cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1440
Views
0
Helpful
4
Replies

ANYCONNECT VPN license

Deepthi
Level 1
Level 1

Dear Team,

 

We have two Cisco ASAs connected in ACTIVE-STANDBY setup. I wanted to configure ANYCONNECT VPN and purchased an ANYCONNECT license from Cisco through our partner company. 

 

When i tried registering the license and sharing it with the other ASA on the Cisco website, i wasn't able to do it.

 

I logged a ticket with Cisco licensing team and they told me that i need to purchase a PLUS or APEX license.

 

So, I request your suggestions with this case... as every other person is giving me different answers.

 

this is the license i have currently.

 

L-AC-VPNO-25=

Cisco AnyConnect VPN Only, 25 Simultaneous (eDelivery)

 

Thank you.

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The Cisco Licensing team is correct.

When you purchase the VPN Only license that you mentioned, it is per unique device. Plus or Apex licenses are per unique user and may be shared across appliances.

This limitation is confirmed in the AnyConnect licensing FAQ here:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc6

View solution in original post

Yes, Anyconnect VPN will continue to work for a while when/if the Primary-Active unit where the VPN Only license was installed becomes Standby for whatever reason. The Secondary unit will not be directly licensed per se but as long as it can communicate with the licensed member of the HA pair it will continue to work.

If the Primary-Standby licensed member has failed altogether and cannot communicate with the Secondary-Active, the secondary unit will stop providing AnyConnect VPN after 30 days.

If you have RMA'd the primary unit with Cisco, they will re-issue a VPN only license for use with the replacement hardware.

See also

https://community.cisco.com/t5/firewalls/anyconnect-license-in-ha-pair-confusion/td-p/3010642

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

The Cisco Licensing team is correct.

When you purchase the VPN Only license that you mentioned, it is per unique device. Plus or Apex licenses are per unique user and may be shared across appliances.

This limitation is confirmed in the AnyConnect licensing FAQ here:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc6

Hi Marvin,

 

Thank you very much for your response. I read through the document and as it says that if I have a Acitve/Standby ASA setup, I can just the single license I Have into the Active ASA and the VPN works even during a failover situation? 

 

Please do let me know.. and thanks in advance.. 

Yes, Anyconnect VPN will continue to work for a while when/if the Primary-Active unit where the VPN Only license was installed becomes Standby for whatever reason. The Secondary unit will not be directly licensed per se but as long as it can communicate with the licensed member of the HA pair it will continue to work.

If the Primary-Standby licensed member has failed altogether and cannot communicate with the Secondary-Active, the secondary unit will stop providing AnyConnect VPN after 30 days.

If you have RMA'd the primary unit with Cisco, they will re-issue a VPN only license for use with the replacement hardware.

See also

https://community.cisco.com/t5/firewalls/anyconnect-license-in-ha-pair-confusion/td-p/3010642

Thank you very much for your response. Appreciate it.