Solved: Re: fp2100 in asa mode run anyconnect

TCAM · ‎03-20-2019

Hi - How to determine FP2100 in asa mode installed with anyconnect license?

Below is the show version outputs. It said AnyConnect Premium Peers : 3500

Does it mean this box is capable to handle up to 3500 anyconnect client or client-less connections?

I thought now a day, AnyConnect is a subscription-based license per year, if it is, how to check? Thanks

Maximum Physical Interfaces : Unlimited
Maximum VLANs : 1024
Inside Hosts : Unlimited
Failover : Active/Active
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
Carrier : Disabled
AnyConnect Premium Peers : 3500
AnyConnect Essentials : Disabled
Other VPN Peers : 3500
Total VPN Peers : 3500
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total TLS Proxy Sessions : 8000
Cluster : Disabled

Marvin Rhoads · ‎03-26-2019

By default it will show the 2 "Premium" (actually Apex these days but they haven't updated the output) licenses included with all ASAs.

Once you install a license the count in the output will change to the platform maximum no matter whether you license was for the minimum, maximum or somewhere in between.

It's up to the customer admin to know how many licenses they need an purchase the appropriate number. Only using what you're licensed for is part of the End User License Agreement (EULA). The count is not currently enforced by the appliance.

That applies for Plus, Apex or VPN Only AnyConnect license types.

View solution in original post

Marvin Rhoads · ‎03-21-2019

Since Anyconnect 4.x, "show version" or "show activation-key" always shows the maximum number of remote access VPN clients supported by the platform.

You cannot see the number actually licensed - that is an administrative thing you need to keep track of on your own. It's a limitation of the current software not matching the licensing model.

TCAM · ‎03-26-2019

Thanks Marvin - So the show version output is just showing the platform can support up to 3500 connections, it doesn't mean 3500 anyconnect users can connect to the box? In the other words, I still need to purchase AnyConnect Apex license for AnyConnect user to connect to the box. Am I understand you correctly? Thanks

Marvin Rhoads · ‎03-26-2019

By default it will show the 2 "Premium" (actually Apex these days but they haven't updated the output) licenses included with all ASAs.

Once you install a license the count in the output will change to the platform maximum no matter whether you license was for the minimum, maximum or somewhere in between.

It's up to the customer admin to know how many licenses they need an purchase the appropriate number. Only using what you're licensed for is part of the End User License Agreement (EULA). The count is not currently enforced by the appliance.

That applies for Plus, Apex or VPN Only AnyConnect license types.

TCAM · ‎03-26-2019

Thanks, your 2nd to last paragraph is interesting, It sounds like if I just install 5 licenses, I can still use all 3500 connection since Cisco has not yet enforced the requirements, Like a honor system.

Marvin Rhoads · ‎03-26-2019

It is an "honor system" with a EULA. Don't count on it being that way forever though.

AnyConnect isn't really all that expensive when one considers all it provides. There's no good reason to not pay for value received.

TCAM · ‎03-27-2019

Thanks Marvin, I agreed, we should pay for the license.