Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
2
Replies

ASA PAK to APEX Licenses with additional mobile feature

MS-JK
Level 1
Level 1

‎09-28-2021 07:50 PM - edited ‎09-28-2021 07:53 PM

Existing:  HA pair active/standby ASA 5585-SP20 running version 9.12 with VPN Premium License.

Want: Enabling the "anyconnect mobile" feature on existing ASAs VPN utilizing new APEX license and keeping all other existing licensing in place.

 

Existing License INFO:

image.png

 

New License to be applied on the ASA:

image.png

When issuing activation-key on the existing ASA to apply new APEX license from above, a warning is received:

 

The following features available in running permanent activation key are NOT available in new permanent activation key:

Any Connect Essentials

10GE I/O

 

image.png

 

Question 1: I'm assuming here that the NEW AnyConnect Premium license is a replacement of the new Essentials license? And I will not see ANY outage to existing VPN clients. What about the actual reference in the running-config for "anyconnect-essentials"  - will this be replaced with the new license?

image.png

 

Question 2: The 10GE I/O Plus feature in the NEW license should replace the existing 10GE I/O license correct? My 10G interfaces will not go down with the new license.

Question 3: Will there be any outage (aka reboot required) for new licenses to take effect or this HA pair?

Question 4: Any recommended step procedure for HA pairs here to maybe break the pairs and only test this on primary and fail to secondary just in case licenses mess things up?

 

Thank you for your feedback!!

0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-28-2021 08:31 PM

1. If you had AnyConnect Essentials (3.x license type and still referenced even on ASAs running 4.x licenses) and update your ASA with an activation key that includes AnyConnect Apex then yes the "anyconnect-essentials" command will be removed. That bit allows you to use all of the advanced AnyConnect features including what used to be separately licensed such as Advanced Endpoint Assessment, AnyConnect for Mobile etc.

2. You should request TAC regenerate an activation key that includes the 10GE I/O however. That's independent of AnyConnect and might not be automatically included when generating the key via self-service.

3. No outage or reboot is required.

4. We don't usually do this as it adds more complexity and introduces the possibility of unrelated problems. I do recommend saving the current activation key first (from both units in an HA pair) so that you can easily revert to it in case of any issue. Generally speaking, HA pairs share the licenses (since release 8.3+) with just a few exceptions.

0 Helpful

MS-JK
Level 1
Level 1
In response to Marvin Rhoads

‎09-28-2021 08:44 PM

Hi Marvin - thanks for your reply and feedback. The 10G interfaces - the new license has 10G I/O Plus. I'm wondering if this is same (can't find why/what the "plus" means vs just 10GE I/O. Existing ASAs have 10G I/O enabled and license for them. One would assume its the same, but cant find reference.

 

Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card