
Crypto Licensing information


Purpose:  This document is just a repository for the various crypto licensing issues that users may run into.

ASA 5505 and 5510 Security Plus Licenses

  • Enables additional licensing and features for the smaller ASA models (5505 and 5510).  ASA 5505: enables more remote access clients.  ASA 5510: enables VPN load balancing.

ASA Anyconnect Licensing

  • AnyConnect Premium.  2 licenses are included with every ASA.  Additional licenses are needed to go above 2, but purchasing those licenses means you lose the built-in licensing - example:  you buy a 10 user premium license, you get a total of 10 premium users, not 12.  This license enables AnyConnect Secure Mobility, Cisco Secure Desktop (Host Scan and Vault), and Cisco AnyConnect Secure Mobility client connectivity; optionally provides full tunneling access to enterprise applications.
  • Flex Licensing - enables temporary licenses for business continuity reasons in the event of a failure.  Example:  2 sites with 100 premium SSL licenses.  In the event of a catastrophic failure when a site will be offline for multiple days, you can get a flex license to install on your other site to handle the additional load from traffic for the other site.
  • Shared Licensing.   With an ASA as a licensing server, you can purchase licenses to be shared among other ASA 'clients' so that you don't have to buy individual licenses for each ASA.
  • AnyConnect Essentials.  Enables the AnyConnect client *only* for up to the VPN peers limit of the ASA.  Once this is enabled, all AnyConnect Premium features (CSD, AES, Host Scan) are disabled.
  • AnyConnect Mobile:  Required for mobile phone (cellular phone) support.  Only 1 license is needed to enable the feature - this is not a 'per seat' license.
  • Advanced Endpoint Assessment:  Enables remediation functionality of Cisco Secure Desktop.  Requires that an AnyConnect Premium license is present and active on the ASA.
  • AnyConnect for Cisco VPN Phone:  Allows connections from Cisco IP Phones using SSL.  Requires both the premium and the phone license.  SKU L-ASA-AC-PH-55XX= AnyConnect VPN Phone License - ASA 55XX - where XX is the last 2 digits of the ASA model number

IOS SSH and IPSec Licensing prior to 15.x

While a license is not required to enable these features, SSH and IPSec can only be activated by running a cryptographic IOS image.  This is typically denoted by a 'k9' in the image name.

IOS ISR G2 Licensing

  • The above document explains ISR Generation 2 licensing.  Please see it to understand the licensing differences between IOS 12.4 and IOS 15 code.
  • IPSec features (DMVPN, GETVPN, VTI, IPSec, etc) require the activation of the SECK9 feature set.
  • Note: Some features are now "RightToUse" features.  If you see this value, or "EvalRightToUse", you do not need to install a license to use these features.  As per the EULA, you must still purchase the license after the 60 day evaluation; however, installation is unnecessary, as the license becomes permanently active after the Eval period.

IOS HSEC Licensing

  • The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
  • The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SECK9 feature-set pre-installed.

IOS SSLVPN Licensing

  • In order to enable SSLVPN (clientless and AnyConnect client access) a license is needed.  Please note:  not all AnyConnect features will work in IOS.  Please see the release notes for the version of AnyConnect that you are running.
  • Note: If 'show license' shows the SSLVPN licenses as "Active/Not In Use", you must then apply a webvpn configuration for these licenses to become "In Use".  After you configure your webvpn gateway, the license becomes "In Use" and the available count can be viewed with "show webvpn license".

Cisco Wireless Security Gateway Licensing:

  • The software license provides for unlimited use of features in the release with a defined number of connected subscribers, which may be limited by hardware resource capacity and traffic mix. The Cisco WSG subscriber license allows for increasing the number of connected subscribers in increments of 10,000 connected subscribers.

ASR Licensing

  • Cisco IOS XE Software is available in six consolidated package options: IP Base (without cryptography), IP Base, Advanced IP Services, Advanced Enterprise Services (without cryptography), and Advanced Enterprise Services.  At first customer shipment (FCS), software activation is supported on the ASR 1001 for some licenses. These licenses enforce consolidated packages such as the software feature sets for K9 and non-K9 IP Base, Advanced IP Services, and Advanced Enterprise Services, as well as the performance upgrade from 2.5 Gbps (default) to 5 Gbps.
  • Cisco IOS XE Software also offers you a granular licensing schema. You can select individual feature licenses based on your specific feature support requirements. Specific feature licenses are provided in right-to-use (RTU), number-of-sessions (NOS), or both formats, depending on the type of feature being licensed. An NOS license is for the maximum number of simultaneous sessions that are allowed on the Cisco ASR 1000 Series platform. At FCS the following features are licensed separately: IP Security (IPsec) encryption, Firewall, Flexible Packet Inspection (including Network-Based Application Recognition [NBAR] and Flexible Packet Matching), Broadband Aggregation, and Cisco Unified Border Element (SP Edition) (also known as Session Border Controller [SBC]).