Solved

licensing for ASA 5520 for anyconnect clients

Posted on 2010-09-12
16
2,032 Views
Last Modified: 2012-06-21
Good Morning,
      I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

      I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

      My current configuration only has 1 ASA5510 but we may want to utilize a 2nd device for failover. Supposing I want to have 25 concurrent users, what license package should I purchase for 1 device? If I want to have the 2nd device set up for failover, and in the event my primary device fails I would like to still have failover capabilities, what license package should I purchase?

Any info would be helpful.
0
Question by:jbla9028
16 Comments
 
LVL 4

Expert Comment

by:Jezbit
The ASA5520 comes with 500 licenses if the part number of the one you purchased is ASA5520-SSL500-K9. If you buy a unit, it usually comes with licenses so you should be covered for your second device.

Log onto the ASA via the CLI and type "show version" to display what you currently have available license-wise.
0
 
LVL 1

Author Comment

by:jbla9028
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.
0
 
LVL 4

Accepted Solution

by:
Jezbit earned 500 total points
The license to purchase for 25 users is ASA5500-SSL-25 and you'll need one on each device if you want failover.

The minimal concurrent package for the ASA5520 is 500 (ASA5520-SSL500-K9) which you would also need to have per device if you want failover.

It may be cheaper to look at named user options and see where your break-even point is.
0
 
LVL 1

Author Comment

by:jbla9028
Thanks. Not sure I follow...

If I purchase just the ASA5500-SSL-25 I should be fine?

You say the minimal concurrent package for the ASA5520 is 500. Do I need that as well?

What do you mean by named user options?

Thanks!
0
 
LVL 2

Expert Comment

by:phantom024
I believe that the SSL VPN licenses and the other VPN licenses are separate. If you want your users to use the VPN client software then I don't believe you need to purchase any SSL VPN licenses. From your post it looks like you should have more than enough licenses to support 25 users with the VPN client connections, but maybe I misunderstood the question.
0
 
LVL 1

Author Comment

by:jbla9028
I want to use the SSL anyconnect client. The license option listed as "Total VPN Peers     750" is for IPSec clients from what I can tell. If I install the IPSec client this will work under the 750 if I understand it correctly. The SSL licenses are listed under where it says "SSL VPN Peers         : 2". I love the IPSec client; the only problem is it takes some IT intervention to set up the user. The SSL anyconnect client gets pushed to the user when they log into the SSL webpage. This is the benefit I want.
0
 
LVL 4

Expert Comment

by:Jezbit
Total VPN Peers: 750  - this equates to IPSEC VPN licenses and not Anyconnect SSL licenses, which you only have 2 of.

Named licenses are cheaper than concurrent. You said you needed 25 concurrent (i.e. 25 users connected at the same time)... this means if you have 100 users and you had a 25 concurrent user license, only 25 of the 100 would ever be able to connect simultaneously. It would not matter who they were though.

Named users means you would have a list of users and they could connect, up to the number of licenses you buy.

The minimum concurrent license package for your device is 500. If you only have 100 users in total, it might be cheaper to buy a 100 user license instead of a 500 concurrent license.

Hope this explains better, otherwise let me know how many users you have and I can tell you which license would be best.
0
 
LVL 4

Expert Comment

by:Jezbit
P.S. Just read your post above...

You can set the IPSEC client up automatically with an imported profile.
0
 
LVL 1

Author Comment

by:jbla9028
Hmm, what a pain. Damn you Cisco. OK, so how are the users controlled? I have set up my ASA using TACACS+ to authenticate to AD. Say I buy 25 licenses and they all connect 1 time, then I have a 26th user who wants to connect. Will I have the ability to remove a license from a previous user who connected? How does the ASA remember the user that takes a license? The 500 concurrent license model is ridiculously high and way out of my price range.

The IPSec client can be set up with the imported profile but then you get into the problem of users with 64 bit or 32 bit machines... I'm just trying to make this work as easy as pie for IT and for the users.

0
 
LVL 4

Expert Comment

by:Jezbit
If the vpnclient.ini file is bundled with the VPN Client software when it is first installed, it automatically configures the VPN Client during installation. You can also distribute the profile files (one .pcf file for each connection entry) as preconfigured connection profiles for automatic configuration. To distribute preconfigured copies of the VPN Client software to users for installation, complete these steps:

Copy the VPN Client software files from the distribution CD-ROM into each directory where you created a vpnclient.ini (global) file and separate connection profiles for a set of users.

Prepare and distribute the bundled software. CD-ROM or network distribution. Be sure the vpnclient.ini file and profile files are in the same directory with all the CD-ROM image files. You can have users install from this directory through a network connection; or you can copy all files to a new CD-ROM for distribution; or you can create a self-extracting ZIP file that contains all the files from this directory, and have users download it, and then install the software.

Still more effort than the Anyconnect solution, but it is an option :-)
0
 
LVL 4

Expert Comment

by:Jezbit
That's right, you'd have to delete a user to add a user. Maybe buy a 50 user license (ASA5500-SSL-50) to facilitate some growth. Still cheaper than the concurrent option...

(As far as I know you can go over the licenses but you would be in violation of the agreement)
0
 
LVL 1

Author Comment

by:jbla9028
How would I delete a user? I'm using TACACS+ with AD. Would I just remove the user from the group under the ACServer? Just trying to gauge how difficult this would be. The IPsec client config you're describing wouldn't be too bad as long as I could get the user to install the correct package based on their Windows version.

0
 
LVL 4

Expert Comment

by:Jezbit
That should work fine because it would stop the user from authenticating and therefore they would no longer be using a license. It shouldn't be a problem.

The IPSEC option is a bit more pain - only an option if you want the extra work to save license costs. You would need to distribute the right installs to the users, which again is a bit of a pain. The other solution is effortless. Depending on your priorities vs budget, at least it's an option :-)
0
 
LVL 1

Author Closing Comment

by:jbla9028
Thanks this answers the question and the bottom is a good discussion regarding IPSEC vs SSL connectivity. Thanks for your help!
0
 
LVL 4

Expert Comment

by:Jezbit
Absolute pleasure!
0
 
LVL 1

Author Comment

by:jbla9028
By the way, I did contact Cisco earlier regarding this and they replied that I should get the following license.

Thank you for contacting Cisco Worldwide Partner Helpline. My name is Sajitha Surendran and I have taken the ownership of this case.

Q) I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

A) If you do not require clientless SSL VPN and Cisco Secure Desktop capabilities, you can go for the AnyConnect Essentials license.

It provides Cisco AnyConnect Secure Mobility client connectivity without clientless SSL VPN and Cisco Secure Desktop capabilities and Full tunneling access to enterprise applications. The license part number is given below:

L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users) USD 250.00

0
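
An added example, not part of the original thread and not a Cisco tool: a small Python parser for the licensed-features block of "show version" that reports how many concurrent AnyConnect sessions a unit will accept and whether both units of a failover pair are covered. The function names are hypothetical, the sample is an excerpt of the output posted above, and the rule that AnyConnect Essentials raises the ceiling to Total VPN Peers is an assumption drawn from the replies in this thread.

```python
import re

# Constructed sample: excerpt of the "show version" license block posted in the thread.
SAMPLE = """\
Licensed features for this platform:
Failover                       : Active/Active
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect Essentials          : Disabled
This platform has an ASA 5520 VPN Plus license.
"""

def parse_license_block(text):
    """Return {feature: value} for every 'feature : value' line."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            features[m.group(1)] = m.group(2)  # a later line overrides an earlier one
    return features

def anyconnect_capacity(features):
    """Concurrent AnyConnect (SSL) sessions this unit is licensed for.

    Assumption taken from the thread: AnyConnect Essentials lifts the limit to
    the platform's Total VPN Peers; without it, SSL VPN Peers is the ceiling.
    """
    total = int(features["Total VPN Peers"])
    if features.get("AnyConnect Essentials") == "Enabled":
        return total
    return min(int(features["SSL VPN Peers"]), total)

def check_unit(text, needed):
    """Summarise whether one unit can carry `needed` concurrent AnyConnect users."""
    features = parse_license_block(text)
    capacity = anyconnect_capacity(features)
    return {"capacity": capacity, "sufficient": capacity >= needed,
            "failover": features.get("Failover", "unknown")}

def failover_pair_ok(primary_text, standby_text, needed):
    """Per the accepted answer, each unit of a failover pair needs its own license."""
    return all(check_unit(t, needed)["sufficient"]
               for t in (primary_text, standby_text))

if __name__ == "__main__":
    print(check_unit(SAMPLE, 25))
```

Run it against the output saved from each unit before ordering; a pair only passes when both units report enough capacity.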
