scott.bridges
Beginner

ASA 5505 Licensing / Encryption clarification

Hello,

I have an ASA 5505 with Security Plus licensing.  The specific entry I'm focusing on when I do a "show version" is:

AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual

For my IKEV2 IPSEC, I have:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 10000

When bringing up a L2L VPN, I am able to establish IKEV2/IPSEC with DH Group 21 with no issue.
But when I try to connect a remote client with Cisco Anyconnect, I get the following message:

An IKEv2 remote access connection failed. Attempting to use an NSA Suite B crypto algorithm (ECDH group) without an AnyConnect Premium license.

Upon research, I see that DH Groups 19+ are considered Next Gen NSA algorithms.  I assume that I do not have the correct licensing to support this with AnyConnect clients, so I edited my ikev2 policy to read:

crypto ikev2 policy 1
 group 14 21

My issue is that I still receive the same error.  Shouldn't the AnyConnect down-negotiate to Group 14?  And shouldn't the L2L negotiate at highest possible, Group 21?

Any advice is appreciated.


Marvin Rhoads
Hall of Fame Guru

Do you by any chance have the line "anyconnect-essentials" in your configuration?

That would force the use of the Essentials license even though you have an available Premium license.

Generally speaking, a LAN-LAN IPsec VPN should negotiate to the first group the peers have in common in their respective configurations.

A Remote access IPsec VPN should negotiate to the level specified by the server (the ASA).

Sir,

I do indeed have "anyconnect-essentials" under "webvpn".

Should I negate this line?  I see that it says:

anyconnect-essentials    Enable/Disable AnyConnect Essentials

If I "no anyconnect-essentials", will that force the ASA to revert to my Premium license?  Or will I lose the ability to use AnyConnect clients?

Thank you

When you have licenses for both AnyConnect Essentials and Premium on an ASA you need to choose one or the other type for all AnyConnect clients.

We typically see this where a customer started out with the Essentials license and then later added Premium. When you do that, you need to configure "no anyconnect-essentials" in order to use the features that require the Premium license level.

All the Essentials clients should continue to work in your case since the number of licensed users is equal on both license types. On the larger appliances, the Premium licenses may be less than the number of Essentials licenses since the former is sold by number of users (and can get quite costly on the larger devices since they can potentially support 1000s of users) and the latter is one relatively low cost license that covers the entire device according to its hardware capability.

On the 5505 the maximum capacity is 25 and you have that same number already licensed for Premium. (The available Premium license SKUs for that platform are 10 and 25.)

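As an added example (not part of this thread or Cisco's own tooling), a small Python audit that applies the check Marvin describes to a constructed ASA config fragment: it flags any crypto ikev2 policy carrying an ECDH group (19, 20 or 21, the groups the Suite B error message refers to) while "anyconnect-essentials" is still active under webvpn. The sample config text and all function names are assumptions made for the example.

```python
import re
# Constructed ASA config fragment mirroring the thread: an IKEv2 policy
# with ECDH group 21 while webvpn still forces the Essentials license.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
webvpn
 anyconnect-essentials
"""

# DH groups 19, 20, 21 are ECDH (NSA Suite B); AnyConnect needs Premium to use them.
ECDH_GROUPS = {19, 20, 21}

def parse_ikev2_groups(config):
    """Return {policy_number: set of DH groups} for each crypto ikev2 policy."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^crypto ikev2 policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = set()
        elif current is not None and line.startswith(" "):
            groups = re.match(r"^\s+group((?:\s+\d+)+)\s*$", line)
            if groups:
                policies[current].update(int(g) for g in groups.group(1).split())
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def essentials_enabled(config):
    """True when 'anyconnect-essentials' (not its 'no' form) is set under webvpn."""
    in_webvpn = False
    for line in config.splitlines():
        if line.strip() == "webvpn":
            in_webvpn = True
        elif in_webvpn and not line.startswith(" "):
            in_webvpn = False
        elif in_webvpn and line.strip() == "anyconnect-essentials":
            return True
    return False

def audit(config):
    """Return [(policy, [ecdh groups])] that AnyConnect will reject under Essentials."""
    if not essentials_enabled(config):
        return []
    return [(n, sorted(g & ECDH_GROUPS))
            for n, g in parse_ikev2_groups(config).items() if g & ECDH_GROUPS]
```

Adding group 14 alongside 21 still produces a finding, which matches what the original poster saw; only negating anyconnect-essentials clears it.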

Sir,

Your expertise in the world of ASA is uncanny.

You were spot on.

I removed the "anyconnect-essentials" and changed my ikev2 back to "group 21" and now both my L2L and my AnyConnect are properly negotiating at Group 21:

 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:21, Auth sign: RSA, Auth verify: EAP

Thank you again!

Thanks for the feedback - I appreciate it.

Many engineers, even quite competent ones, don't deal with their firewalls day to day and often find the vast array of features and how they've changed over the years daunting. 

I work on or around ASAs, AnyConnect, FirePOWER, ISE etc. all the time and I'm fortunate in that I both enjoy doing it and it's my full time job - I do pre- and post-sales engineering for a Cisco partner and specialize in security. So I get to see how it's sold/packaged as well as the ins and outs of hands-on implementation, troubleshooting and support.

I'm happy to hear it's working for you now.
