09-22-2015 09:12 AM - edited 02-21-2020 08:28 PM
We recently had an AnyConnect Premium license expire somehow... The first replacement license I received was for AnyConnect Essentials. I requested another license- specifically an AnyConnect Premium this time. Is that what this is? It doesn't explicitly say "Premium" (I am obtaining these licenses through a corporate support group and am not dealing with Cisco directly on this):
Platform: ASA-5540
Platform License: N/A
Desired Host Limit: N/A
Enable VPN-3DES-AES: Yes
Enable GTP / GPRS: Yes
Enable Advanced Endpoint Assessment: Yes
Enable AnyConnect Mobile: Yes
Enable AnyConnect Essentials: No
Enable Botnet Traffic Filter: No
SSL VPN License Seats: 2500
Security Contexts: 50
UC Proxy Limit: 100
Multi-Site Support: No
Multi-Site Server: N/A
Desired Multi-site SSL VPN License: N/A
Cisco VPN Phone: Yes
Intercompany Media Engine: No
Enable Cluster: Yes
IPS Module: No
Time-based License Length (weeks): Permanent
Thank you in advance
09-24-2015 12:44 AM
what does the "sh license" command tell you?
it should say there what you have and how many anyconnect connections you can have.
09-24-2015 03:29 PM
Apparently no "show license" for ASA 9.1(6)6:
ASA# show li?
ERROR: % Unrecognized command
There is a "show shared license" without any output:
ASA# show shared license
ASA#
The "show activation-key" after I loaded the key doesn't look too good to me:
This platform has an ASA 5540 VPN Premium license.
The flash permanent activation key is DIFFERENT from the running permanent key.
Flash Activation Key: 0x1a1ac554 0x8843feb4 0xd5236d6c 0xfbc0dc80 0x4623cda4
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 0 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Disabled perpetual
Encryption-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 0 perpetual
AnyConnect Essentials : 2500 perpetual
Other VPN Peers : 0 perpetual
Total VPN Peers : 5000 perpetual
09-24-2015 07:00 PM
That "show activation-key" output definitely indicates you do NOT have AnyConnect Premium.
By the way any new licenses going forward will be either AnyConnect Plus or Apex as far as purchasing goes.
The old Essentials and Premium packaging is no longer sold, even though it continues (for now) to be shown as such in the "show" outputs.
09-25-2015 04:57 AM
We use a lot of the new APEX licenses. They are five year then you have to renew. When you install an APEX license there is nothing in the configuration to show an "APEX" license.
Your "AnyConnect Premium Peers" will go up to max no matter how many APEX user licenses you installed. Example is I installed an APEX 25 user license for a customer on an ASA5525. Premium Peers went from 2 to 750. It is my understanding that for number of users on APEX it is on the honor system for now. My installations bear this out.
09-25-2015 05:13 AM
Douglas,
Apex (and Plus) licenses come in 1-, 3- and 5-year term subscription options. There is also a perpetual license offering for AnyConnect Plus.
You're correct that there's currently no technical enforcement of the license count. This will likely change at some point in the future.
09-25-2015 05:19 AM
Thanks. We have been buying only the five year licenses. I will have to call out my Cisco rep. Thanks very much for the information. I use ASA's a lot, but mostly as VPN (IPSEC only) Devices and rarely as a firewall. A very laser like focus. Big AnyConnect user and also strongSwan.
02-24-2017 10:38 PM
We have purchased APEX25 user license but it seems it didn't take effect after applying the license key. it now shows AnyConnect Premium Peers : 750 but it only allows up to 4 concurrent anyconnect connections.
Are there some workaround on this?
02-25-2017 06:33 AM
Can you check to make sure you haven't enabled "anyconnect-essentials"?
('show run | i anyconnect')
02-25-2017 06:33 AM
To turn off:
webvpn
no anyconnect-essentials
And thanks Mr Rhoads for your input. Although the question didn't arrive from me, you taught me that APEX can come in shorter period licenses 1,3,5. We were getting the five year ones just because we thought that's all there was.
03-15-2017 01:36 AM
Hi Marvin,
Here's the show run output from our firewall
# show run | i anyconnect
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 4
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
anyconnect profiles RA_VPN_PROF disk0:/ra_vpn_prof.xml
anyconnect enable
anyconnect profiles value RA_VPN_PROF type user
03-15-2017 01:47 AM
The command that's limiting you is:
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 4
This command is mainly used in the old VPN clustering solution where we would spread VPN users across a set of firewalls and wanted to limit the number on a given firewall.
To get the full use of your licensed limit, you should enter:
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
04-17-2017 05:16 AM
Hi Marvin, Sorry for the late reply. VPN max concurrent session is working now. Thanks. :) BTW. I have another FW issue but I'll post it in another thread.
04-17-2017 05:28 AM
You're welcome. Please rate any helpful reply.
04-17-2017 05:30 AM
Done. :)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide