a 25 concurrent user license, only 25 of the 100 would ever be able to connect simultaneously. It would not matter who they were though.

Named users means you would have a list of users and they could connect, up to the number of licenses you buy.

The minimum concurrent license package for your device is 500. If you only have 100 users in total, it might be cheaper to buy a 100 user license instead of a 500 concurrent license.

Hope this explains better, otherwise let me know how many users you have and I can tell you which license would be best.
0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33657001
P.S. Just read your post above...

You can set the IPSEC client up automatically with an imported profile.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33657023
Hmm, what a pain. Damn you, Cisco. OK, so how are the users controlled? I have set up my ASA using TACACS+ to authenticate to AD. Say I buy 25 licenses and they all connect 1 time, then I have a 26th user who wants to connect. Will I have the ability to remove a license from a previous user who connected? How does the ASA remember the user that takes a license? The 500 concurrent license model is ridiculously high and way out of my price range.

The IPSec client can be setup with the imported profile but then you get into the problem of users with 64 bit or 32 bit machines... I'm just trying to make this work as easy as pie for IT and for the users.

0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33657024
If the vpnclient.ini file is bundled with the VPN Client software when it is first installed, it automatically configures the VPN Client during installation. You can also distribute the profile files (one .pcf file for each connection entry) as preconfigured connection profiles for automatic configuration. To distribute preconfigured copies of the VPN Client software to users for installation, complete these steps:

Copy the VPN Client software files from the distribution CD-ROM into each directory where you created a vpnclient.ini (global) file and separate connection profiles for a set of users.

Prepare and distribute the bundled software. CD-ROM or network distribution. Be sure the vpnclient.ini file and profile files are in the same directory with all the CD-ROM image files. You can have users install from this directory through a network connection; or you can copy all files to a new CD-ROM for distribution; or you can create a self-extracting ZIP file that contains all the files from this directory, and have users download it, and then install the software.

Still more effort than the Anyconnect solution, but it is an option :-)
0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33657036
That's right, you'd have to delete a user to add a user. Maybe buy a 50 user license (ASA5500-SSL-50) to facilitate some growth. Still cheaper than the concurrent option...

(As far as I know you can go over the licenses but you would be in violation of the agreement)
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33657098
How would I delete a user? I'm using TACACS+ with AD. Would I just remove the user from the group under the ACServer? Just trying to gauge how difficult this would be. The IPsec client config you're describing wouldn't be too bad as long as I could get the user to install the correct package based on their Windows version.

0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33657163
That should work fine because it would stop the user from authenticating and therefore they would no longer be using a license. It shouldn't be a problem.

The IPSEC option is a bit more pain - only an option if you want the extra work to save license costs. You would need to distribute the right installs to the users, which again is a bit of a pain. The other solution is effortless. Depending on your priorities vs budget, at least it's an option :-)
0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 33657170
Thanks, this answers the question and the bottom is a good discussion regarding IPSEC vs SSL connectivity. Thanks for your help!
0
 
LVL 4

Expert Comment

by:Jezbit
ID: 33657207
Absolute pleasure!
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33661799
By the way, I did contact Cisco earlier regarding this and they replied that I should get the following license.

Thank you for contacting Cisco Worldwide Partner Helpline. My name is Sajitha Surendran and I have taken the ownership of this case.

Q) I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

A) If you do not require clientless SSL VPN and Cisco Secure Desktop capabilities you can go for AnyConnect Essentials license.

It provides Cisco AnyConnect Secure Mobility client connectivity without clientless SSL VPN and Cisco Secure Desktop capabilities and Full tunneling access to enterprise applications. The license part number is given below:

L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users) USD 250.00

0
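
As an added example (not from the thread or from Cisco), this reads the licensed-features table that "show version" prints and reports how many planned AnyConnect sessions the installed license does not cover. The function names are hypothetical, and the rule that AnyConnect Essentials raises the ceiling to "Total VPN Peers" is an assumption drawn from the 750-user figure in Cisco's reply above.

```python
# Abridged from the "show version" output posted earlier in the thread.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum VLANs                  : 150
Failover                       : Active/Active
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect Essentials          : Disabled

This platform has an ASA 5520 VPN Plus license.
"""

def parse_license_features(text):
    """Return {feature name: int | bool | str} from the licensed-features table."""
    features, in_table = {}, False
    for line in text.splitlines():
        if not in_table:
            in_table = line.strip().startswith("Licensed features for this platform")
            continue
        if not line.strip():
            break  # a blank line ends the table
        name, sep, value = line.partition(":")
        tokens = value.split()
        if not sep or not tokens:
            continue
        raw = tokens[0]  # ignore any trailing column after the value
        if raw.isdigit():
            features[name.strip()] = int(raw)
        elif raw in ("Enabled", "Disabled"):
            features[name.strip()] = raw == "Enabled"
        else:
            features[name.strip()] = raw
    return features

def anyconnect_capacity(features):
    """Concurrent AnyConnect sessions the installed license allows."""
    # Assumption: with AnyConnect Essentials enabled the ceiling is
    # "Total VPN Peers"; otherwise it is "SSL VPN Peers".
    key = "Total VPN Peers" if features.get("AnyConnect Essentials") is True else "SSL VPN Peers"
    value = features.get(key, 0)
    return value if isinstance(value, int) and not isinstance(value, bool) else 0

def shortfall(features, planned_sessions):
    """Planned concurrent sessions not covered by the installed license."""
    return max(0, planned_sessions - anyconnect_capacity(features))

if __name__ == "__main__":
    print(shortfall(parse_license_features(SHOW_VERSION), 25))
```

Run against the output of each unit in a failover pair, since the thread's advice is that each device needs its own license.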
