Anyconnect Premium License

Answered Question
May 30th, 2012

I am looking to purchase a license for AnyConnect Premium for the ASA5510 that runs IOS 8.4. I found the following but I cannot find the description for ASA-VPNP-5510=. Does that mean unlimited users?

Premium Shared VPN Server License-500 users        ASA-VPNS-500=

Premium Shared VPN Participant License-ASA 5510                ASA-VPNP-5510=

I worked on IOS 8.2, where the CSD is a separate purchase. Is Cisco Secure Desktop included in this license? If not, what will be the part number?

Marvin Rhoads Wed, 05/30/2012 - 13:18

The ASA-VPNS-500= and ASA-VPNP-5510= products are for a setup where you have a cluster of ASAs serving remote access browser-based (clientless) SSL VPN clients. The first item sets up your server to be able to hand out licenses for 500 remote access users. The second item allows an ASA 5510 to participate in the cluster.

For more traditional remote access VPN clients (client-based SSL or IPSec VPN) you need AnyConnect (Essentials or Premium). The Premium version adds the ability to use Cisco Secure Desktop features.

Part numbers for those are:

AnyConnect Essentials:

L-ASA-AC-E-55XX= (5510 in your case)

AnyConnect Premium:

L-ASA-SSL-10, L-ASA-SSL-25, L-ASA-SSL-50, L-ASA-SSL-100, L-ASA-SSL-250, L-ASA-SSL-500, L-ASA-SSL-700, L-ASA-SSL-1000, L-ASA-SSL-2500, L-ASA-SSL-5000, or L-ASA-SSL-10K

Upgrade Part Numbers: L-ASA-SSL-10-25, L-ASA-SSL-25-50, L-ASA-SSL-50-100, L-ASA-SSL-100-250, L-ASA-SSL-100-500, L-ASA-SSL-100-750, L-ASA-SSL-100-1K, L-ASA-SSL-250-500, L-ASA-SSL-500-750, L-ASA-SSL-500-5K, L-ASA-SSL-750-1K, L-ASA-SSL-1K-2500, L-ASA-SSL-2500-5K, L-ASA-SSL-5K-10K

If you want to do Advanced Endpoint Assessment, that is an additional license - L-ASA-ADV-END-SEC - which has AnyConnect Premium as a prerequisite.

joe.ho Wed, 05/30/2012 - 13:55

Thanks for the information. I just want to double confirm. I don't want to order the wrong license. The names are too close and it is easy to get confused.

I want to get name straight because I need to get a quote for clientless and client SSL VPN.

I only have a single ASA 5510. If I want the clientless and client SSL VPN should I be listing these

AnyConnect Premium (client SSL VPN) L-ASA-SSL-250

Browser-based clientless SSL VPN     ASA-VPNS-500=

Is that all I need to get the clientless and client SSL VPN going? No additional license on top of that? Is 500 clientless SSL VPN the minimum? Nothing less than that?

Marvin Rhoads Wed, 05/30/2012 - 14:06

AnyConnect client-based SSL VPN requires only L-ASA-AC-E-5510= for a single 5510.

Clientless (browser-based) SSL VPN requires one of the AnyConnect Premium licenses whose part numbers I listed above. They are available as the names suggest in increments of 10, 25, 50, 100 etc.

The ASA 5510 allows a maximum of 250 Anyconnect Premium clients so the 500+ licensing levels are not applicable for you.

The ASA-VPNS-500= part number is only for when you are setting up a cluster of ASAs to share licenses across multiple appliances. Typically you would only do that with larger installations thus the starting number of 500 in that scenario.

NOTE: AnyConnect Essentials and AnyConnect Premium licenses can NOT be run simultaneously on the same appliance. Once you go the Premium route you are tied to the Premium per-user licensing and the per-appliance model of Essentials is no longer an option.

joe.ho Wed, 05/30/2012 - 14:21

I understand now. I only need L-ASA-SSL-100-250 and that will give me client and clientless SSL VPN capabilities.

joe.ho Wed, 05/30/2012 - 14:25

Not to confuse people. I put the upgrade part number. I will need L-ASA-SSL-250.

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

Correct Answer
Marvin Rhoads Wed, 05/30/2012 - 14:30

Correct - you would need L-ASA-SSL-250.

Buying that will get you an activation code which, when installed on your appliance, will change

     AnyConnect Premium Peers          : 2      perpetual

To "250" (as opposed to the default 2).

Please rate helpful posts.

naheedhassane Mon, 08/24/2015 - 06:29

Hi Marvin, can you explain to me exactly what the difference is between the AnyConnect Premium peers and AnyConnect Essentials?

My ASA version is: ASA5585-SSP-40

AnyConnect premium peers: 2

AnyConnect Essentials: 1000


So I want to configure the ASA to support SSL VPN connections, and I want to know if I have the correct licenses.

Marvin Rhoads Mon, 08/24/2015 - 20:26

All ASAs include the 2 Premium peer licenses. They are mostly for evaluation and the occasional network admin remote access.

You have the purchased license for AnyConnect Essentials. You can use it for remote access SSL VPN (client-based) just fine.

Premium licenses add the capability for clientless SSL VPN (plus a few other less common features).

An ASA has to run one type or the other even if you have both licenses - when you activate the "anyconnect-essentials" command, it disables the Premium features globally on the ASA.
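The either/or behaviour described in this answer can be checked against a saved copy of the "Licensed features" output. The script below is an added example, not part of the original thread: the function names are hypothetical, the sample text is constructed from the values quoted in the question, and whether the "anyconnect-essentials" command is active is passed in as a flag because it comes from the configuration, not from the license table.

```python
import re

# Constructed sample in the "Licensed features" layout quoted in this thread,
# using the two values the poster gave for the ASA5585-SSP-40.
SAMPLE = """\
Licensed features for this platform:
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 1000           perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
"""

DEFAULT_PREMIUM_PEERS = 2  # every ASA ships with 2, per the answer above
FEATURE_LINE = re.compile(r"^\s*([^:]+?)\s*:\s*(\S+)\s+(\S+)\s*$")


def parse_features(text):
    """Return {feature name: value} for each 'name : value term' line."""
    features = {}
    for line in text.splitlines():
        m = FEATURE_LINE.match(line)
        if m:  # the header line has nothing after the colon and is skipped
            features[m.group(1)] = m.group(2)
    return features


def to_int(value):
    return int(value) if value.isdigit() else 0


def assess(features, essentials_cmd_active):
    """Report which remote-access VPN types the appliance can serve."""
    premium = to_int(features.get("AnyConnect Premium Peers", "0"))
    ess = features.get("AnyConnect Essentials", "Disabled")
    ess_licensed = ess == "Enabled" or to_int(ess) > 0
    if essentials_cmd_active and ess_licensed:
        # Essentials mode: client-based SSL VPN only, Premium features off.
        return {"mode": "essentials", "client_ssl": True,
                "clientless": False, "premium_seats": 0, "default_only": False}
    # Premium mode: clientless is available, limited to the Premium peer count.
    return {"mode": "premium", "client_ssl": premium > 0,
            "clientless": premium > 0, "premium_seats": premium,
            "default_only": premium == DEFAULT_PREMIUM_PEERS}


if __name__ == "__main__":
    parsed = parse_features(SAMPLE)
    for active in (True, False):
        print("anyconnect-essentials active:", active, assess(parsed, active))
```

A result with `default_only` set means the appliance is in Premium mode with only the two built-in peers, which is a useful flag when auditing a gateway that is expected to serve clientless users.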

v-romanchuk Wed, 09/02/2015 - 09:28


I want to deploy a cluster of two Cisco ASA 5555-X. Cluster must accept up to 2500 connections for IPSec VPN, SSL VPN and Web (clientless) of VPN clients.

For the first ASA in cluster I want to purchase the following licences:
1. ASA-VPNS-2500 - Premium Shared VPN Server License - 2500 users
2. ASA-VPNP-5555  - Premium Shared VPN Participant License - ASA 5555-X

For the second ASA in cluster I want to purchase the following license:
1. ASA-VPNP-5555  - Premium Shared VPN Participant License - ASA 5555-X

Tell me, please, are these licenses enough for the above-mentioned requirements?

Thank you in advance for the answer.

Marvin Rhoads Wed, 09/02/2015 - 09:37

The old license types are now end of sales.

See this announcement which confirms the last possible order date for them was 31 August 2015.

Going forward you would order AnyConnect 4.x licenses - Apex type is equivalent to the old Premium licenses. You no longer need to order the VPN Shared Server and Participant license types as you are licensed per unique user and the activation-keys can be generated for multiple ASA serial numbers - whether they are in HA, cluster or totally separate modes.

So you would need 2500 Apex licenses. They are term-based so you need to decide on a 1-, 3- or 5-year term and order accordingly.

v-romanchuk Thu, 09/03/2015 - 03:36

Hello, Marvin!

Thanks for the link to the AnyConnect ordering guide. Everything there is described clearly enough.

If it is possible, one more question. Here the quote from the ordering Guide:

"Apex and Plus licenses can be mixed in the same environment". 

Do I understand correctly that if, for example, it is necessary to provide connection to a cluster for 100 SSL VPN users and 100 Web VPN users, I have to order 100 AnyConnect Plus licenses and 100 AnyConnect Apex licenses for each device in the cluster?

Amit Mahajan Wed, 06/25/2014 - 05:36

Hello Marvin,

I have an ASA5510 with v8.2 with base lic, which says "IPsec VPN Peers = 250".

Does "IPsec VPN Peers" mean "both site-to-site and remote access IPSec VPN client" or does it mean only site-to-site VPN?

If I want the users to connect using the AnyConnect client, do I need to buy an extra lic or will it be utilized from the 250?

If I have two Cisco ASA 5510s in HA with Security Plus lic, and one of the ASAs has the L-ASA-SSL-250 lic installed in it, do I need to buy L-ASA-SSL-250 for the other fail-over device or is it not required, as after fail-over the primary lic will be transferred to the secondary unit?

Thanks in advance,




Marvin Rhoads Wed, 06/25/2014 - 08:02


"IPsec VPN peers" means as you noted in your question. It does not include AnyConnect client-based remote access VPN (either SSL or IPsec IKEv2 mode).

In an HA pair, the L-ASA-SSL-250 license is only required on one member (as of ASA 8.3 or later).

Amit Mahajan Wed, 06/25/2014 - 23:04


Thank you for the help. A few queries though.

Please find my current ASA details in brackets:

[System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ASA up 53 mins 32 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB]

1] I have ASA v8.2 - will I need 2 nos. of L-ASA-SSL-250 in an HA pair?

2] Should I upgrade my ASA from v8.2 to v8.3 and then buy 1 qty. of L-ASA-SSL-250? What do you suggest?

3] While upgrading my ASA from v8.2 to v8.3 (or later) will I need to upgrade my ASA RAM/FLASH? Kindly go through my ASA HW details above.

thanks in advance,



Marvin Rhoads Thu, 06/26/2014 - 11:54

You're welcome.

1. If you wanted to stay with 8.2 then yes you would need identical licenses purchased separately on both units.

2. I would suggest upgrading. I would skip 8.3(x) altogether. 8.4(7) or 9.0(3) are the currently recommended "most stable" releases for that platform. Reference.

3. An ASA 5510 with 1 GB of RAM can run the later versions of software (8.3 all the way through 9.1(5) - 9.2+ is not being developed for the older non-SMP hardware except the 5505). Reference.

One question - if you're adding a second 5510 is it one you have on hand already? I ask because those were end of sales since last year.

Amit Mahajan Thu, 06/26/2014 - 22:05

Hello Marvin

Yes, you are correct. We have second ASA5510 in our stock.

Thanks again for your great help.



alexdelangel Mon, 08/18/2014 - 20:25

Hello friends!

Please allow me to resurrect this old post.

Marvin, would you please explain what the ASA-ADV-END-SEC license is used for? Also, what is the ASA5505-SEC-PL license used for?



Marvin Rhoads Thu, 08/21/2014 - 06:38


ASA-ADV-END-SEC is used to enable the Advanced Endpoint Assessment feature. AEA allows one to inspect clients for many features and even direct them with remediation messages etc. to validate compliance with standards (OS type, patch level, antivirus status, etc.) prior to allowing network access.

SEC-PL is Security Plus and allows several things such as high availability setup etc. on an ASA-5505. The 5510 and 5512-X have an equivalent offering. All higher models have the abilities built in to their base licenses.

