
ASA & AnyConnect Licensing.


Every Cisco ASA comes with a certain number of implicitly activated features and capacities as part of a Base License.


Base License: This license has capabilities that are fixed to the model/platform and cannot be selectively disabled. For example, on the ASA 5585-X, Active/Active Failover is always available. Some other platforms offer the optional Security Plus License, which unlocks additional features and capacities on top of the Base License.


Basic Platform Capabilities: These are the elementary characteristics of how an ASA device connects to the network. They determine the number and speed of physical and logical interfaces, and also limit the number of protected connections and inside hosts.


Cisco ASA 5500 Series Business Edition Solution Overview

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/prod_brochure0900aecd80402e36.html


AnyConnect Licensing

The previous AnyConnect licensing model included AnyConnect Essentials and AnyConnect Premium; as of AnyConnect 4 the licensing model migrated from AnyConnect Essentials to AnyConnect Plus and from AnyConnect Premium to AnyConnect APEX.

The following show version output was taken from an ASA 5515 (Demo License). To recognize whether an ASA has an AnyConnect 4 license, check the following.

  1. AnyConnect for Mobile is enabled.
  2. AnyConnect for Cisco VPN Phone is enabled.
  3. AnyConnect 4 licenses are displayed as AnyConnect Premium licenses in the output of the show version command, and the count shown is the maximum AnyConnect Premium license count for the ASA hardware platform, regardless of the number of users the customer acquired. In this example the ASA 5512-X supports up to 250 VPN Premium Peers.

The following chart will serve as a guide to recognize the Maximum Premium Peers per platform.
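The three checks above can be automated against captured show version output when auditing a fleet of ASAs. The following is an added example, not code from the original post; the sample output is constructed to mirror the ASA 9.x "Licensed features" layout, and the platform table contains only the ASA 5512-X figure (250) stated above, so other platforms must be filled in from Cisco's chart.

```python
import re
# Constructed sample of an ASA 'show version' excerpt, modelled on the ASA 9.x
# output format; it is not the screenshot from the original post.
SAMPLE_SHOW_VERSION = """\
Hardware:   ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)

Licensed features for this platform:
Failover                          : Active/Active  perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual

This platform has an ASA 5512 Security Plus license.
"""
# Maximum AnyConnect Premium peers per platform. Only the ASA 5512-X figure (250)
# is stated in the post; fill in other platforms from Cisco's chart.
PLATFORM_MAX_PREMIUM_PEERS = {"ASA5512": 250}
HARDWARE_LINE = re.compile(r"^Hardware:\s*(?P<model>[^,\s]+)")
FEATURE_LINE = re.compile(r"^(?P<feature>[A-Za-z0-9/ -]+?)\s*:\s*(?P<value>\S+)")

def parse_show_version(text: str) -> tuple:
    """Return (hardware model, {licensed feature: value}) from show version text."""
    model, features, in_block = None, {}, False
    for line in text.splitlines():
        hw = HARDWARE_LINE.match(line)
        if hw:
            model = hw.group("model")
        elif line.startswith("Licensed features for this platform"):
            in_block = True        # feature lines follow until the next blank line
        elif in_block and not line.strip():
            in_block = False
        elif in_block and (m := FEATURE_LINE.match(line)):
            features[m.group("feature").strip()] = m.group("value")
    return model, features

def anyconnect4_check(model: str, features: dict) -> list:
    """Apply the post's three checks; an empty list means every indicator matches."""
    problems = []
    for feat in ("AnyConnect for Mobile", "AnyConnect for Cisco VPN Phone"):
        if features.get(feat) != "Enabled":
            problems.append(f"{feat} is {features.get(feat, 'missing')}, expected Enabled")
    peers = features.get("AnyConnect Premium Peers", "0")
    expected = PLATFORM_MAX_PREMIUM_PEERS.get(model)
    if expected is None:
        problems.append(f"no platform maximum known for {model}")
    elif not peers.isdigit() or int(peers) != expected:
        problems.append(f"Premium peers {peers} != platform maximum {expected}")
    return problems
```

A non-empty result means the unit does not show the AnyConnect 4 pattern described above and its licensing should be reviewed by hand.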

Why are AnyConnect for VPN Phone and AnyConnect for Mobile enabled?

From the reference document http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/feature/guide/anyconnect40features.html you will see that AnyConnect Plus supports PC and Mobile platforms. This explains why AnyConnect for Mobile is enabled.

From the reference document http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf, which is the Cisco AnyConnect Ordering Guide, you will find that AnyConnect for Cisco VPN Phone is available. This explains why it appears as enabled in the show version output.

FAQs

1. Why would you look to upgrade from SVC 3.X to SVC 4.X?

a. Basically, you will look for an AnyConnect upgrade because AnyConnect 3.X has been announced as end of life; application software support will not be available for the stated software versions beyond March 31, 2018. Reference link: http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/eos-eol-notice-c51-734084.html

b. You would like to upgrade to AnyConnect 4.X in order to use TLS 1.2 and pass PCI compliance, as TLS 1.0 is considered insecure by many PCI compliance assessors.

2. Which platforms support next-generation encryption (TLS 1.2)?

a. All Next Generation Firewalls (5500-X Series, as of ASA Release 9.3.2).


3. What is required to download the 4.X client?

a. An AnyConnect 4 PAK registered on a CCO ID Account.


4. Would a user be able to connect using a client version 4.X to an ASA with SVC Premium/Essentials installed?

a. Yes, but the connection will use the TLS 1.0 protocol regardless of the version the ASA is running. This type of connection was permitted in order to allow mobile devices with the latest SVC client (4.X) to connect even when the customer hasn't been able to install the APEX/Plus license.

Comments
Beginner

"The following show version was taken from an ASA 5515 (Demo License). In order to recognize if an ASA has an AnyConnect 4 license you have to make sure of the following.

 

  1. AnyConnect for Mobile is enabled.
  2. AnyConnect for Cisco VPN Phone is enabled
  3. AnyConnect 4 Licenses will display as AnyConnect Premium licenses when you issue the show version command (This regardless of the quantity of users the customer acquired) as the maximum AnyConnect Premium License count for the ASA hardware platform."

 

Since the 'sh ver' command does not display the type of AnyConnect 4.x license installed, how do I know if the license installed is APEX or PLUS on an ASA? Is it correct to say that, along with the three points mentioned in the above post, if 'Advanced Endpoint Assessment' is enabled it is APEX and if it is disabled it is PLUS?

Beginner

How do we figure out if VPNO is in use or Apex/Plus?