Anyconnect and IPSec on ASA5505

Hello,

ASA 5505 has only 2 SSL VPN peers and 25 VPN peers. When we connect to our company via AnyConnect I can see that these persons use protocol IKEv2 IPsecOverNatT. So it's suggested that they don't use SSL VPN. But when a third person tries to connect via AnyConnect, they receive information about a failed login.

Is it possible to set up AnyConnect or the ASA so that everyone who is defined on the ASA uses only IPsec, not SSL VPN?

I'm using

ASA version: 9.1

ASDM version: 7.1

thanks for your help 

Robert

Rudy Sanjoko

What is the error message when they tried to log in using AnyConnect? If someone is using AnyConnect, it means that they are using SSL VPN. If you don't want to use SSL VPN because of the license issue, then you can also use the VPN client instead of AnyConnect, but you will need to change the VPN configuration on the ASA as well. In short, the VPN client is for IPSec VPN and the AnyConnect client is for SSL VPN.

For AnyConnect you need an additional license if you want to exceed two concurrent users. This is also for IPSec.

You have two choices:

1) Buy the license (L-ASA-AC-E-5505=, it's about $50)

2) Configure IKEv1 and use the traditional IPSec VPN-Client (EOS/EOL is announced for the Cisco client, but there are many other clients available)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

If I understood correctly... it doesn't matter how many VPN licenses I have. If I use AnyConnect I have to take into consideration only SSL VPN peers.

thanks

Robert

I just realized that AnyConnect can also be used for normal IPSec VPN

Hi Rudy,

So why couldn't I use a VPN connection when 2 persons were logged in to my company's ASA?

Everyone uses AnyConnect and everyone received the same information as in the file below.

According to Vishnu, Cisco AnyConnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the AnyConnect client, then it will consume the SSL license and not the IPsec license; however, if you use IPSECv2 for connections like site-to-site VPN, then it will consume the normal IPSec VPN license. https://supportforums.cisco.com/thread/2149289

hth

I don't really understand what you mean, but for remote-access it's quite simple:

- legacy VPN (IKEv1) is free

- modern VPN (SSL and IKEv2) comes with a fee
