cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18978
Views
0
Helpful
12
Replies

Cisco Anyconnect users License

omer_babiker
Level 1
Level 1

Hi all,

Here is my license information:

   

Cisco Adaptive Security Appliance Software Version 8.2(5)26
Device Manager Version 6.4(7)


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                  : Unlimited
Failover                      : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                  : Enabled
Security Contexts              : 2
GTP/GPRS                      : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment  : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license

I just want to increase the number of Anyconnect users. Do I just buy the ( ASA5500-SSL-10) license or Anyconnect Essentials license.

In other words, does the current license support more than 2 users if I buy  ASA5500-SSL-10?

How can I buy such a license and how can I install it in the asa?

Thanks & your Help is highly appreciated.

Omer

2 Accepted Solutions

Accepted Solutions

Correct, you can buy either option 1 or 2, but for option 2, you just need the AnyConnect Premium license as ASA5500-SSL-10 is the AnyConnect Premium license.

here is more information on the AnyConnect license:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

On ASA5520, it supports 750 concurrent users with AnyConnect Essential license.

AnyConnect Essential is cheaper than the AnyConnect Premium license, however, I have no idea how much it costs.

View solution in original post

you can calculate with about $800 for the 10-User-Premium and $200 for the Essentials (based on Amazon.com).

View solution in original post

12 Replies 12

Jennifer Halim
Cisco Employee
Cisco Employee

Depending on what you are after, if you just want full tunnel SSL VPN (AnyConnect), then you can buy the AnyConnect Essential license. However, if you need full tunnel SSL VPN, clientless SSL VPN and the advanced feature of SSL VPN, then you would need the AnyConnect Premium license (user base license), and ASA5500-SSL-10 will allow you 10 concurrent SSL connections.

You can buy the license from Cisco Partner/Reseller, and you will receive PAK which you can activate online:

https://tools.cisco.com/SWIFT/LicensingUI/Home

Then it will provide you with activation key that you will need to enter on the ASA using the command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1658657

Hope that answers your questions.

Thanks Jennifer,

Let us see if I get this correctly: I have two options:

1- Buy Anyconnect Essential license

or

2- Buy AnyConnect Premium license (user base license) + ASA5500-SSL-10 license

               (for SSL VPN + clientless SSL VPN)

One last thing; How many concurrent users does the essential license support? how much you think it will cost roughly?

Correct, you can buy either option 1 or 2, but for option 2, you just need the AnyConnect Premium license as ASA5500-SSL-10 is the AnyConnect Premium license.

here is more information on the AnyConnect license:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

On ASA5520, it supports 750 concurrent users with AnyConnect Essential license.

AnyConnect Essential is cheaper than the AnyConnect Premium license, however, I have no idea how much it costs.

Hi Jennifer,

Some questions arise to my head, could you please help to clarify them.

Does upgrading to essentials license requires reload?

Is there any specific way to upgrade when using Acive/Standby failover?

I want to avoid any downtime.

Thanks,

Omer

No, upgrading to AnyConnect Essential license does not require any reload. You just have to apply the new activation key that include the license, and also configure anyconnect essential command under your webvpn config.

To avoid downtime, please configure both the activation key to the respective ASA (check the serial# is correct) at the same time. This will not cause any downtime. Since you are running version 8.2.5, you would need to have the same license on both ASA, otherwise it will disable the failover. If you are running version 8.3 and above, you don't have to run the same license on ASA and failover will continue to work.

Thanks Jennifer, but I didn't get how you can configure both ASA's at the same time!

I've read in some documentation that I have to disable the failover in the active unit, and then configure the activation key for both. After that enable the failover. Is that correct?

In many terminal-programms you can ssh into more that one host and combine those sessions. Every command you type is then sent to both sessions at the same time. With that the configuration should work without doing any harm to your setup.

Hi Karsten,

Sorry, but still I didn't get it!! How can two different commands (different activation keys) be sent at the same time.

I'm using TeraTerm, and not sure if I can combine sessions on it

Usually, when I configure a command in the configuration mode in the active ASA; it immediately get reflected in the standby one (e.g: access-list command). If that's the case for the activation-key command, it will create problem as the activation key can only be used once as far as I know.

Also, if I disable the failover (using no failover command) in the active unit; does this stop reflecting the commands to the standby unit??

Thanks,

You can open 2 tera term session, ie: telnet or ssh to both Active and Standby ASA. Then configure the activation key respectively on both ASA before you click "Enter" to send the command to both ASA. Once you confirm the command has been typed in correctly, hit "Enter" on one ASA then immediately on the other ASA. This will send the activation key at more or less the same time. Activation key does not get replicated to the standby unit btw.

To minimize the chance of breaking your failover for longer time then needed, you can paste both activation-keys to both ASAs. One key gets rejected and the other is applied.

Sent from Cisco Technical Support iPad App

you can calculate with about $800 for the 10-User-Premium and $200 for the Essentials (based on Amazon.com).

Thanks Jennifer & Karsten

That was so helpful. I learned a lot from you guys

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: