ASA Licensing

Cisco Freak
Level 4

Hi All,

We bought a new ASA 5515x device. I am confused about the license available on the device.

How many users can connect with the AnyConnect VPN client to the device?

Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA 5515 Security Plus license.

CF

Philip D'Ath
VIP Alumni

With your current licence - two users.

Hi Philip,

What are 'Other VPN peers' and 'Total VPN peers'?

Can more than 2 users connect from web VPN?

CF?

"Other VPN Peers" is site to site VPNs.

2 users can connect using either AnyConnect or the clientless web interface.  Either way, a combined two people at once.

If you are planning on using the VPN for users you really need to buy the AnyConnect VPN licences.

I got it.

If I buy a 25 user AnyConnect Plus license, can I install it on 2 ASAs but still be limited to a 25 user count together?

If you buy a single 25 user licence you can only install it on a single ASA.

If you have a failover ASA pair, you can install the licence on one of them, and then whichever is the active firewall gets the 25 licences.

Philip, the AnyConnect 4.x licenses are NOT limited to a single ASA (or HA pair). This is a change from 3.x and earlier versions.

You can redeem the PAKs for as many ASAs as are used for remote access VPN within a given customer.

As long as you don't exceed the number of licensed users you are within the terms of the license. The number of users is not currently enforced technically - it's up to the customer, as advised by their reseller, to purchase the correct licensing level.

Now that is a big change.

So let's say I buy a 250 user licence and I have 5 x ASAs. Do I redeem the same PAK against each of them saying I just want 50 users each?

I've never had the system allow a single PAK code to be used more than once.

Philip,

Actually when you redeem the 4.x PAKs they will show the ASA as licensed for the maximum number of users the platform supports. It's up to the end user to manage the licensing level at this time.

You do redeem the same PAK code against all of your ASAs. Each is entitled to the number of unique users (unique in the aggregate) that you are licensed for.

Note the second sentence in this excerpt from the AC Ordering Guide:

You cannot associate more than one Adaptive Security Appliance serial number with your PAK on a single license registration page. The same product activation key (PAK) can be applied to multiple appliances by repeating this process.

Here's a screenshot of the license portal showing one AnyConnect Apex PAK redeemed on two ASAs:

I learned something new today.  Thank you!

So this means, if I buy a 100 user license, I can redeem 50 for one ASA and save the remaining 50 for a future purpose.

But this will also require all users to install AnyConnect version 4 on their laptops.

Am I right?

FYI, I just tried this today.

I redeemed a L-AC-PLS-S-3Y-100 for a customer. The licensing portal said it was issuing a licence for 99998 users. The licensing email that turns up is for 500 users. This was going onto a 5516, and when installed it says:

The Running Activation Key feature: 500 AnyConnect Premium sessions exceed the limit on the platform, reduced to 300 AnyConnect Premium sessions.

And subsequently the firewall ends up with 300 AnyConnect Premium licences.

PLEASE DO NOT DISCARD THIS EMAIL.

You have received this email because your email address was provided to Cisco Systems during the registration process for a Cisco ASA 5500 Series Adaptive Security Appliance activation key.  Please read this email carefully and forward it with any attachments to the proper system administrator if you are not the correct person.

Below, you will find the Activation Key for your Cisco Adaptive Security Appliance.  

Serial #:  xxx
Product Authorization Key   : xxx

Failover                                 : Enabled   
Encryption-DES                           : Enabled   
Encryption-3DES-AES                      : Enabled   
Security Contexts                        : Default   
GTP/GPRS                                 : Disabled  
AnyConnect Premium Peers                 : 500       
Other VPN Peers                          : Default   
Advanced Endpoint Assessment             : Enabled   
AnyConnect for Mobile                    : Enabled   

[@p.dath]  

Yes, it is not intuitive at best.  I plan to challenge the BU on this behavior at the upcoming SEVT next week. It's challenging for me to explain and I work with these almost every day.

[@ccie@2015]  

If you buy a 100 user license then that means you are licensed for 100 unique users no matter how many ASAs you have or install the license on.

The licensing on the ASA does not force you to use AnyConnect 4.x on the end users - the image (pkg file) that you upload and define in your profile does that. That said, AC 4.x is certainly recommended as Cisco is no longer developing AC 3.x going forward.
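
Since the replies above note that the licensed user count is not enforced on the ASA and is counted as unique users in the aggregate, the check has to happen outside the device. The following is an added example, not code from the thread or from Cisco: it counts each user once across several ASAs and compares the total with the purchased tier. The captures are constructed and abbreviated in the layout of "show vpn-sessiondb anyconnect" output; the ASA names, usernames, addresses and the case-insensitive username matching are assumptions.

```python
import re

# Constructed, abbreviated captures laid out like "show vpn-sessiondb anyconnect"
# output; ASA names, usernames and addresses are made up for this example.
CAPTURES = {
    "asa-a": """\
Session Type: AnyConnect

Username     : alice                  Index        : 101
Assigned IP  : 10.10.0.11             Public IP    : 198.51.100.7
License      : AnyConnect Premium

Username     : bob                    Index        : 102
Assigned IP  : 10.10.0.12             Public IP    : 198.51.100.8
License      : AnyConnect Premium
""",
    "asa-b": """\
Session Type: AnyConnect

Username     : Alice                  Index        : 7
Assigned IP  : 10.20.0.21             Public IP    : 198.51.100.7
License      : AnyConnect Premium

Username     : carol                  Index        : 8
Assigned IP  : 10.20.0.22             Public IP    : 203.0.113.40
License      : AnyConnect Premium
""",
}

USERNAME_RE = re.compile(r"^Username\s*:\s*(\S+)", re.MULTILINE)

def users_in_capture(text):
    # Assumption: the AAA backend treats usernames case-insensitively,
    # so "Alice" and "alice" are one licensed user.
    return {name.lower() for name in USERNAME_RE.findall(text)}

def audit_unique_users(captures, licensed_users):
    """Count users once across all ASAs and compare with the purchased tier."""
    per_asa = {asa: users_in_capture(text) for asa, text in captures.items()}
    unique = set().union(*per_asa.values())
    return {
        "users_per_asa": {asa: len(users) for asa, users in per_asa.items()},
        "unique_users": sorted(unique),
        "over_license_by": max(0, len(unique) - licensed_users),
    }

if __name__ == "__main__":
    # 2 is a deliberately small licensed count so the sample data exceeds it.
    print(audit_unique_users(CAPTURES, licensed_users=2))
```

A single capture shows only the users connected at that moment, so feed in captures collected over the whole period being audited.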

Marvin,

I need clarification.

I have an ASA 5525 with 250 AnyConnect Premium Peers which I got with a Premium license. And I extended that with 500 more up to 750. Now I want to extend more with 500 more up to 1250.

Can I do that?

@startx001: No.

The ASA 5525-X platform is limited to 750 SSL VPN peers. Reference the data sheet:

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-701808.html

You would have to move up to the Firepower 2100 series to support more concurrent SSL VPN sessions:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html
