
ikev2 VPN without using a SSL license? (ASA-5512)

Hi All,

I've enabled Cisco "AnyConnect Premium Peers" for clientless SSL VPN connections. The obvious catch is that for IKEv2 AnyConnect sessions it wants to use up the SSL license pool instead of the IPsec pool (which I have lots of connection licenses for: "Total VPN Peers : 250").

* Is there any way to configure AnyConnect to connect via IPsec and use an IPsec license (while keeping the AnyConnect Premium Peers enabled)?

* Do I have to consider 3rd-party VPN clients, outside AnyConnect?

cya


Craig

Accepted Solutions
VIP Mentor

Re: ikev2 VPN without using a SSL license? (ASA-5512)

Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.

If you enable AnyConnect Essentials, you can use AnyConnect with IPsec up to the platform limit, but you can't use the premium features (like clientless) anymore at the same time.

In a situation like that, where lots of AnyConnect sessions were needed and only a couple of clientless sessions, I installed AnyConnect Essentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN premium licenses, it was much cheaper than buying Premium licenses for all VPN users.



Beginner

ikev2 VPN without using a SSL license? (ASA-5512)

One last question (I know it sounds crazy), but is creating 20+ site-to-site VPN connections even a technical option? I only say this because the Cisco license states site-to-site would be under the 250 license rule.

VIP Mentor

Re: ikev2 VPN without using a SSL license? (ASA-5512)

Technically, you can build many more than 20 site-to-site VPNs. Personally I prefer using an IOS router for S2S because of the better flexibility in regard to VPN technology, access control in the tunnel and the routing through the VPNs. But for "normal" site-to-site needs your ASA will be perfectly fine.
