
ikev2 VPN without using a SSL license? (ASA-5512)

craig.cisco
Level 1

Hi All,

I've enabled Cisco "Anyconnect Premium Peers" for clientless SSL VPN connections; the obvious catch is that for IKEv2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for: "Total VPN Peers : 250").

* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?

* Do I have to consider 3rd party vpn clients, outside Anyconnect?

cya


Craig

1 Accepted Solution

Accepted Solutions

Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.

If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.

In a situation like that, where lots of AnyConnect sessions were needed and only a couple of clientless sessions, I installed AnyConnect Essentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN premium licenses, it was much cheaper than buying Premium licenses for all VPN users.


Sent from Cisco Technical Support iPad App


One last question (I know it sounds crazy): is creating 20+ site-to-site VPN connections even a technical option? I only say this because the Cisco license states site-to-site would be under the 250 license rule.

Technically, you can build many more than 20 site-to-site VPNs. Personally I prefer using an IOS router for S2S because of the better flexibility in regard to VPN technology, access control in the tunnel and the routing through the VPNs. But for "normal" site-to-site needs your ASA will be perfectly fine.


Sent from Cisco Technical Support iPad App
