
Does Cisco AnyConnect enable the IPsec feature?

Sun, 03/01/2015 - 21:29
Apr 28th, 2014

Introduction

This document describes a problem faced by a user while implementing Cisco AnyConnect.

Prerequisites

  • ASA 5520
  • IOS ver 8.2(5)
  • ASDM
  • Cisco AnyConnect client

Problem

The user has a Cisco ASA5520 with Software Version 8.2(5) in place. Most of the users are Mac users, and he is currently looking into Cisco AnyConnect in comparison to using the VPN client.

The user has a couple of questions:

  1. Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
  2. From the license information I have below in my ASA, I understand that I can have max 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?

Licensed features for this platform:

  • Maximum Physical Interfaces    : Unlimited
  • Maximum VLANs                  : 150
  • Inside Hosts                   : Unlimited
  • Failover                       : Active/Active
  • VPN-DES                        : Enabled
  • VPN-3DES-AES                   : Enabled
  • Security Contexts              : 2
  • GTP/GPRS                       : Disabled
  • SSL VPN Peers                  : 2
  • Total VPN Peers                : 750
  • Shared License                 : Disabled
  • AnyConnect for Mobile          : Disabled
  • AnyConnect for Cisco VPN Phone : Disabled
  • AnyConnect Essentials          : Disabled
  • Advanced Endpoint Assessment   : Disabled
  • UC Phone Proxy Sessions        : 2
  • Total UC Proxy Sessions        : 2
  • Botnet Traffic Filter          : Disabled 

3. When trying to set up Cisco AnyConnect on the ASA using ASDM, the user noticed that he needs to upload AnyConnect client images; however, when he did this by uploading the .dmg file for Mac machines, he got the error message "not a valid SVC image". Is this because he is running 8.2?

Solution

1. Cisco AnyConnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the AnyConnect client, the connection will consume the SSL license and not the IPsec license. However, if you use IPSECv2 for connections such as site-to-site VPN, it will consume the normal IPsec VPN license.

2.

  • SSL VPN Peers: This license determines the number of users who can connect using the SSL protocol, i.e. using the AnyConnect client as well as the web-portal-based client, also known as clientless VPN. Here I see there are only 2 licenses, so at any point in time only 2 users can connect successfully. Because 750 is the total number of licenses available for VPN connections on the ASA, only 698 will be available for the IPsec connections.
  • AnyConnect for Mobile: This license is required whenever a user is connecting from a handheld device such as an iPhone, iPad, or tablet.
  • AnyConnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol. To enable this feature, you should have this license enabled on the ASA.
  • AnyConnect Essentials: For AnyConnect there are two licenses: (a) AnyConnect Premium and (b) AnyConnect Essentials. AnyConnect Essentials is cheaper compared to the AnyConnect Premium license. This license is for those who do not use WebVPN or clientless VPN. When this license is enabled, the user can only connect from the AnyConnect VPN client.

3. I am not sure what image you are using on the ASA. Please try the image named anyconnect-macosx-i386-2.5.2010-k9.pkg.

 To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.
   svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg

If your requirement is to connect more clients at the same time, then I would suggest that you purchase more licenses for AnyConnect. If your requirement is to connect only the AnyConnect VPN client and not the clientless one, then go for the AnyConnect Essentials license, which is cheaper compared to the Premium license and will fulfill all your requirements too.

Source Discussion

Cisco AnyConnect does it do IPsec?
