Purpose: This document is just a repository for the various crypto licensing issues that users may run into.
ASA 5505 and 5510 Security Plus Licenses
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
- Enables additional licensing and features for the smaller ASA models (5505 and 5510). ASA 5505: enables more remote access clients. ASA 5510: enables VPN load balancing.
ASA Anyconnect Licensing
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html
- AnyConnect Premium. 2 licenses are included with every ASA. Additional licenses are needed to go above 2, but purchasing those licenses means you lose the built-in licenses. For example, if you buy a 10-user Premium license, you get a total of 10 Premium users, not 12. This license enables AnyConnect Secure Mobility, Cisco Secure Desktop (Host Scan and Vault), and Cisco AnyConnect Secure Mobility client connectivity; optionally provides full tunneling access to enterprise applications.
- Flex Licensing - enables temporary licenses for business continuity reasons in the event of a failure. Example: 2 sites with 100 premium SSL licenses. In the event of a catastrophic failure when a site will be offline for multiple days, you can get a flex license to install on your other site to handle the additional load from traffic for the other site.
- Shared Licensing. With an ASA as a licensing server, you can purchase licenses to be shared among other ASA 'clients' so that you don't have to buy individual licenses for each ASA.
- AnyConnect Essentials. Enables the AnyConnect client *only*, for up to the VPN peers limit of the ASA. Once this is enabled, all AnyConnect Premium features (CSD, AES, hostscan) are disabled.
- AnyConnect Mobile: Required for mobile phone (cellular phone) support. Only 1 license is needed to enable the feature; this is not a 'per seat' license.
- Advanced Endpoint Assessment: Enables remediation functionality of Cisco Secure Desktop. Requires that an AnyConnect Premium license is present and active on the ASA.
- AnyConnect for Cisco VPN Phone: Allows connections from Cisco IP Phones using SSL. Requires both the Premium and the phone license. SKU: L-ASA-AC-PH-55XX= (AnyConnect VPN Phone License - ASA 55XX), where XX is the last 2 digits of the ASA model number.
IOS SSH and IPSec Licensing prior to 15.x
While a license is not required to enable these features, SSH and IPSec can only be activated when the router is running a cryptographic IOS image. This is typically denoted by a 'k9' in the image name.
IOS ISR G2 Licensing
http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html
- The above document explains ISR Generation 2 licensing. Please see it to understand the licensing differences between IOS 12.4 and IOS 15 code.
- IPSec features (DMVPN, GETVPN, VTI, IPSec, etc) require the activation of the SECK9 feature set.
- Note: Some features are now "RightToUse" features. If you see this value, or "EvalRightToUse", you do not need to install a license to use these features. As per the EULA, you still must purchase the license after the 60 day evaluation; however, installation is unnecessary, as after the Eval period the license becomes permanently active.
IOS HSEC Licensing
http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html#wp9001375
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SECK9 feature-set pre-installed.
IOS SSLVPN Licensing
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ssl_vpn.html#wp1473502
- In order to enable SSLVPN (clientless and AnyConnect client access) a license is needed. Please note: not all AnyConnect features will work in IOS. Please see the release notes for the version of AnyConnect that you are running.
- Note: If 'show license' shows the SSLVPN licenses as "Active/Not In Use", you must then apply a webvpn configuration for these licenses to become "In Use". After you configure your webvpn gateway, the license will show as "In Use" and the available count can be viewed with "show webvpn license".
Cisco Wireless Security Gateway Licensing
http://www.cisco.com/en/US/prod/collateral/wireless/wirelssw/ps10346/data_sheet_c78-532047.pdf
- The software license provides for unlimited use of features in the release with a defined number of connected subscribers, which may be limited by hardware resource capacity and traffic mix. The Cisco WSG subscriber license allows for increasing the number of connected subscribers in increments of 10,000 connected subscribers.
ASR Licensing
http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c25-448292.html
- Cisco IOS XE Software is available in six consolidated package options: IP Base (without cryptography), IP Base, Advanced IP Services, Advanced Enterprise Services (without cryptography), and Advanced Enterprise Services. At first customer shipment (FCS), software activation is supported on the ASR 1001 for some licenses. These licenses enforce consolidated packages such as the software feature sets for K9 and non-K9 IP Base, Advanced IP Services, and Advanced Enterprise Services, as well as the performance upgrade from 2.5 Gbps (default) to 5 Gbps.
- Cisco IOS XE Software also offers you a granular licensing schema. You can select individual feature licenses based on your specific feature support requirements. Specific feature licenses are provided in right-to-use (RTU), number-of-sessions (NOS), or both formats, depending on the type of feature being licensed. An NOS license is for the maximum number of simultaneous sessions that are allowed on the Cisco ASR 1000 Series platform. At FCS the following features are licensed separately: IP Security (IPsec) encryption, Firewall, Flexible Packet Inspection (including Network-Based Application Recognition [NBAR] and Flexible Packet Matching), Broadband Aggregation, and Cisco Unified Border Element (SP Edition) (also known as Session Border Controller [SBC]).