Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
869
Views
10
Helpful
3
Replies

Cisco Anyconnect license sizing : 300 users , 4 ASAs (2x2 Active/Standby Setup)

Go to solution
Ahmed Ayoub ELBOURAQADI
Level 1
Level 1

‎01-15-2021 02:51 AM

Hello,

I have a question regarding the number of Anyconnect licenses required for the following scenario:

I have 4 ASA 5525-X chassis, each 2 are configured as active/standby HA setup on 2 different sites.

I'm willing to buy "Anyconnect Plus" licenses for a capacity of 300 users. 

Questions:

1) how many licenses do i need to buy ? Would 150x2 be enough ?

2) In case i bought 150 per 2xASAs (active/standby), what would happen if i lose one site ? Would the other site take over the 150 users even if there are not enough licenses ? Or, wouldn't they be enable to reconnect ?

 

Thanks.

Labels:
Preview file
66 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-15-2021 04:56 AM

The AnyConnect licensing works in a different way for some time now. You only license the amount of users using the VPN ("the beating hearts"). It is independent of the concurrent connections. If you have 10000 Users but only 20 are active at a given time, you still need 10000 AC-PLUS-licenses. This is a case where the "VPN-Only" license could be cheaper.

The big benefit is that you can activate this license on all your ASAs. as it's not the device that is licensed, but the user-base.

View solution in original post

Go to solution
Ahmed Ayoub ELBOURAQADI
Level 1
Level 1
In response to balaji.bandi

‎01-15-2021 06:41 AM - edited ‎01-15-2021 06:55 AM

Hello,

Users are connected to VPN in a round robin fashion to load-balance between the two.

So, at one given time, and if all users are connected at the same time, i should have 150 users per each site (or per each ASA).

I just asked a Cisco support engineer, and he said that i will need only 300 AnyConnect Plus for my need. 

The licenses are sharable. It means that i can install the 300 lics on both ASA. It will be like having 300 lics per ASA.

 

Here is its explanation:

*******************************************************************
[TAC] : The AnyConnect licenses are shareable. So, if you purchase let's say 300, you need 300. This 300 will be shared on all devices.
[Me] : ok but, how or where do i install these 300 ? 150 per 2 ASAs ?
[TAC] : No, all 300 on both ASAs.

[Me] : Ok. So these 300 wouldn't be attached to a specific S/N , right ?
[TAC] : They will be attached to both S/Ns. As you order the licenses, 300 AnyConnect Plus. Once the order is completed, you will receive a pdf document that contains the PAK number for the licenses. This PAK number will get fulfilled on one of the SN's
And you will receive a license key that you need to apply on the ASA. Then, the same PAK will be shared to the other SN, and that will create another license key, which you will apply on the second ASA.

******************************************************************

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-15-2021 03:20 AM 

I have 4 ASA 5525-X chassis, each 2 are configured as active/standby HA setup on 2 different sites.

is your users split in to 2 sites ? then you want to split the users 300 on both the sites ? or your peak user requirement is 300 extra ?

 

if both sites are active then you need to plan accordingly.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Ahmed Ayoub ELBOURAQADI
Level 1
Level 1
In response to balaji.bandi

‎01-15-2021 06:41 AM - edited ‎01-15-2021 06:55 AM

Hello,

Users are connected to VPN in a round robin fashion to load-balance between the two.

So, at one given time, and if all users are connected at the same time, i should have 150 users per each site (or per each ASA).

I just asked a Cisco support engineer, and he said that i will need only 300 AnyConnect Plus for my need. 

The licenses are sharable. It means that i can install the 300 lics on both ASA. It will be like having 300 lics per ASA.

 

Here is its explanation:

*******************************************************************
[TAC] : The AnyConnect licenses are shareable. So, if you purchase let's say 300, you need 300. This 300 will be shared on all devices.
[Me] : ok but, how or where do i install these 300 ? 150 per 2 ASAs ?
[TAC] : No, all 300 on both ASAs.

[Me] : Ok. So these 300 wouldn't be attached to a specific S/N , right ?
[TAC] : They will be attached to both S/Ns. As you order the licenses, 300 AnyConnect Plus. Once the order is completed, you will receive a pdf document that contains the PAK number for the licenses. This PAK number will get fulfilled on one of the SN's
And you will receive a license key that you need to apply on the ASA. Then, the same PAK will be shared to the other SN, and that will create another license key, which you will apply on the second ASA.

******************************************************************

 

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-15-2021 04:56 AM

The AnyConnect licensing works in a different way for some time now. You only license the amount of users using the VPN ("the beating hearts"). It is independent of the concurrent connections. If you have 10000 Users but only 20 are active at a given time, you still need 10000 AC-PLUS-licenses. This is a case where the "VPN-Only" license could be cheaper.

The big benefit is that you can activate this license on all your ASAs. as it's not the device that is licensed, but the user-base.

Customers Also Viewed These Support Documents