05-30-2012 08:03 AM - edited 02-21-2020 06:06 PM
Solved! Go to Solution.
05-30-2012 02:30 PM
Correct - you would need L-ASA-SSL-250.
Buying that will get you an activation code which, when installed on your appliance, will change
AnyConnect Premium Peers : 2 perpetual
To "250" (as opposed to the default 2).
Please rate helpful posts.
05-30-2012 01:18 PM
The ASA-VPNS-500= and ASA-VPNP-5510= products are for a setup where you have a cluster of ASAs serving remote access browser-based (clientless) SSL VPN clients. The first item sets up your server to be able to had out licenses for 500 remote access users. The second item allows an ASA 5510 to participate in the cluster.
For more traditional remote access VPN clients (client-based SSL or IPSec VPN) you need AnyConnect (Essentials or Premium). The Premium version adds the ability to use Cisco Secure Desktop features.
Part numbers for those are:
AnyConnect Essentials:
L-ASA-AC-E-55XX= (5510 in your case)
AnyConnect Premium:
L-ASA-SSL-10, L-ASA-SSL-25, L-ASA-SSL-50, L-ASA-SSL-100, L-ASA-SSL-250, L-ASA-SSL-500, L-ASA-SSL-700, L-ASA-SSL-1000, L-ASA-SSL-2500, L-ASA-SSL-5000, or L-ASA-SSL-10K
Upgrade Part Numbers: L-ASA-SSL-10-25, L-ASA-SSL-25-50, L-ASA-SSL-50-100, L-ASA-SSL-100-250, L-ASA-SSL-100-500, L-ASA-SSL-100-750, L-ASA-SSL-100-1K, L-ASA-SSL-250-500, L-ASA-SSL-500-750, L-ASA-SSL-500-5K, L-ASA-SSL-750-1K, L-ASA-SSL-1K-2500, L-ASA-SSL-2500-5K, L-ASA-SSL-5K-10K
If you want to do Advanced Endpoint Assessment, that is an additional license - L-ASA-ADV-END-SEC - which has AnyConnect Premium as a prerequisite.
05-30-2012 01:55 PM
Thanks for the information. I just want to double confirm. I don't want to order the wrong license. The name are too close to get confuse.
I want to get name straight because I need to get a quote for clientless and client SSL VPN.
I only have a single ASA 5510. If I want the clientless and client SSL VPN should I be listing these
AnyConnect Premium (client SSL VPN) L-ASA-SSL-250
Browser-based clientless SSL VPN ASA-VPNS-500=
Is that all I need to get the clientless and client SSL VPN going? No additional license on top of that? Is 500 clientless SSL VPN is the minimum? Nothing less than that?
05-30-2012 02:06 PM
AnyConnect client-based SSL VPN requires only L-ASA-AC-E-5510= for a single 5510.
Clientless (browser-based) SSL VPN requires one of the AnyConnect Premium licenses whose part numbers I listed above. They are available as the names suggest in increments of 10, 25, 50, 100 etc.
The ASA 5510 allows a maximum of 250 Anyconnect Premium clients so the 500+ licensing levels are not applicable for you.
The ASA-VPNS-500= part number is only for when you are setting up a cluster of ASAs to share licenses across multiple appliances. Typically you would only do that with larger installations thus the starting number of 500 in that scenario.
NOTE: AnyConnect Essentials and AnyConnect Premium licenses can NOT be run simultaneously on the same appliance. Once you go the Premium route you are tied to the Premium per-user licensing and the per-appliance model of Essentials is no longer an option.
05-30-2012 02:21 PM
I understand now. I only need L-ASA-SSL-100-250 and that will give me client and clientless SSL VPN capabilites.
05-30-2012 02:25 PM
Not to confuse people. I put the upgrade part number. I will need L-ASA-SSL-250.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
05-30-2012 02:30 PM
Correct - you would need L-ASA-SSL-250.
Buying that will get you an activation code which, when installed on your appliance, will change
AnyConnect Premium Peers : 2 perpetual
To "250" (as opposed to the default 2).
Please rate helpful posts.
08-24-2015 06:29 AM
Hi Marvin, can you explain me correctly/exactly what is the difference/definition between the AnyConnect premium peers and AnyConnect Essentials.
My ASA version is: ASA5585-SSP-40
AnyConnect premium peers: 2
AnyConnect Essentials: 1000
So i want to configure ASA to support VPN ssl connection.. and i want to know if i have the correct licenses..
08-24-2015 08:26 PM
All ASAs include the 2 Premium peer licenses. They are mostly for evaluation and the occasional network admin remote access.
You have the purchased license for AnyConnect Essentials. You can use it for remote access SSL VPN (client-based) just fine.
Premium licenses add the capability for clientless SSL VPN (plus a few other less common features).
An ASA has to run one type or the other even if you have both licenses - when you activate the "anyconnect-esentials" command, it disables the Premium features globally on the ASA.
11-01-2015 10:08 PM
Hi Marvin,
Currently I have cisco ASA HA Pair with default premium license. I have got the PAK code for ASA5500-SSL-250=, but I hve been advseid that part ASA5500-SSL-250= is not eh right one for upgrading from default 2 to 250 premium vpn ayconnect. I need to buy upgrade license. Is that true? if yes what would be the part number and upgrade process from 2 to 250 premium vpn anyocnnect on this HA pair.
Could you pleaes advise which license shoudl I buy for this upgrade_
show run ffrom the ha pair-
Cisco Adaptive Security Appliance Software Version 9.1(5)19
Device Manager Version 7.2(2)
Compiled on Thu 23-Oct-14 14:14 PDT by builders
System image file is "disk0:/asa915-19-smp-k8.bin"
Config file at boot was "startup-config"
ahpra-syd-au-hacasa1 up 249 days 1 hour
failover cluster up 349 days 5 hours
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Enabled perpetual
This platform has an ASA5525 VPN Premium license.
thanks
11-02-2015 03:37 AM
Arman,
There is no upgrade SKU for the 2 base licenses as they are included with the base ASA image. So the PAK you have is the right one to go to 250 premium users. The part number is now end of sales but it can still be redeemed for an activation key.
I notice your ASA has Essentials licensed at the 750 users (platform limit) level. The Premium features cannot be simultaneously active with Essentials. You can use one or the other but not both as the 'AnyConnect-essentials' command disables premium-only features like clientless.
11-03-2015 08:07 PM
Hi Marvin,
Thanks a lot for your reply.
So in my ASA HA pair I've to activate the license only on the acitve ASA as I am running version 9.1(5)19. So to upgrade to premium license i have to do as follows-
1. Deactivate essential license
conf t
webvnp
no anyconnect-essentials
2. Activate premium licesnse.
conf t
activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
Also to confirm i dont need to reload to upgrade to premium anyconnect license?
could you please calrify on the above points? thanks
11-03-2015 08:22 PM
You're welcome Arman.
1. That's correct (although you had a typo at 'webvpn').
2. Yes. No reload is necessary (although it's a good idea just to ensure that all is in order prior to the possible event of some future unscheduled reload).
11-03-2015 09:25 PM
Thanks a lot marvin. will let you know how it goes with the upgrade.
10-27-2020 06:23 AM
Can you tell me the steps for enabling the feature "Anyconncet for mobile"? One of my client had recently bought the Anyconnect Essentials License. Can you help out with the steps to follow?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide