11-27-2020 12:22 PM
We just purchased an additional 200 AnyConnect Plus licenses to go with the previous 25 we had before. I went into our Smart Account and converted the PAK to a SmartLicense, and then refreshed the Smart License in the FMC. However, I just can't figure out where to see that we now have 225 licenses available now in the FMC. Is there anywhere to confirm I've added everything correctly? Admin guide is not helping...thanks.
11-27-2020 12:26 PM
I found this previous Community response: https://community.cisco.com/t5/vpn/show-anyconnect-vpn-smart-licenses-usage/m-p/4051126/highlight/true#M270876
Looks like FTD and FMC simply cannot show this data.
11-27-2020 12:30 PM
Hi @cfitzgerald
Not from the FMC itself, but on the FTD CLI does the command "show vpn-sessiondb" or "show vpn-sessiondb license-summary" provide the information you require?
HTH
11-30-2020 05:57 AM
"show vpn-sessiondb license-summary" is not a valid command on my FTD. show vpnsessiondb does not show how many AnyConnect licenses are available.
11-28-2020 03:36 AM - edited 11-28-2020 03:43 AM
It's still not available as of FTD (or FMC) 6.7:
    > show vpn-sessiondb summary
    ---------------------------------------------------------------------------
    VPN Session Summary
    ---------------------------------------------------------------------------
                                   Active : Cumulative : Peak Concur : Inactive
                                 ----------------------------------------------
    AnyConnect Client            :      0 :          5 :           1 :        0
      SSL/TLS/DTLS               :      0 :          5 :           1 :        0
    ---------------------------------------------------------------------------
    Total Active and Inactive    :      0             Total Cumulative :      5
    Device Total VPN Capacity    :    250
    Device Load                  :     0%
    ---------------------------------------------------------------------------
    >
Even though the Smart portal shows you the purchased number of licenses, it gives you a misleading count as it registers the number of devices that have registered licenses to the portal - not the number of licenses in use.
For instance, in this example we are looking at a customer with an HA pair of Firepower 2140 appliances running FTD 6.7. They have on average 100-150 users connected but the portal will only ever show "2" in used because that's the number of appliances. It will never show the number of users vs. what's in use. That's a limitation of the software at this time.
11-30-2020 06:00 AM
Thanks for your help. So there is probably no way to know whether you are approaching your AnyConnect limit other than manually watching the vpnsessiondb count, or possibly catching a syslog message when a user authentication is rejected.
I sure hope the 200 new licenses we purchased are synced with my FTDs...
11-30-2020 06:27 AM
You're welcome. When you associate your FTD devices with your smart account (or an ASA with a PAK-based AnyConnect 4.x license) AnyConnect licenses, they will then accept up to the maximum number of simultaneous sessions supported by the platform. So there's no worry about users being rejected until you reach the platform limit.
Your licensed limit for AnyConnect is a "right to use" license - read that as you are responsible for ensuring compliance and Cisco does not (currently) enforce it at the device level. We sometimes refer to this as the "honor system".
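Since the device does not enforce the licensed count, compliance has to be checked from the session counters. The following is an added example, not part of the thread and not Cisco code: it parses `show vpn-sessiondb summary` output in the layout quoted above and compares it with the purchased count. The 225 figure is the original poster's; the sample values, function names and the 90% warning threshold are assumptions.

```python
import re

# Constructed sample in the layout quoted in the thread (values invented).
SAMPLE = """\
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :    210 :       4120 :         231 :        0
  SSL/TLS/DTLS               :    210 :       4120 :         231 :        0
---------------------------------------------------------------------------
Total Active and Inactive    :    210             Total Cumulative :   4120
Device Total VPN Capacity    :    250
Device Load                  :    84%
---------------------------------------------------------------------------
"""

ROW = re.compile(
    r"^\s*AnyConnect Client\s*:\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*$",
    re.M)
CAPACITY = re.compile(r"^\s*Device Total VPN Capacity\s*:\s*(\d+)", re.M)

def parse_summary(text):
    """Extract the AnyConnect counters and the platform capacity."""
    row = ROW.search(text)
    # Assumption: a missing AnyConnect row is treated as zero sessions.
    vals = [int(v) for v in row.groups()] if row else [0, 0, 0, 0]
    cap = CAPACITY.search(text)
    stats = dict(zip(("active", "cumulative", "peak", "inactive"), vals))
    stats["capacity"] = int(cap.group(1)) if cap else None
    return stats

def check_compliance(text, licensed, warn_ratio=0.9):
    """Return (stats, findings) for a purchased right-to-use count."""
    s = parse_summary(text)
    findings = []
    if s["peak"] > licensed:            # already exceeded at some point
        findings.append("peak_over_license")
    if s["active"] > licensed:          # exceeded right now
        findings.append("active_over_license")
    elif s["active"] >= warn_ratio * licensed:
        findings.append("active_near_license")
    if s["capacity"] is not None and licensed > s["capacity"]:
        # The platform limit, not the license, is what the device enforces.
        findings.append("license_exceeds_platform_capacity")
    return s, findings

if __name__ == "__main__":
    print(check_compliance(SAMPLE, licensed=225))
```

On an HA pair, run it against the output of the active unit and alert on any non-empty findings list.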
11-30-2020 06:39 AM
Ah thank you. This is good to know.