Solved: fp1120 in ASA mode run anyconnect

MohammadKayed · ‎06-28-2020

Below is the show version outputs. It said AnyConnect Premium Peers : 150

Which is the device limit of users , and I know that the ASA will use the device limit despite the license installed.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      
Maximum VLANs                     : 512            
Inside Hosts                      : Unlimited      
Failover                          : Active/Active  
Encryption-DES                    : Enabled        
Encryption-3DES-AES               : Enabled        
Security Contexts                 : 3              
Carrier                           : Disabled       
AnyConnect Premium Peers          : 150            
AnyConnect Essentials             : Disabled       
Other VPN Peers                   : 150            
Total VPN Peers                   : 150            
AnyConnect for Mobile             : Enabled        
AnyConnect for Cisco VPN Phone    : Enabled        
Advanced Endpoint Assessment      : Enabled        
Shared License                    : Disabled       
Total TLS Proxy Sessions          : 320            
Cluster                           : Disabled

But my question from where the ASA took this license ? is it considered as entitlement ?

I can see that in my account anyconnect plus license used is 0 and purchased 50 , Also from show version the essential is disabled and the TLS 320 which means this license is more about Apex than Plus.

So does it mean when the ASA registered through the Token and take the standard entitlement , It will use the device limit despite the license in the account ?

My questions are :

-What is the standard license exactly ? some devices are activating the 3DES without asking for extra entitlement from the account , so it will vary according to what exactly we have purchased and might include any-connect ?

-this any-connect (Cisco AnyConnect Plus License) license in the account is it for ASA or FTD ?

-How the device is using the any-connect license currently ?

Marvin Rhoads · ‎06-28-2020

Your entitlement is according to what you have purchased.

No matter the number you purchase, the device (ASA or FTD, virtual or physical) will always show the platform maximum because one user can have multiple connections at the same time and the licenses are per unique user.

Similarly your purchased license(s) can be used on multiple headends - ASA and FTD or a mix of both. It is up to the admin to remain compliant with the entitled number of licenses. Cisco does not currently enforce it on the devices (beyond the platform maximum and difference between Plus or Apex (previously known as Essentials or Premium and still appearing that way in the show command output)).

View solution in original post

Marvin Rhoads · ‎06-28-2020

Your entitlement is according to what you have purchased.

No matter the number you purchase, the device (ASA or FTD, virtual or physical) will always show the platform maximum because one user can have multiple connections at the same time and the licenses are per unique user.

Similarly your purchased license(s) can be used on multiple headends - ASA and FTD or a mix of both. It is up to the admin to remain compliant with the entitled number of licenses. Cisco does not currently enforce it on the devices (beyond the platform maximum and difference between Plus or Apex (previously known as Essentials or Premium and still appearing that way in the show command output)).

MohammadKayed · ‎06-28-2020

Thank you for your replay.

Does the purchased number in my account (50) is cosmetic ? To prove that I am complaint.(purchased 50 , in use 0 , balance 50)

Previously as I remember in another account we had 3 licenses:

Apex , plus and vpn only and the they were in use (in use number was not 0) by FTD devices.

Because of that i am asking about this license.

Also all customers will have any connect premium license activated or according to what the ASA will know it should go for the device limit or stays with 2 licenses.

Marvin Rhoads · ‎06-28-2020

Purchased/licensed number only appears in your software.cisco.com page for Smart and Classic AnyConnect Plus and Apex licenses. VPN Only is a bit different as it applies to concurrent connections.

Any ASA will show the two "Premium" licenses (included for demo use) until it has either an activation-key (classic license for ASA hardware appliances) or Smart License (for ASAv and ASA on Firepower hardware) applied. Then it will show the platform maximum.

MohammadKayed · ‎06-28-2020

Thank you again.

Yes i mean the license on the smart account is not being used and shown as balance +50

But the standard and context are in use.

So adding a token to have fpr1100 standard entitlement will make the device reach the maximum for any connect?

Why the anyconnect license is not showing in use 1 in my account, what is the purpose of having this mentioned in my account.

MohammadKayed · ‎06-28-2020

As you can see in here I have two FPR 1120.

I tried to ask for extra entitlement ( extra 1 context in each device ):

#license smart

#feature context

without having balance in my account , I can see after the balance is -2 and the status is out of compliance for that entitlement.

But the question , what the number 50 mean ?

I have another account for FTD devices I can see the license has been used from the account ( in use is not 0 ) , It will be used in case of PLR ?

Marvin Rhoads · ‎06-28-2020

You are now asking about ASA licenses. Those are to run ASA image on Firepower and not directly related to Firepower.

You also mentioned PLR (Permanent License Reservation), a separate topic.

If you're using PLR, your license portal will look different. Normally when we have AnyConnect smart licensing (without PLR) we see a quantity 99999 indicating you can use the licenses on as many headends as you have. PLR is a very uncommon feature and I would recommend you consult with your Cisco Account Manager or SE to better understand it if your environment uses PLR.