12-10-2014 06:25 AM - edited 02-21-2020 07:58 PM
Dear Team,
We have a pair of Cisco ASA 5520s running version 8.2(5) in Active/Standby mode, working fine. As the situation demands, we are planning to change the SSL VPN from clientless SSL VPN (AnyConnect Premium) to AnyConnect VPN with mobile clients (iOS & Android).
Kindly clarify the below:
1) As I read, we cannot have both AnyConnect Essentials and AnyConnect Premium on the system at the same time; we need to disable one according to our need. Please correct me if I'm wrong.
2) What's the best method to deploy the client to end users' devices: pushing it from the ASA or installing it individually on each system? Should I go for the best, i.e. the latest, Windows, Mac, etc. client?
I read that pushing from the ASA uses a lot of cache memory; since we also have IPS (AIP-SSM) modules installed on the ASA, which method should I adopt here?
3) What's the correct product name for the AnyConnect Essentials license and the mobile client (iOS & Android) license that we need to get from Cisco?
4) Once I get the correct license, how do I activate it on both systems? Should I remove the failover command and install the license on both devices separately?
5) Finally, I need to authenticate the AnyConnect Essentials VPN with LDAP, which is already configured for the clientless SSL VPN (AnyConnect Premium). Any suggestions here?
Below is the "sh version" output from the devices; it seems AnyConnect Essentials is already active. Please correct me?
Active Firewall
===============
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is a493.4ca3.ce0a, irq 9
1: Ext: GigabitEthernet0/1 : address is a493.4ca3.ce0b, irq 9
2: Ext: GigabitEthernet0/2 : address is a493.4ca3.ce0c, irq 9
3: Ext: GigabitEthernet0/3 : address is a493.4ca3.ce0d, irq 9
4: Ext: Management0/0 : address is a493.4ca3.ce09, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
=====================================================
Standby Firewall
================
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 6073.5cab.3fae, irq 9
1: Ext: GigabitEthernet0/1 : address is 6073.5cab.3faf, irq 9
2: Ext: GigabitEthernet0/2 : address is 6073.5cab.3fb0, irq 9
3: Ext: GigabitEthernet0/3 : address is 6073.5cab.3fb1, irq 9
4: Ext: Management0/0 : address is 6073.5cab.3fb2, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Thanks
12-10-2014 05:01 PM
1. Correct. You can run one or the other but not both.
2. Since you have the 2 GB memory upgrade, you should be fine doing web deployment via the pkg file method.
3. For a 5520 you would need:
L-ASA-AC-E-5520=
L-ASA-AC-M-5520
...for the Essentials and Mobile licenses respectively.
4. On ASA 8.2 you need the licenses on both units. If you upgrade to 8.3+ (8.4(7) would be recommended at a minimum), you can share the licenses between members of an HA pair. If you choose not to upgrade, simply apply the activation-key on the standby unit and then on the active unit. You don't need to move them out of and into failover configuration. The failover status of the standby unit will show it as ineligible briefly while it has the new license while the active unit does not. That will be remedied after applying the same license on the primary unit. (If you were on 8.3+ this would not happen at all.)
5. Just build a new connection profile for the Essentials clients using the same AAA server group.
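As an added illustration of steps 2, 4 and 5 above (not configuration from the thread or from the poster's devices), here is an ASA 8.2-style sketch of the cut-over. The pool, group-policy and tunnel-group names, the pkg file version, the activation key and the aaa-server group name LDAP-SRV are placeholders to be replaced with the site's own values.

```text
! Step 4: apply the key on the standby unit first, then on the active unit.
! Placeholder only; use the key from the Cisco licensing e-mail.
activation-key <KEY-FROM-CISCO-LICENSING>
!
! Step 2: web deployment of the client package, and Essentials mode.
! Enabling anyconnect-essentials turns off clientless (Premium) access,
! so do this only once the clientless portal is no longer needed.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-<version>-k9.pkg 1
 svc enable
 anyconnect-essentials
!
! Group policy that allows only the SSL client tunnel protocol.
group-policy GP-AC-ESSENTIALS internal
group-policy GP-AC-ESSENTIALS attributes
 vpn-tunnel-protocol svc
 webvpn
  svc ask none default svc
!
! Step 5: new connection profile that reuses the existing LDAP server
! group (LDAP-SRV assumed to be the aaa-server group already used by
! the clientless profile). Pool addresses are constructed examples.
ip local pool AC-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
tunnel-group AC-ESSENTIALS type remote-access
tunnel-group AC-ESSENTIALS general-attributes
 address-pool AC-POOL
 authentication-server-group LDAP-SRV
 default-group-policy GP-AC-ESSENTIALS
tunnel-group AC-ESSENTIALS webvpn-attributes
 group-alias Essentials enable
!
! Confirm the license state on each unit afterwards.
show version | include AnyConnect
```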
12-10-2014 08:55 PM
Thanks Marvin, really appreciated.
Below is the configuration extract of "sh version" from both devices. I think AnyConnect Essentials has already been activated in the system. It seems I only need to enable AnyConnect Essentials under webvpn. Please have a check.
Active Firewall
===============
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is a493.4ca3.ce0a, irq 9
1: Ext: GigabitEthernet0/1 : address is a493.4ca3.ce0b, irq 9
2: Ext: GigabitEthernet0/2 : address is a493.4ca3.ce0c, irq 9
3: Ext: GigabitEthernet0/3 : address is a493.4ca3.ce0d, irq 9
4: Ext: Management0/0 : address is a493.4ca3.ce09, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
=====================================================
Standby Firewall
================
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 6073.5cab.3fae, irq 9
1: Ext: GigabitEthernet0/1 : address is 6073.5cab.3faf, irq 9
2: Ext: GigabitEthernet0/2 : address is 6073.5cab.3fb0, irq 9
3: Ext: GigabitEthernet0/3 : address is 6073.5cab.3fb1, irq 9
4: Ext: Management0/0 : address is 6073.5cab.3fb2, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
12-10-2014 09:24 PM
Kindly also advise: on my version 8.2(5), is there any issue with both AnyConnect and IPsec remote access VPNs coexisting? Will there be any issues? I already have many IPsec LAN-to-LAN and remote access VPNs.
12-11-2014 06:52 AM
Yes, your ASA pair appears to already have the AnyConnect Essentials license. You do not have the Mobile license so iOS and Android clients would not be able to access your remote access VPN.
Remote access and IPsec site-site VPNs can coexist fine on ASA 8.2(5). You are subject to the platform hardware limit for IPsec VPN peers (750 on a 5520) but otherwise there's no fundamental incompatibility or restriction.
12-11-2014 11:39 PM
Thanks a lot Marvin :)