cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7933
Views
55
Helpful
23
Replies

ise licensing renewal

bluesea2010
Level 5
Level 5

Hi,

My cisco ise license is expiring and try to renew but the license won't get on time due to  the situation  . Is it possible to add a trial license  

Thanks

1 Accepted Solution

Accepted Solutions

Your end users will not be impacted when the license expires.

As noted in my reply from 6 April:

Alerts will be provided every day that a license is out of compliance. For term licenses, alerts are provided, 90, 60 and 30 days before expiry and also for the last 30 consecutive days before expiry.
Impact: There will be no impact to end users. Existing configuration continues to operate without disruption. However, visibility and management of the features associated with an out-of-compliance license will be affected.

 

View solution in original post

23 Replies 23

Marvin Rhoads
Hall of Fame
Hall of Fame

Your expired license will continue to work for end users. Management of the features for expired licenses will be curtailed.

See the following, quoted from the ordering guide:

 

Relevant ISE releases: 2.2 and later
Out of compliance: A license is out of compliance when
(a) the deployment uses more than 125% (to account for a temporary burst of usage) sessions compared to the quantity purchased; or
(b) the licenses have expired without renewal.
Compliance enforcement: The impact described below is experienced after a deployment is out of compliance for 45 out of 60 consecutive days.
Alerts will be provided every day that a license is out of compliance. For term licenses, alerts are provided, 90, 60 and 30 days before expiry and also for the last 30 consecutive days before expiry.
Impact: There will be no impact to end users. Existing configuration continues to operate without disruption. However, visibility and management of the features associated with an out-of-compliance license will be affected.

Hi @Marvin Rhoads 

under license  usage ,current usage  use shows like below 

 

base  : licensed  500 consumed 15000

apex  :icensed  500 consumed 0

plus    licensed 500 consumed  0 

 

In that case  ,how do I calculate the  qty  required  for the base license ?

and Why  apex and plus   shows consumed 0 

second thing ,  I have now base ,apex and plus  , each qty 500 .When I renew  do I need to renew the same amount  for each

Or I can remove the  apex and plus 

Thanks 

 

 

It sounds like your deployment is improperly licensed in comparison to what you are using.

If none of your policies use features in the Plus or Apex tiers then you can safely remove the expired/expiring licenses and be just fine.

Base licenses never expire but if you are using 15000 vs. 500 purchased then you are very much out of compliance.

hi @Marvin Rhoads 

As far as I know  Anyconnect  requires apex  license , but I am confused  why apex does not show any 

usage 

I am planning to  assign ip address based on the users group  for wireless users . so I need plus license 

 

One more question  , when I  renew license  still do I need to get support license additionally 

 

Thanks

 

 

First, AnyConnect licensing is never reflected in your ISE deployment. You only need AnyConnect Apex licenses if you are using ISE for Posture/Compliance use case and not using agentless posture. If you have no posture policies then you don't need AnyConnect Apex.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc18

If you are using AnyConnect Network Access Manager (NAM) module as your 802.1x supplicant (which can be done with ISE Base licenses) it only requires AnyConnect Plus licenses (still, AnyConnect licenses - no matter what type - are managed completely separate from your ISE deployment).

Hi @Marvin Rhoads 

You are really helpful . 

Thanks for the reply . it would be great help if you tell me the difference between the below 

 

1 ) L-ISE-BSE-PLIC  and L-ISE-BSE-P3

2 ) L-ISE-PLS-LIC and  L-ISE-PLS-1Y-S3

you said "First, AnyConnect licensing is never reflected in your ISE deployment " .

what you mean by  

Anyconnect license is on ASA , right ? 

Do we need anyconnect apex on license on ASA and    ise apex license  at the same time for posture/ compliance 

Thanks  

 

 

 

 

 

 

 

 

L-ISE-BSE-PLIC is the top level SKU for ISE Base licenses. Depending on how many are in a given order the price varies and a different sub-SKU applies. L-ISE-BSE-P3 is for orders with 500-999 licenses.

L-ISE-PLS-LIC and the associated sub-SKU is similar with the added distinction that Plus (and Apex) licenses are term-based so they also specify the term (1, 3 or 5 years).

AnyConnect Apex licensing on the ASA is necessary if you are doing posture compliance checking for your remote access VPN clients. On the ASA it appears as "AnyConnect Premium" (the old nomenclature) and, no matter how many are in the purchase, activating an AnyConnect PAK on the ASA will always show the maximum number supported by the hardware - not the purchased number. This is because you are licensed per unique users, not by number of potential sessions.

You could also be doing posture compliance checking on wired or wireless clients (non-VPN) and they would also require AnyConnect Apex licenses. In this latter case, no appliance actually monitors usage of those licenses - it is up to the admin to know what is being installed and remain compliant with the terms of the licensing agreement (i.e., with respect to number used).

Hi @Marvin Rhoads 

Thanks a lot of your support . My maintenance support team  advised  to delete the existing  subscription license(not trial) for base ,apex plus- 500 qty reach 

and add a trial license or base ,apex plus- 100 qty  till we get the subscription license . His point is that if base  license expired nothing will work , your vpn authentication may stop , wireless authentication fails . Based on your previous reply I tried to convince him authentication process will continue .  

 

what is the impact of deleting the existing  license (base ,plus ,apex)  ,add evaluation license and later import 500  subscription license .

Any benefit or negative impact .

My current license renewal  is under process  , I will receive only after subscription license expires .

 

Thanks a million 

 

 

 

@bluesea2010 ISE Base licenses generally don't expire (exception being the old mobility licenses but we seldom see those anymore since they haven't been sold for the past four years and had a maximum five year term). So there's no reason to delete your permanent Base licenses.

I don't mean to disparage anyone, but it sounds like your maintenance support team might not be very familiar with ISE licensing. Still, if you want to follow their advise vs. that of someone who's been working with ISE for about 8 years, that's your call.

Hi @Marvin Rhoads 

The license is bought  5 years back for five year term  . So it may be  mobility license  ? 

attached the screenshot , is it mobility license . 

 

" but it sounds like your maintenance support team might not be very familiar with ISE licensing." 

 

That's true . Thats the reason I am following your advise . 

Now  I got confused  . How to verify that I am using mobility license . 

 

 

Thanks 

Yes - you have the old Mobility license. It is no longer sold or eligible for renewal.

So you would indeed have to delete the existing license to install a 90-day Evaluation license. However make sure you can get one first - that is, actually get it and confirm it.

Cisco would technically have the right to not issue an evaluation license to a deployment that already has a purchased term license.

Best approach is to buy the proper license that you require. Those are typically issued within 24-48 hours after the sales order is placed in the Cisco system.

 

Hi @Marvin Rhoads 

 

So in that case , if I don't renew I will loose all the connectivity . I have only two days .

currently  my apex and plus usage is 0 , so If I renew only base license  remote users (VPN) can authenticate  ? 

Thanks

 

Your end users will not be impacted when the license expires.

As noted in my reply from 6 April:

Alerts will be provided every day that a license is out of compliance. For term licenses, alerts are provided, 90, 60 and 30 days before expiry and also for the last 30 consecutive days before expiry.
Impact: There will be no impact to end users. Existing configuration continues to operate without disruption. However, visibility and management of the features associated with an out-of-compliance license will be affected.

 

Hi @Marvin Rhoads 

"Your end users will not be impacted when the license expires."

I got your point . 

I thought this is only for the new license and not for the old mobility license scheme

Thanks