Cisco AnyConnect does it do IPsec?

Answered Question
May 16th, 2012

Hi Guys

I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users, and I am currently looking into Cisco AnyConnect in comparison to using the VPN client.

I have a couple of questions:

1) Does Cisco AnyConnect make use of IPsec, or is it solely SSL VPN based?

2) From the license information I have below in my ASA, I understand that I can have a max of 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

3) When trying to set up Cisco AnyConnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images; however, when I did this by uploading the .dmg file for Mac machines, I got the error message "not a valid SVC image". Is this because I am running 8.2?

Your help is much appreciated.

Regards

Mohamed

Correct Answer
vishnsha Wed, 05/16/2012 - 11:41

Hi Mohammad,

I will answer your questions one by one:

1. Cisco AnyConnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the AnyConnect client, then it will consume the SSL license and not the IPsec license; however, if you use IPSECv2 for connections like site-to-site VPN, then it will consume the normal IPsec VPN license.

2. a.  SSL VPN Peers: This license gives you the information about the number of users who can connect using the SSL protocol, i.e. using the AnyConnect client as well as the web-portal-based client, also known as clientless VPN. Here I see there are only 2 licenses, so at any point of time only 2 users can connect successfully because 750 is the total number of licenses available for VPN connections on the ASA, only 698 will be available for the IPsec connections.

   b.  AnyConnect for Mobile: This license is required whenever a user is connecting from a handheld device like an iPhone, iPad, tablet, etc.

   c.  AnyConnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol, and to enable this feature you should have this license enabled on the ASA.

   d.  AnyConnect Essentials: For AnyConnect there are two licenses: a) AnyConnect Premium and b) AnyConnect Essentials. AnyConnect Essentials is cheaper compared to the AnyConnect Premium license. This license is for those who do not use WebVPN or clientless VPN. When this license is enabled, the user can only connect from the AnyConnect VPN client.

3. I am not sure what image you are using on the ASA. Please try the image named as anyconnect-macosx-i386-2.5.2010-k9.pkg.

    To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.

   svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg

Let me know if this helps.

Thanks,

Vishnu Sharma
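
An added example (not part of the original thread and not Cisco tooling): a Python parser for the licensed-features block posted in the question, reporting the AnyConnect-relevant limits as the answer above describes them. The function names and the `active_ssl_sessions` parameter are assumptions made for illustration.

```python
import re
# Constructed sample: the "Licensed features" block as posted in the question.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
"""
LINE = re.compile(r"^\s*([^:]+?)\s+:\s+(\S.*?)\s*$")

def parse_license(text):
    """Map each 'Feature : value' line to an int, a bool, or the raw string."""
    features = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue  # header, blank line, or unrelated output
        name, value = m.groups()
        if value.isdigit():
            value = int(value)
        elif value in ("Enabled", "Disabled"):
            value = value == "Enabled"
        features[name] = value
    return features

def anyconnect_report(features, active_ssl_sessions=0):
    """Hypothetical helper: AnyConnect sessions count against 'SSL VPN Peers'."""
    ssl_peers = features["SSL VPN Peers"]
    disabled = sorted(k for k, v in features.items()
                      if k.startswith("AnyConnect") and v is False)
    return {"ssl_peers": ssl_peers,
            "total_peers": features["Total VPN Peers"],
            "ssl_sessions_left": max(0, ssl_peers - active_ssl_sessions),
            "disabled_anyconnect": disabled}
```
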

mohamedridha Wed, 05/16/2012 - 12:02

Thank you very much for your excellent reply. Just to further clarify, does this mean that under my current licensing I can only have 2 users connected using Cisco AnyConnect?

Sent from Cisco Technical Support iPhone App

Correct Answer
vishnsha Wed, 05/16/2012 - 12:07

Hi Mohammed,

Yes, you are right. If your requirement is to connect more clients at the same time, then I would suggest you purchase more licenses for AnyConnect, and if your requirement is to connect only the AnyConnect VPN client and not the clientless one, then go for the AnyConnect Essentials license, which is cheaper compared to the Premium license and will fulfill all your requirements too.

Thanks,

Vishnu Sharma

pzpgd1mlf Mon, 06/04/2012 - 10:50

Sirs,

Can I say that 2 is the number of "client VPN" I have a license for (actually the default here), and 750 is the number of IPsec tunnels I have a license for (also the default) to connect site-to-site peers? In other words, one is for clients (users), the other is for sites (devices). Is this assumption correct?

SSL VPN Peers                  : 2

Total VPN Peers                : 750

Thank you,

Posted May 16, 2012 at 7:02 AM
Categories: AnyConnect, ASA