Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4876
Views
17
Helpful
7
Replies

View the number of AnyConnect smart licenses in FMC

Go to solution
cfitzgerald
Level 1
Level 1

‎11-27-2020 12:22 PM

We just purchased an additional 200 AnyConnect Plus licenses to go with the previous 25 we had before. I went into our Smart Account and converted the PAK to a SmartLicense, and the refreshed the Smart License in the FMC. However, I just can't figure out where to see that we now have 225 licenses available now in the FMC. Is there anywhere to confirm I;ve added everything correctly? Admin guide is not helping...thanks.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-28-2020 03:36 AM - edited ‎11-28-2020 03:43 AM

It's still not available as of FTD (or FMC) 6.7:

> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :          5 :           1 :        0
  SSL/TLS/DTLS               :      0 :          5 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      0             Total Cumulative :      5
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------

>

Even though the Smart portal shows you the purchased number of licenses, it gives you a misleading count as it registers the number of devices that have registered licenses to the portal - not the number of licenses in use.

For instance, in this example we are looking at a customer with an HA pair of Firepower 2140 appliances running FTD 6.7. They have on average 100-150 users connected but the portal will only ever show "2" in used because that's the number of appliances. It will never show the number of users vs. what's in use. That's a limitation of the software at this time.

Smart Software Licensing AnyConnect Inventory.PNG

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cfitzgerald

‎11-30-2020 06:27 AM

You're welcome. When you associate your FTD  devices with your smart account  (or an ASA with a PAK-based AnyConnect 4.x license) AnyConnect licenses they will then accept up to the maximum number of simultaneous sessions supported by the platform. So there's no worry about users being rejected until you reach the platform limit.

Your licensed limit for AnyConnect is a "right to use" license - read that as you are responsible for ensuring compliance and Cisco does not (currently) enforce it at the device level. We sometimes refer to this as the "honor system".

View solution in original post

7 Replies 7

Go to solution
cfitzgerald
Level 1
Level 1

‎11-27-2020 12:26 PM

I found this previous Community response: https://community.cisco.com/t5/vpn/show-anyconnect-vpn-smart-licenses-usage/m-p/4051126/highlight/true#M270876

 

Looks like FTD and FMC simply cannot show this data.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎11-27-2020 12:30 PM

Hi @cfitzgerald 

Not from the FMC itself, but on the FTD CLI does the command "show vpn-sessiondb" or "show vpn-sessiondb license-summary" provide the information you require?

 

HTH

Go to solution
cfitzgerald
Level 1
Level 1
In response to Rob Ingram

‎11-30-2020 05:57 AM

"show vpn-sessiondb license-summary"

Is not a valid command on my FTD. show vpnsessiondb does not show how many anyconnect licenses are available.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-28-2020 03:36 AM - edited ‎11-28-2020 03:43 AM

It's still not available as of FTD (or FMC) 6.7:

> show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :          5 :           1 :        0
  SSL/TLS/DTLS               :      0 :          5 :           1 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :      0             Total Cumulative :      5
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------

>

Even though the Smart portal shows you the purchased number of licenses, it gives you a misleading count as it registers the number of devices that have registered licenses to the portal - not the number of licenses in use.

For instance, in this example we are looking at a customer with an HA pair of Firepower 2140 appliances running FTD 6.7. They have on average 100-150 users connected but the portal will only ever show "2" in used because that's the number of appliances. It will never show the number of users vs. what's in use. That's a limitation of the software at this time.

Smart Software Licensing AnyConnect Inventory.PNG

Go to solution
cfitzgerald
Level 1
Level 1
In response to Marvin Rhoads

‎11-30-2020 06:00 AM

thanks for your help. So there is probably no way to know whether you are approaching you AnyConnect limit other than manually watching the vpnsessiondb count, or possibly catching a syslog message when a user authentication is rejected.

I sure hope the 200 new licenses we purchased are synced with my FTDs...

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cfitzgerald

‎11-30-2020 06:27 AM

You're welcome. When you associate your FTD  devices with your smart account  (or an ASA with a PAK-based AnyConnect 4.x license) AnyConnect licenses they will then accept up to the maximum number of simultaneous sessions supported by the platform. So there's no worry about users being rejected until you reach the platform limit.

Your licensed limit for AnyConnect is a "right to use" license - read that as you are responsible for ensuring compliance and Cisco does not (currently) enforce it at the device level. We sometimes refer to this as the "honor system".

Go to solution
cfitzgerald
Level 1
Level 1
In response to Marvin Rhoads

‎11-30-2020 06:39 AM

Ah thank you. This is good to know.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card