Dear Marvin,

Thanks for you reply! 

But I found a below question from Anyconnect License Q&A:

Q. Why does a part expand 99999 times when I buy an AnyConnect Plus perpetual or non-banding AnyConnect Plus or Apex license?

A. This is normal. These parts expand to allow you to register your AnyConnect Plus or Apex license to all of your ASA serial numbers. This expansion SKU is not applicable to the newer banding-based Plus (L-AC-PLS-LIC=) or Apex (L-AC-APX-LIC=) SKUs or the VPN Only SKUs (L-AC-VPNO-xxxx=).  See the AnyConnect Ordering guide for details on license registration per SKU type.

Link:https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc29

It seems the new SKU would not be used on multiple appliances, do i understand correctly ?

Thanks!

The current SKUs for AnyConnect Plus and Apex (L-AC-PLS-LIC= and L-AC-APX-LIC=) can be used to install the licenses on multiple appliances. 

I Also found a explanation from anyconnect order guide, The SKU you mentioned can share with multiple appliances.

Thnaks for your reply.

Hi Marvin,

is that mean, we can apply same amount of licenses to all FTD's.

In my case, i have purchased Cisco Anyconnect Plus license with Qty as 5000 and i have 4 FTD's in my network environment.So can i apply all these licenses to each devices or i have to distribute among these?

You can install your AnyConnect 4.x license subscriptions on as many ASAs and FTD appliances as you have in your organization.

You are licensed by the number of unique users that use the product, not by the number of appliances they VPN into.

So your 5000 license subscription can be installed on each of your FTD appliances.

@Mohammed al Baqari,

The classic VPN license for Firepower is for the old style classic appliances (3D7000, 3D8000 series etc.) that had a separate VPN license type for site-to-site VPN. It was very rarely used in my experience.

The remote access VPN on FTD uses AnyConnect Smart licenses exclusively. If the customer has AnyConnect PAKs (i.e. purchased for use with their ASAs), they would need to get them converted/added to the Smart account.

I would like to ask you question. I have 2 FTD 2130 Devices which are in HA. In my smart license portal i see that i have 100 Anyconnect Apex Licenses and 2 of them are being used. At the same time in my fmc->license->smart license page I see 2 Anyconnect Apex licenses are used by HA pair. This means this licenses are used by device not by User. Moreover, when i connected with anyconnect vpn to this FTD pair, I checked usage and it had not been incremented. Why?

The count of in-use AnyConnect licenses is not enforced by technical means.

For instance, if you install the PAK-based type on an ASA, for example, you will see the number (from "show activation-key") increment to the maximum supported by the hardware.

In the case of Smart licences (as are used by FTD and ASAv), you are correct in observing that the portal only shows the count of devices using licenses - not the actual count of end users.

This is all an artifact arising from Cisco's licensing scheme and systems being out ahead of the telemetry and metering (not) built into the software.

You are still bound by the terms of the right-to-use agreement associated with the purchased licenses. Those terms include the number of allowed unique end users.

Hi guys, 

I was wondering if I'm able to use at least one anyconnect connection only for finishing a deployment we're implementing without having no one anyconnect licenses. Our deployment is based on FTD 2120 devices.  Thank you in advance.  

If you are using evaluation licensing on your new system you can run it temporarily using that.

If you've registered to your Smart Account and are using Smart Licenses then you need to have AnyConnect licenses available to assign in your Smart Account. Remember that AnyConnect 4.x license are per-user and not per-device so you can use the same license pool for multiple devices.

Hi Marvin,

Thank you so much for your answer.  I will configure an anyconnect vpn profile based on IPSEC because I see that SSL anyconnect cannot be configured with my actual evaluation license. 

Thanks again.