Anyconnect user limitation on ASA5506

Jernej Vodopivec · ‎03-11-2015

Hi,

I'm a little bit confused what's the maximum number of Anyconnect VPN user session on 5506.

There are two values at Maximum Cisco AnyConnect® or Clientless VPN User Sessions (AnyConnect/Apex license required): 2/50 (without and with security plus).

And the comment below the table: Requires AnyConnect Plus/Apex license. Apex license required for clientless VPN. See the AnyConnect Ordering Guide for details. Maximum users may be further limited by your throughput requirements.

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html

I have ASA5506 with security plus and there are 4 Anyconnect premium peers included by default. I can extend it to 50 peers, no doubt about that.

But I'm wondering about ASA5506-X without security plus license: are there only 2 Anyconnect premium peers included by default?

And the second question: if I purchase anyconnect license (let's say anyconnect plus for 50 users) would I be able to connect 2 or 50 simoultaneous users?

paul-y · ‎03-12-2015

Hi Jernej,

My understanding of the license is default 2, max with purchased license is 50(with security plus license). By default, the 2 premium license will be gone once you activate either a AnyConnect Plus or Apex license. If you have security plus, it gives you a default 4 sessions instead of 2 but the same condition should apply once you have Plus or Apex installed.

I found this link and looks like it will answer all of your questions:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-license.html#20490

In the new AnyConnect licensing model, you can run Plus and Apex concurrently unlike the old Essential/Premium. Ultimately, the max session is driven by the capacity of the unit so it is just a number game how you want to distribute Plus/Apex if you choose to mix them.

Hope this helps!

Jernej Vodopivec · ‎03-13-2015

Hi Paul,

thanks for this.

Regarding to this document it seems maximum 10 anyconnect clients are supported on ASA5506-X without security plus license - even if one purchases Anyconnect Plus license for 25 users or more.

Can someone from BU confirm it please, just to be sure?

kfrukacz · ‎05-21-2015

Hi Jernej,

Were you able to check the Anyconnect users limit from your question?

I also would like to know what licenses are needed to support numbers of SSL VPN users on 5506-X.

BR

Jernej Vodopivec · ‎05-21-2015

Hi, I have appliance with base and appliance with security plus license on my table. I'll make a test tomorrow and let you know.

kfrukacz · ‎05-22-2015

Great, thank you! I will be waiting.

Please include information about what AnyConnect License you have (Plus or Apex) and ASA SW version. From what I see there are differences with licensing between 9.3 and 9.4.

Jernej Vodopivec · ‎05-23-2015

Hi, I've found the following

1. ASA with security plus license and 25 APEX licenses installed

a) SW 9.3

AnyConnect Premium Peers : 25 perpetual

AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 50 perpetual

Total VPN Peers : 50 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

b) SW 9.4

AnyConnect Premium Peers : 25 perpetual

AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 50 perpetual

Total VPN Peers : 50 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

So the upper limit is 50 VPN tunnels (IPSEC+APEX).

2. ASA without security plus license

a) without APEX, SW 9.3

AnyConnect Premium Peers : 2 perpetual

AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 10 perpetual

Total VPN Peers : 12 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

b) with APEX 25, SW 9.3

AnyConnect Premium Peers : 25 perpetual

AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 10 perpetual

Total VPN Peers : 35 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

c) with APEX, SW 9.4

AnyConnect Premium Peers : 25 perpetual

AnyConnect Essentials : Disabled perpetual

Other VPN Peers : 10 perpetual

Total VPN Peers : 35 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Enabled perpetual

AnyConnect for Cisco VPN Phone : Enabled perpetual

Advanced Endpoint Assessment : Enabled perpetual

Without additional anyconnect license you have 2 premium licenses installed by default + you can establish additional 10 IPSEC tunnels.

If you install Anyconnect license additionally you still can establish 10 IPSEC tunnels + max 40 SSL VPN tunnels (I assume that based on 50 VPN tunnels limitations with security plus license).

So I would say if you use 9.3 or 9.4 version nothing changes - what information you have regarding differences with licensing between 9.3 and 9.4?