01-23-2014 05:29 AM - edited 02-21-2020 07:27 PM
Hi,
We've had contradicting advice on AnyConnect licensing. We currently have two 5520 appliances in active/standby, each ASA had an AnyConnect Premium (50 peers) license installed, but following the (very sensible) change in 8.3 (I think), the total available premium peers is now 100, since we can now use both 50 packs across an active/standby cluster. We purchased these licenses specifically for using SSL WebVPN.
However, we also have the AnyConnect Essentials license installed, enabling us to use basic AnyConnect VPN functionality for the maximum 750 peers that 5520's support.
So, our licensing on the ASA looks like this...
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 100 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
We're now looking to replace the two 5520s with 5525s... and are preparing the costs for the new units, including licensing and SmartNet contracts. The conflicting advice is that we can't install both AnyConnect premium and essentials on the same failover pair (contrary to our current setup)...
Table 10
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html
(The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license.)
Two questions...
1) Is this correct?
2) If we purchased 100 AnyConnect premium licenses, but did not purchase an Essentials license... would the premium license still allow us to use AnyConnect basic VPN functionality for the maximum supported number of VPN peers for the 5525?
Thanks in advance
Tony
01-23-2014 11:29 AM
I have not seen an ASA licensed with both Essentials and Premium at the same time. From everything I have heard, it's one or the other. I do know that if you get 100 licenses for premium, you will only have 100 Anyconnect connections to your ASA. Essentials will not be enabled.
Most of the clients we install ASA's for only get the Essentials license since either they have no reason for publishing apps (like you can do w/ Premium) or use another way to publish apps (like Citrix).
HTH,
Dan
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide