Beginner

Anyconnect 4.0 licensing with ASA-5515-FPWR

Hi all,

I have a quick question that I can't find a clear answer for:

A customer wants to buy a new ASA for a showroom. He wants to connect 30 VPN phones and 60 VPN users, where only 10 of them are concurrently connected. So we would have two choices by now

- Either go with the Anyconnect 3.5 licensing, having a 50 SSL user premium license and the activation of VPN phones and mobility AC licenses

- Or go with the AC 4.0 licensing, where we would have to license 100 Users with PLUS licenses.

 

My questions are:

- Do I need any other/more licensing on the ASA (i.e. SSL)?

- Where do I install the license?

- How is the number of users determined (i.e. AD groups, local accounts)?

- Is there documentation that clearly states the answers?

 

Thank you all for your help.

Advisor

The most cost effective solution would be AC 3.5; Anyconnect Essentials and Mobile.

That's all the licensing you need. Those licenses are for the device, not by user count.

The license is installed on the ASA

Concurrent users connected via VPN

Not that I know of

 

Hope it helps.

Beginner

Thanks for the reply,

Although I thought for VPN phones I would need the VPN phone license as well, which requires a Premium SSL license, if I am not mistaken.

Also I checked in CCW and the pricing for the new licenses really is less than the AC3.5 licensing.

 

For a 5515 the Premium-SSL-50 is priced at about 4.000USD

For AC4.0 the 100 User PLUS license (3y term) is priced at 200USD, the perpetual is at 630USD. Do I have a mistake in my assumptions?

Advisor

Are you talking VoIP Phones or iphone/android phones?

A good place to get info on licensing is the Partner Helpdesk. 

http://www.cisco.com/web/partners/tools/helponline/index.html

Beginner

I really meant Cisco hardphones. I raised a ticket at the PDI, still no response after about 1 week...

Hall of Fame Guru

If you want the phone itself to be the remote access VPN endpoint then, yes - you need the VPN phone license which in turn requires AnyConnect Premium (for 3.x installations)

AnyConnect Plus (for 4.x) does include "VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms and Cisco Phone VPN" (reference the January 2015 version of the AnyConnect 4.0 Ordering Guide)

Beginner

I have been looking for information on Anyconnect 4.0 and licensing and found this thread. Not all of Patrick's questions have been answered. In particular, this point:

How is the number of users determined (i.e. AD groups, local accounts)

I cannot find anywhere how the ASA manages the technical details of "users" and matching them up with licenses. If the user database is not on the ASA, then how can it know the potential user count? What if I have over time connected 50 different users and I used up my licenses, but 25 of those users are no longer in the AD or LDAP or ISE or ACS...

Also what if I have Premium and now I need more? I am stuck with purchasing AC 4.0 because Premium is EOS. I haven't checked the price of the migration license yet. Can I run with my Premium user license and add AC 4.0 licenses for my new users? Oh, but I can't have AC 4.0 and AC 3.0 on the ASA at the same time. I'm getting a headache due to lack of info and details.

 

 

Hall of Fame Guru

Garry,

AnyConnect license use is based on concurrent active users. Once a user is no longer connected, he or she no longer consumes a license. That is the same for both AC 3.x and 4.x.

With 4.x, a given user connecting via several devices simultaneously (i.e. PC plus mobile device(s)) only consumes a single license.

If you need to add Apex users after the AC 3.x End of Sales then yes - you need to migrate your existing AC Premium to Apex (via a no-cost migration license good for a 3 year term) and add new Apex term-based licenses as a separate line item.

Hope this helps.

 

Beginner

Hi Marvin,

I'm not sure that this is true for AC 4.x. According to the ordering guide, "The number of Cisco AnyConnect licenses needed is based on all the possible unique users that may use any Cisco AnyConnect service." So the number of licenses is the number of users who are able to use the AnyConnect service. With 3.x the number of licenses is the number of simultaneous users.

This is what Cisco told me yesterday.

Hall of Fame Guru

I've gotten conflicting information from Cisco myself on this one. I don't see how "all the possible unique users" could ever be enforced.

Example 1. Say I have an employee that's using AC. The employee leaves the company, is removed from the authentication server, and never uses AC again. By the Cisco licensing logic you cited, they would still need to be licensed.

Example 2. Consider the case where we use a shared admin account for IT staff to log in remotely. Only one username authenticates but perhaps 3-4 users are involved. Do I require 1 or 3-4 licenses?

Beginner

You're absolutely right.

Cisco told me that the license won't be enforced. They say it's a trust license.

We run a VPN service for a university with students coming and leaving. With 3.x we ran the service with a few 100 concurrent licenses. What number do I have to purchase with 4.x? 27.000 students + 4.000 staff?

Hall of Fame Guru

I've relayed this message and added my own input to the Cisco product manager during Cisco Live last week.

One thing I did get is that they really mean "total unique users" to mean unique within a given period - 90 days was the rule of thumb. However that's not reflected in any of the ordering guide collateral provided to partners at this time.

We'll see if it results in any change to the scheme.

Beginner

Marvin,

Did you ever find out how total unique users is enforced? If I'm authenticating using LDAP, does the ASA keep track of what users are using licenses? Is there any way to manually remove a license from a user? And what about splitting the licenses between two entry points into a network? I've got two ASAs at different entry points into the network: do they somehow communicate used licenses or do they split the licenses half and half?

Hall of Fame Guru

It's not enforced via any technical means. It's strictly the "honor system" at this point.

AC 4.x activation keys for a single purchase may now be requested and applied to both your ASAs at different entry points (i.e., the PAK with AC 4.x can be redeemed more than once).
