cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4929
Views
15
Helpful
13
Replies

Anyconnect 4.0 licensing with ASA-5515-FPWR

Patrick Meyer
Level 1
Level 1

Hi all,

I have some quick question where I can't find a clear answer for:

A customer wants to buy a new ASA for a showroom. He wants to connect 30 VPN phones and 60 VPN users, where only 10 of them are concurrently connected. So we would have two choices by now

- Either go with the Anyconnect 3.5 licensing, having a 50 SSL user premium license and the activation of VPN phones and mobility AC licenses

- Or go with the AC 4.0 licensing, where we would have to license 100 Users with PLUS licenses.

 

My questions are:

- Do I need any other/ More licensing on the ASA (i.e. SSL)

- Where do I install the license

- How is the number of users determined (i.e. AD groups, local accounts)

- Is there a documentation that clearly states the answers

 

Thank you all for your help.

2 Accepted Solutions

Accepted Solutions

If you want the phone itself to be the remote access VPN endpoint then, yes - you need the VPN phone license which in turn requires AnyConnect Premium (for 3.x installations)

AnyConnect Plus (for 4.x) does include "VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms and Cisco Phone VPN" (reference the January 2015 version of the AnyConnect 4.0 Ordering Guide)

View solution in original post

you're absolutely right.

Cisco told me that the license won't be enforced. They say it's a trust license.

We run a VPN service for a university with students coming and leaving. With 3.x we ran the service with a view 100 concurrent licenses. What number do I have to purchase with 4.x? 27.000 students + 4.000 staff?

View solution in original post

13 Replies 13

Collin Clark
VIP Alumni
VIP Alumni

The most cost effective solution would be AC 3.5; Anyconnect Essentials and Mobile.

That's all the licensing you need. Those licenses are for the device, not by user count.

The license is installed on the ASA

Concurrent users connected via VPN

Not that I know of

 

Hope it helps.

Thanks for the reply,

Although I thought for VPN phones I would need the VPN phone license as well.. Which requires Premium SSL license, if I am not mistaken.

Also I checked in CCW and the pricing for the new licenses really is less than the AC3.5 licensing..

 

For a 5515 the Premium-SSL-50 is priced at about 4.000USD

For AC4.0 the 100 User PLUS license (3y term) is priced at 200USD, the perpetual is at 630USD. Do I have a mistake in my assumptions?

Are you talking VoIP Phones or iphone/android phones?

A good place to get info on licensing is the Partner Helpdesk. 

http://www.cisco.com/web/partners/tools/helponline/index.html

I really meant Cisco hardphones. I raised a ticket at the PDI, still no response after about 1 week...

If you want the phone itself to be the remote access VPN endpoint then, yes - you need the VPN phone license which in turn requires AnyConnect Premium (for 3.x installations)

AnyConnect Plus (for 4.x) does include "VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms and Cisco Phone VPN" (reference the January 2015 version of the AnyConnect 4.0 Ordering Guide)

Garry Cross
Level 1
Level 1

I have been looking for information on Anyconnect 4.0 and licensing and found this thread. All of Patricks questions have not been answered. In particular is this point.

How is the number of users determined (i.e. AD groups, local accounts)

I cannot find anywhere how the ASA manages the technical details of "users" and matching them up with licenses. If the user database is not on the ASA, then how can it know the potential user count. What if I have over time connected 50 different users and I used up my licenses, but 25 of those users are no longer in the AD or LDAP or ISE or ACS...

Also what if I have Premium and now I need more, I am stuck with purchasing AC 4.0 because Premium is EOS. I haven't check the price of the migration license yet. Can I run with my Premium user license and add AC 4.0 licenses for my new users. Oh but I can't have AC 4.0 and AC 3.0 on the ASA at the same time. I'm getting a headache due to lack of info and details.

 

 

Garry,

AnyConnect license use is based on concurrent active users. Once a user is no longer connected, he or she no longer consumes a license. That is the same for both AC 3.x and 4.x

With 4.x, a given user connecting via several devices simultaneously (i.e. PC plus mobile device(s) ) only consumes a single license.

If you need to add Apex users after the AC 3.x End of Sales then yes - you need to migrate your existing AC Premium to Apex (via a no-cost migration license good for a 3 year term) and add new Apex term-based licenses as a separate line item.

Hope this helps.

 

Hi Marvin,

I'm not sure that this is true for AC 4.x. According to the ordering guide "The number of Cisco AnyConnect licenses needed is based on all the possible unique users that may use any Cisco AnyConnect service." So number of licenses is the number of users who are able to use the AnyConnect service. With 3.x the number of licenses is the number of simultanious users.

This is what Cisco told me yesterday.

I've gotten conflicting information from Cisco myself on this one. I don't see how "all the possible unique users" could ever be enforced.

Example 1. Say I have an employee that's using AC. The employee leaves the company, is removed from the authentication server, and never uses AC again. By the Cisco licensing logic you cited, they would still need to be licensed.

Example 2. Consider the case where we use a shared admin account for IT staff to log in remotely. Only one username authenticates but perhaps 3-4 users are involved. Do I require 1 or 3-4 licenses?

you're absolutely right.

Cisco told me that the license won't be enforced. They say it's a trust license.

We run a VPN service for a university with students coming and leaving. With 3.x we ran the service with a view 100 concurrent licenses. What number do I have to purchase with 4.x? 27.000 students + 4.000 staff?

I've relayed this message and added my own input to the Cisco product manager during Cisco Live last week.

One thing I did get is that they really mean "total unique users" to mean unique within a given period - 90 days was the rule of thumb. However that's not reflected in any of the ordering guide collateral provided to partners at this time.

We'll see if it results in any change to the scheme.

Marvin,

Did you ever find out how total unique users is enforced?  If I'm authenticating using LDAP does the ASA keep track of what users are using licenses?  Is there any way to manually remove a license from a user?  And what about splitting the licenses between two entry points into a network.  I've got two ASAs at different entry points into the network: do they somehow communicate used licenses or are do they split the licenses half and half?

It's not enforced via any technical means. It's strictly the "honor system" at this point.

AC 4.x activation keys for a single purchase may now be requested and applied to both your ASAs at different entry points. (i.e, The PAK with AC 4.x can be redeemed more than once.)