Anyconnect Premium License

Answered Question
May 30th, 2012

I am looking for purchasing a license for Anyconnect Premium for the ASA5510 that run IOS 8.4. I found the following but I cannot find the description for ASA-VPNP-5510=. Is that mean unlimited users?

Premium Shared VPN Server License-500 users        ASA-VPNS-500=

Premium Shared VPN Participant License-ASA 5510                ASA-VPNP-5510=

I worked on IOS 8.2, the CSD is a separatepurchase. Is Cisco Secure Desktop included in this license? If not, what will be the part number?

I have this problem too.
0 votes
Correct Answer by Marvin Rhoads about 2 years 12 months ago

Correct - you would need L-ASA-SSL-250.

Buying that will get you an activation code which, when installed on your appliance, will change

     AnyConnect Premium Peers          : 2      perpetual

To "250" (as opposed to the default 2).

Please rate helpful posts.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (8 ratings)
Marvin Rhoads Wed, 05/30/2012 - 13:18

The ASA-VPNS-500= and ASA-VPNP-5510= products are for a setup where you have a cluster of ASAs serving remote access browser-based (clientless) SSL VPN clients. The first item sets up your server to be able to had out licenses for 500 remote access users. The second item allows an ASA 5510 to participate in the cluster.

For more traditional remote access VPN clients (client-based SSL or IPSec VPN) you need AnyConnect (Essentials or Premium). The Premium version adds the ability to use Cisco Secure Desktop features.

Part numbers for those are:

AnyConnect Essentials:

L-ASA-AC-E-55XX= (5510 in your case)

AnyConnect Premium:

L-ASA-SSL-10, L-ASA-SSL-25, L-ASA-SSL-50, L-ASA-SSL-100, L-ASA-SSL-250, L-ASA-SSL-500, L-ASA-SSL-700, L-ASA-SSL-1000, L-ASA-SSL-2500, L-ASA-SSL-5000, or L-ASA-SSL-10K

Upgrade Part Numbers: L-ASA-SSL-10-25, L-ASA-SSL-25-50, L-ASA-SSL-50-100, L-ASA-SSL-100-250, L-ASA-SSL-100-500, L-ASA-SSL-100-750, L-ASA-SSL-100-1K, L-ASA-SSL-250-500, L-ASA-SSL-500-750, L-ASA-SSL-500-5K, L-ASA-SSL-750-1K, L-ASA-SSL-1K-2500, L-ASA-SSL-2500-5K, L-ASA-SSL-5K-10K

If you want to do Advanced Endpoint Assessment, that is an additional license - L-ASA-ADV-END-SEC - which has AnyConnect Premium as a prerequisite.

joe.ho Wed, 05/30/2012 - 13:55

Thanks for the information. I just want to double confirm. I don't want to order the wrong license. The name are too close to get confuse.

I want to get name straight because I need to get a quote for clientless and client SSL VPN.

I only have a single ASA 5510. If I want the clientless and client SSL VPN should I be listing these

AnyConnect Premium (client SSL VPN) L-ASA-SSL-250

Browser-based clientless SSL VPN     ASA-VPNS-500=

Is that all I need to get the clientless and client SSL VPN going? No additional license on top of that? Is 500 clientless SSL VPN is the minimum? Nothing less than that?

Marvin Rhoads Wed, 05/30/2012 - 14:06

AnyConnect client-based SSL VPN requires only L-ASA-AC-E-5510= for a single 5510.

Clientless (browser-based) SSL VPN requires one of the AnyConnect Premium licenses whose part numbers I listed above. They are available as the names suggest in increments of 10, 25, 50, 100 etc.

The ASA 5510 allows a maximum of 250 Anyconnect Premium clients so the 500+ licensing levels are not applicable for you.

The ASA-VPNS-500= part number is only for when you are setting up a cluster of ASAs to share licenses across multiple appliances. Typically you would only do that with larger installations thus the starting number of 500 in that scenario.

NOTE: AnyConnect Essentials and AnyConnect Premium licenses can NOT be run simultaneously on the same appliance. Once you go the Premium route you are tied to the Premium per-user licensing and the per-appliance model of Essentials is no longer an option.

joe.ho Wed, 05/30/2012 - 14:21

I understand now. I only need L-ASA-SSL-100-250 and that will give me client and clientless SSL VPN capabilites.

joe.ho Wed, 05/30/2012 - 14:25

Not to confuse people. I put the upgrade part number. I will need L-ASA-SSL-250.

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

Correct Answer
Marvin Rhoads Wed, 05/30/2012 - 14:30

Correct - you would need L-ASA-SSL-250.

Buying that will get you an activation code which, when installed on your appliance, will change

     AnyConnect Premium Peers          : 2      perpetual

To "250" (as opposed to the default 2).

Please rate helpful posts.

Amit Mahajan Wed, 06/25/2014 - 05:36

Hello Marvin,

I have ASA5510 with v8.2 with base lic, which says " IPsec VPN Peers = 250".

Does "IPsec VPN Peers" means "both site-to-site and remote access IPSec VPN client" or does it mean only site-to-site vpn?

If I want the users to connect using Any-connect client, do i need to buy extra lic or it will be utilized from =250?

If I have two Cisco ASA 5510 in HA with Security Plus lic, and one of the ASA has L-ASA-SSL-250 lic installed in it, do i need to buy L-ASA-SSL-250 for the other fail-over device or its not required? as after fail-over primary lic will be transferred to secondary unit?

Thanks in advance,

acm

 

 

Marvin Rhoads Wed, 06/25/2014 - 08:02

@acm,

"IPsec VPN peers" means as you noted in your question. It does not include AnyConnect client-based remote access VPN (either SSL or IPsec IKEv2 mode).

In an HA pair, the L-ASA-SSL-250 license is only required on one member (as of ASA 8.3 or later).

Amit Mahajan Wed, 06/25/2014 - 23:04

 

@Marvin,

Thank you for help.... few queries though,

Please find my current ASA details  in brackets:-

[System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ASA up 53 mins 32 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB]

1] I have ASA v8.2 - will i need 2nos. of L-ASA-SSL-250 in HA pair?

2]Should i upgrade my ASA from v8.2 to v8.3 and then buy 1qty. of L-ASA-SSL-250 ? What do you suggest?

3]While upgrading my ASA from v8.2 to v8.3(or later) will I need to upgrade my ASA RAM/FLASH? Kindly go though my ASA HW details above.

thanks in advance,

acm

 

Marvin Rhoads Thu, 06/26/2014 - 11:54

You're welcome.

1. If you wanted to stay with 8.2 then yes you would need identical licenses purchased separately on both units.

2. I would suggest upgrading. I would skip 8.3(x) altogether. 8.4(7) or 9.0(3) are the currently recommend "most stable" releases for that platform. Reference.

3. An ASA 5510 with 1 GB of RAM can run the later versions of software (8.3 all the way through 9.1(5) - 9.2+ is not being developed for the older non-SMP hardware except the 5505). Reference.

One question - if you're adding a second 5510 is it one you have on hand already? I ask because those were end of sales since last year.

Amit Mahajan Thu, 06/26/2014 - 22:05

Hello Marvin

Yes, you are correct. We have second ASA5510 in our stock.

Thanks again for your great help.

regards,

acm

Marvin Rhoads Fri, 06/27/2014 - 07:40

You're welcome. Thanks for the ratings.

alexdelangel Mon, 08/18/2014 - 20:25

Hello friends!

Please, allow me to resurect this old post.

Marvin, would you please explain for what the ASA-ADV-END-SEC license is used for? Also for what is the ASA5505-SEC-PL license used for?

Regards!

Alex

Marvin Rhoads Thu, 08/21/2014 - 06:38

Alex,

ASA-ADV-END-SEC is used to enable the Advanced Endpoint Assessment feature.  AEA allows one to inspect clients for many features and even direct them with remediation messages etc. to validate compliance with standards (OS type, patch level, antivirus status,etc.) prior to allowing network access.

SEC-PL is Security Plus and allows several things such as high availability setup etc. on an ASA-5505. The 5510 and 5512-X have an equivalent offering. All higher models have the abilities built-in to their base licenses 

Actions

Login or Register to take actions

This Discussion

Posted May 30, 2012 at 8:03 AM
Stats:
Replies:14 Overall Rating:5
Views:16989 Votes:0
Shares:1
Categories: AnyConnect
+