Default licenses on Cisco ASA

gsidhu
Level 3

Hi

Customer purchased two Cisco ASA 5585-X with the default licenses:

ASA5500-ENCR-K9 ASA 5500 Strong Encryption Lic

ASA5585-SEC-PL ASA 5585-X Security Plus Licen


Please could someone provide me with the answers to the following questions:


  1. Each ASA by default will have two perpetual 'AnyConnect Premium Peers' licenses. My understanding is that these licenses can be used for Clientless SSL or IKEv2 remote access VPN sessions. Is this correct?
  2. The ASAs will be configured for Active/Standby. Since the default licenses are perpetual, you can only have a maximum of 2 concurrent remote access VPN connections. Is this correct?
  3. If the default licenses were AnyConnect Apex licenses, would the maximum number of concurrent remote access VPN connections increase to 4?
  4. If the answer to question 3) is 4, is this because of the feature called 'Shared Premium VPN Licensing', and is this feature only available for AnyConnect Apex licenses?

Thanks

Following is output from one of the ASAs:


Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
10GE I/O                          : Enabled        perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5585-SSP-10 VPN Premium license.

8 Replies

Marvin Rhoads
Hall of Fame

1. Yes - and AnyConnect client-based SSL VPN as well.

2. Actually the Active and Standby unit licenses combine for a total of 4 each. 

3. AnyConnect Apex licenses are the current packaging of what used to be known (more or less) as AnyConnect Premium (plus AnyConnect for Mobile and Advanced Endpoint Assessment).

4. Shared VPN Premium licensing is an obsolete license type that allows you to create a pool of licenses distributed among several ASAs (not necessarily in any HA failover pairs). The 4.x licensing model is different in that you are licensed for unique users and can redeem your purchased licenses on multiple ASAs - even if they are in completely separate locations with no connection to one another.

I recommend the AnyConnect Licensing FAQ if you have further questions:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html

Hi Marvin

So basically what you are saying is that since both ASA firewalls have the default licence feature 'AnyConnect Premium Peers (quantity 2) perpetual' installed, the maximum number of concurrent AnyConnect VPN connections that can be established at any given time is 4. This is regardless of whether the ASA firewalls are configured for Active/Standby redundancy or standalone.

Do you have any reference to support this as this was not clear to me in the link that you sent me?

G

I do not have an official Cisco document that says it, but I can surely tell you from experience that it is true that if two ASAs are configured for redundancy Active/Standby then they will support 4 concurrent AnyConnect sessions. If they are configured to operate standalone then each one will support 2 concurrent sessions.

HTH

Rick

Marvin, Richard

My thanks to both of you for taking the time to help me. As a token of my appreciation I have given you both 5 points.

G

How licenses behave in an HA pair is covered here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-failover.html#ID-2107-00000379

If you have licenses on both units, they combine into a single running failover cluster license.

As Rick correctly noted, separate standalone firewalls do not combine their licenses.
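As an added illustration of the point above (not code from this thread or from Cisco), the following Python snippet parses the "Licensed features for this platform:" listing quoted in this thread and computes the running licence for two units: combined for an Active/Standby pair (2 + 2 AnyConnect Premium Peers = 4, as the thread states), uncombined for standalone firewalls. Summing every numeric count and treating a flag as Enabled if either unit has it is a simplification assumed here, and platform maximums are not modelled.

```python
import re

# Constructed sample listings in the two layouts seen in this thread
# (column-aligned and single-spaced), trimmed to a few features per unit.
UNIT_A = """\
Licensed features for this platform:
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
AnyConnect Premium Peers          : 2              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
"""

UNIT_B = """\
Licensed features for this platform:
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
AnyConnect Premium Peers : 2 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
"""

# feature name, ':', value, then 'perpetual' or a time-based 'N days' suffix
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s*:\s*(?P<value>\S+)\s+(?P<kind>perpetual|\d+\s+days?)\s*$")

def parse_licenses(text):
    """Return {feature: value} from a 'Licensed features for this platform:' block."""
    feats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            feats[m.group("name")] = m.group("value")
    return feats

def combine_value(a, b):
    """Assumed merge rule for one feature across an HA pair:
    counts add, Unlimited wins, Enabled/Disabled flags OR, other strings keep the first."""
    if a.isdigit() and b.isdigit():
        return str(int(a) + int(b))
    if "Unlimited" in (a, b):
        return "Unlimited"
    if {a, b} <= {"Enabled", "Disabled"}:
        return "Enabled" if "Enabled" in (a, b) else "Disabled"
    return a

def effective_licenses(unit_a, unit_b, failover_pair):
    """Running licence: one merged set for a failover pair, per-unit sets otherwise."""
    a, b = parse_licenses(unit_a), parse_licenses(unit_b)
    if not failover_pair:
        return {"unit_a": a, "unit_b": b}
    return {"pair": {k: combine_value(a[k], b[k]) for k in a if k in b}}
```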

Hello Marvin, 

I have two ASAs configured as HA, please see below:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5525 VPN Premium license.


Currently we have 750 RAS AnyConnect licenses and I am upgrading the ASA hardware to the ASA 21k model. My plan is to just copy the running config and paste it to the new ASA firewall; will it work? How can I transfer the RAS certificate, and can I remove those licenses to the new hardware? If yes, how can I do it, please? This firewall will only serve RAS. Any help and advice appreciated. Regards, Star

@SS2020 you can mostly copy and paste the configuration. Depending on the current ASA version and the new ASA version on the 2K model, some crypto commands have been deprecated, such as older weak ciphers.

To export/import the certificate refer to this guide.

Hello Rob,

The existing ASA version is Version 9.12(4)54 and the new ASA will be cisco-asa-fp2k.9.12.4.54.SPA.

Can I remove the RAS AnyConnect licenses or not, please?