cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7477
Views
0
Helpful
3
Replies

Anyconnect license clarification needed

Good day everyone,
I know it has been discussed before but still after reading cisco.com and Netpro resources
I came up confused about this, so would much appreciate clarification,if possible with references .
Issue is simple - ASA5505 , client wants to have 25 AnyConnect users to be able to connect simultaneously (no need specifically in clientless, network mode Anyconnect will do).
My question is - will L-ASA-AC-E-5505= license provide for this ?
if not, then which one instead of this or in addition (Security Plus, L-ASA-SSL-25=, something else) ?

My problem understanding the documentation is that many sources say that cumulative number of
connected VPN clients cannot pass [and here definitions vary] - " maximum concurrent IPsec session count shown in the chart [here ASA5505 is 25]. " or " number of licensed sessions on the device" [how do I see this in ASA ?]  ...

To simplify my question I see following possible combinations, which one will provide for 25 AnyConnect client users ?

Base License + L-ASA-AC-E-5505=
Base  License + L-ASA-SSL-25=
Plus license + L-ASA-AC-E-5505=

Thanks
Yuri


PS Some references I consulted so far :
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

https://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_license.html#wp1971019
https://supportforums.cisco.com/message/3569899#3569899

Sh ver of ASA:

System image file is "disk0:/asa832-k8.bin"

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB

Licensed features for this platform:

Maximum Physical Interfaces    : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                          : Disabled       perpetual
VLAN Trunk Ports                : 0              perpetual
Inside Hosts                         : 10             perpetual
Failover                                 : Disabled       perpetual
VPN-DES                               : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Enabled        perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA 5505 Base License by itself allows 10 simultaneous IPsec peers.

Adding either AnyConnect Essentials (L-ASA-AC-E-5505=) or the Security Plus license (ASA5505-SEC-PL=) increases that limit to 25. The advantage of Essentials is that it adds support for AnyConnect clients (IPsec-IKEv2 or client-based SSL VPN remote access) as opposed to the older IPSec-IKEv1 Cisco VPN client you would otherwise be limited to.

Your output above indicates you have AnyConnect Essentials license activated so you should be good to go.

Note you are limited to 10 inside hosts due to your user level license (limitation unique to 5505). To increase that you would need either ASA5505-SW-10-50= or ASA5505-SW-50-UL= to increase it to 50 or unlimited users, respectively.

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA 5505 Base License by itself allows 10 simultaneous IPsec peers.

Adding either AnyConnect Essentials (L-ASA-AC-E-5505=) or the Security Plus license (ASA5505-SEC-PL=) increases that limit to 25. The advantage of Essentials is that it adds support for AnyConnect clients (IPsec-IKEv2 or client-based SSL VPN remote access) as opposed to the older IPSec-IKEv1 Cisco VPN client you would otherwise be limited to.

Your output above indicates you have AnyConnect Essentials license activated so you should be good to go.

Note you are limited to 10 inside hosts due to your user level license (limitation unique to 5505). To increase that you would need either ASA5505-SW-10-50= or ASA5505-SW-50-UL= to increase it to 50 or unlimited users, respectively.

Thanks a lot

Yuri

Sorry to hijack a thread, but I too need just a little clarification.

Current licensing shows

Licensed features for this platform:

Maximum Physical Interfaces    : 8        

VLANs                          : 3, DMZ Restricted

Inside Hosts                   : 50       

Failover                       : Disabled

VPN-DES                        : Enabled  

VPN-3DES-AES                   : Enabled  

SSL VPN Peers                  : 2        

Total VPN Peers                : 10       

Dual ISPs                      : Disabled 

VLAN Trunk Ports               : 0        

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled 

AnyConnect for Cisco VPN Phone : Disabled 

AnyConnect Essentials          : Disabled 

Advanced Endpoint Assessment   : Disabled 

UC Phone Proxy Sessions        : 2        

Total UC Proxy Sessions        : 2        

Botnet Traffic Filter          : Disabled 

This platform has a Base license.

I have about 15 users that want VPN capability (not sure how many would be connected concurrently, but assume it would be more than 2) If I am reading you correctly, I can add the Anyconnect essentials L-ASA-AC-E-5505= and that would allow up to 25 VPN users, but they would need to use the anyconnect client and not the web based ssl (not a problem)  or I could add the L-ASA5505-SEC-PL= to allow the same number of VPN connections????  but the L-ASA5505-SEC-PL= costs almost 10 times what the L-ASA-AC-E-5505= does. (at least using CDW pricing)

To add to my confusion the Cisco chat tech told me to purchase L-ASA-SSL-10= to allow 10 VPN users (at an even higher cost) - - - and I am hoping to allow a few of my users to connect using an android tablet - Does that require a mobility license for each android tablet? or just a mobility license for the 5505 to allow "non computer" connections?

Thanks for any clarification

Dennis

Review Cisco Networking for a $25 gift card