cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
61038
Views
74
Helpful
25
Replies

Anyconnect Premium License

joe.ho
Level 1
Level 1
1 Accepted Solution

Accepted Solutions

Correct - you would need L-ASA-SSL-250.

Buying that will get you an activation code which, when installed on your appliance, will change

     AnyConnect Premium Peers          : 2      perpetual

To "250" (as opposed to the default 2).

Please rate helpful posts.

View solution in original post

25 Replies 25

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA-VPNS-500= and ASA-VPNP-5510= products are for a setup where you have a cluster of ASAs serving remote access browser-based (clientless) SSL VPN clients. The first item sets up your server to be able to had out licenses for 500 remote access users. The second item allows an ASA 5510 to participate in the cluster.

For more traditional remote access VPN clients (client-based SSL or IPSec VPN) you need AnyConnect (Essentials or Premium). The Premium version adds the ability to use Cisco Secure Desktop features.

Part numbers for those are:

AnyConnect Essentials:

L-ASA-AC-E-55XX= (5510 in your case)

AnyConnect Premium:

L-ASA-SSL-10, L-ASA-SSL-25, L-ASA-SSL-50, L-ASA-SSL-100, L-ASA-SSL-250, L-ASA-SSL-500, L-ASA-SSL-700, L-ASA-SSL-1000, L-ASA-SSL-2500, L-ASA-SSL-5000, or L-ASA-SSL-10K

Upgrade Part Numbers: L-ASA-SSL-10-25, L-ASA-SSL-25-50, L-ASA-SSL-50-100, L-ASA-SSL-100-250, L-ASA-SSL-100-500, L-ASA-SSL-100-750, L-ASA-SSL-100-1K, L-ASA-SSL-250-500, L-ASA-SSL-500-750, L-ASA-SSL-500-5K, L-ASA-SSL-750-1K, L-ASA-SSL-1K-2500, L-ASA-SSL-2500-5K, L-ASA-SSL-5K-10K

If you want to do Advanced Endpoint Assessment, that is an additional license - L-ASA-ADV-END-SEC - which has AnyConnect Premium as a prerequisite.

Thanks for the information. I just want to double confirm. I don't want to order the wrong license. The name are too close to get confuse.

I want to get name straight because I need to get a quote for clientless and client SSL VPN.

I only have a single ASA 5510. If I want the clientless and client SSL VPN should I be listing these

AnyConnect Premium (client SSL VPN) L-ASA-SSL-250

Browser-based clientless SSL VPN     ASA-VPNS-500=

Is that all I need to get the clientless and client SSL VPN going? No additional license on top of that? Is 500 clientless SSL VPN is the minimum? Nothing less than that?

AnyConnect client-based SSL VPN requires only L-ASA-AC-E-5510= for a single 5510.

Clientless (browser-based) SSL VPN requires one of the AnyConnect Premium licenses whose part numbers I listed above. They are available as the names suggest in increments of 10, 25, 50, 100 etc.

The ASA 5510 allows a maximum of 250 Anyconnect Premium clients so the 500+ licensing levels are not applicable for you.

The ASA-VPNS-500= part number is only for when you are setting up a cluster of ASAs to share licenses across multiple appliances. Typically you would only do that with larger installations thus the starting number of 500 in that scenario.

NOTE: AnyConnect Essentials and AnyConnect Premium licenses can NOT be run simultaneously on the same appliance. Once you go the Premium route you are tied to the Premium per-user licensing and the per-appliance model of Essentials is no longer an option.

I understand now. I only need L-ASA-SSL-100-250 and that will give me client and clientless SSL VPN capabilites.

Not to confuse people. I put the upgrade part number. I will need L-ASA-SSL-250.

Licensed features for this platform:

Maximum Physical Interfaces       : Unlimited      perpetual

Maximum VLANs                     : 100            perpetual

Inside Hosts                      : Unlimited      perpetual

Failover                          : Active/Active  perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

Security Contexts                 : 2              perpetual

GTP/GPRS                          : Disabled       perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 250            perpetual

Total VPN Peers                   : 250            perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

Correct - you would need L-ASA-SSL-250.

Buying that will get you an activation code which, when installed on your appliance, will change

     AnyConnect Premium Peers          : 2      perpetual

To "250" (as opposed to the default 2).

Please rate helpful posts.

Hi Marvin, can you explain me correctly/exactly what is the difference/definition between the AnyConnect premium peers and AnyConnect Essentials.

My ASA version is: ASA5585-SSP-40

AnyConnect premium peers: 2

AnyConnect Essentials: 1000

 

So i want to configure ASA to support VPN ssl connection.. and i want to know if i have the correct licenses..

 

 

All ASAs include the 2 Premium peer licenses. They are mostly for evaluation and the occasional network admin remote access.

You have the purchased license for AnyConnect Essentials. You can use it for remote access SSL VPN (client-based) just fine.

Premium licenses add the capability for clientless SSL VPN (plus a few other less common features).

An ASA has to run one type or the other even if you have both licenses - when you activate the "anyconnect-esentials" command, it disables the Premium features globally on the ASA.

Hi Marvin,

Currently I have cisco ASA HA Pair with default premium license. I have got the PAK code for ASA5500-SSL-250=, but I hve been advseid that part ASA5500-SSL-250=  is not eh right one for upgrading from default 2 to 250 premium vpn ayconnect. I need to buy upgrade license. Is that true? if yes what would be the part number and upgrade process from 2 to 250 premium vpn anyocnnect on this HA pair. 

Could you pleaes advise which license shoudl I buy for this upgrade_

show run ffrom the ha pair-

Cisco Adaptive Security Appliance Software Version 9.1(5)19
Device Manager Version 7.2(2)

Compiled on Thu 23-Oct-14 14:14 PDT by builders
System image file is "disk0:/asa915-19-smp-k8.bin"
Config file at boot was "startup-config"

ahpra-syd-au-hacasa1 up 249 days 1 hour
failover cluster up 349 days 5 hours

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB

SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5525 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.

thanks

Arman,

There is no upgrade SKU for the 2 base licenses as they are included with the base ASA image. So the PAK you have is the right one to go to 250 premium users. The part number is now end of sales but it can still be redeemed for an activation key.  

I notice your ASA has Essentials licensed at the 750 users (platform limit) level. The Premium features cannot be simultaneously active with Essentials. You can use one or the other but not both as the 'AnyConnect-essentials' command disables premium-only features like clientless. 

Hi Marvin,

Thanks a lot for your reply. 

So in my ASA HA pair I've to activate the license only on the acitve ASA as I am running version 9.1(5)19. So to upgrade to premium license i have to do as follows-

1. Deactivate essential license

conf t

webvnp  

no anyconnect-essentials

2. Activate premium licesnse.

conf t

activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx 

Also to confirm i dont need to reload to upgrade to premium anyconnect license?

could you please calrify on the above points? thanks

You're welcome Arman.

1. That's correct (although you had a typo at 'webvpn'). 

2. Yes. No reload is necessary (although it's a good idea just to ensure that all is in order prior to the possible event of some future unscheduled reload). 

Thanks a lot marvin. will let you know how it goes with the upgrade. 

Can you tell me the steps for enabling the feature "Anyconncet for mobile"? One of my client had recently bought the Anyconnect Essentials License. Can you help out with the steps to follow?