12-30-2012 06:20 AM - edited 02-21-2020 06:35 PM
Hi,
I have a question about the AnyConnect Premium license.
Yesterday I tested different AnyConnect profiles on an ASA5505 (9.0.1); everything worked perfectly.
On the same ASA I have an IKEv2 site-to-site VPN. When I add DH-group 14 and 19 to the IKEv2 policy and restart the site-to-site tunnel, the tunnel runs perfectly (with DH-group 19). So far so good. I didn't remove DH-group 5 from the IKEv2 policy, I just added DH-group 14 and 19.
After this change, AnyConnect won't connect. I get this log message when I try to connect with AnyConnect (IKEv2):
“Make sure that either an Anyconnect Premium license is installed on the ASA or that no NSA Suite B crypto algorithms are configured in the remote access IKEv2 policies or IPsec proposals.”
When I restore the IKEv2 policy to (only) DH-group 5, the problem is gone and AnyConnect can connect properly.
I found this information (Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1).
• NGE requires an AnyConnect premium license for IKEv2 remote access connections using NSA Suite B algorithms. Suite B algorithm usage for other connections or purposes (such as PKI) has no limitations. License checks are performed for remote access connections. If you receive a message that you are attempting to use an NSA Suite B crypto algorithm without an AnyConnect premium license, you have the option to either install the premium license or reconfigure the crypto settings to an appropriate level.
What is going on?? As far as I know the ASA5505 has 2 Premium licenses by default…
Here’s the license info.
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
12-30-2012 12:39 PM
Hi,
After more research I found this document on the Cisco website.
Q. Is Next-Generation Encryption available on all platforms?
A. Next-Generation Encryption is fully supported on the following Cisco Adaptive Security Appliance Series: ASA 5500-X (5515, 5525, 5545, and 5555), ASA 5580, ASA 5585, and ASA-SM. Next-Generation Encryption is only partially supported on the Cisco ASA 5505, 5510, 5520, 5540, and 5550 Series Adaptive Security Appliances due to hardware limitations. Cisco AnyConnect Secure Mobility Client 3.1 or later and an AnyConnect™ Premium license are also required to use Next-Generation Encryption for remote access connections.
I think the problem would be the hardware: the ASA5505 does not support DH-group 14, 19 etc. for AnyConnect 3.x. But IKEv2 site-to-site seems to support DH-group 14, 19 etc.
Please correct me if I’m wrong.
Thanks
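To make the check behind this thread repeatable before restarting any tunnels, here is an added example (my own, not from the thread, from Cisco, or from the ASA itself) that parses the `crypto ikev2 policy` blocks of an ASA running config and reports every policy entry that contains an NSA Suite B algorithm, i.e. the entries that would be subject to the AnyConnect Premium license check for remote-access IKEv2. The config text is constructed to mirror the poster's description (groups 19 and 14 added to a policy that already had group 5, then the policy restored to group 5 only). The Suite B classification used here (ECDH groups 19/20/21, AES-GCM, SHA-2 integrity/PRF) follows the general NSA Suite B definition and is my assumption about what the ASA counts; the thread only shows that the message appeared after groups 14 and 19 were added together, not which of them triggered it.

```python
"""Lint Cisco ASA IKEv2 policy text for NSA Suite B algorithms.

Added example, not code from the thread or from Cisco.  Assumptions:
  * The Suite B sets below follow the general NSA Suite B definition
    (ECDH groups 19/20/21, AES-GCM, SHA-256/384/512); the thread does not
    say exactly which algorithms the ASA license check counts.
  * The config samples are constructed to mirror the poster's description.
"""
import re

SUITE_B_DH_GROUPS = {"19", "20", "21"}                 # ECDH P-256 / P-384 / P-521
SUITE_B_ENCRYPTION = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}
SUITE_B_HASHES = {"sha256", "sha384", "sha512"}        # SHA-2 integrity / PRF

# Constructed: the state the poster described (14 and 19 added, 5 kept).
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 19 14 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# Constructed: the poster's workaround, policy restored to DH group 5 only.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" group 19 14 5", " group 5")


def parse_ikev2_policies(config):
    """Return {priority: {keyword: [values]}} for each `crypto ikev2 policy` block.

    ASA sub-commands are indented by one space; any non-indented line ends
    the current block.  Comment lines starting with '!' are skipped.
    """
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^crypto ikev2 policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            policies[current].setdefault(parts[0], []).extend(parts[1:])
        else:
            current = None  # some other top-level command: block is over
    return policies


def suite_b_findings(policies):
    """List (priority, reason) for every policy attribute in the Suite B sets."""
    findings = []
    for prio, attrs in sorted(policies.items()):
        for g in attrs.get("group", []):
            if g in SUITE_B_DH_GROUPS:
                findings.append((prio, "DH group %s (ECDH)" % g))
        for e in attrs.get("encryption", []):
            if e in SUITE_B_ENCRYPTION:
                findings.append((prio, "encryption %s" % e))
        for kw in ("integrity", "prf"):
            for h in attrs.get(kw, []):
                if h in SUITE_B_HASHES:
                    findings.append((prio, "%s %s" % (kw, h)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as described", SAMPLE_CONFIG), ("after workaround", FIXED_CONFIG)):
        found = suite_b_findings(parse_ikev2_policies(cfg))
        print("%s: %s" % (label, found or "no Suite B algorithms in IKEv2 policies"))
```

Because IKEv2 policies on the ASA are not tied to one tunnel type, a policy entry flagged here is visible to both the site-to-site peer and AnyConnect; the report only tells you which entries carry Suite B algorithms, not whether the platform or license will accept them, which is exactly the question the thread leaves open. Feed it the output of `show running-config crypto ikev2` to lint a real box; group 14 is deliberately not flagged because it is a 2048-bit MODP group rather than an ECDH (Suite B) group.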