Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9208
Views
25
Helpful
6
Replies

Multi-Context Vs Anyconnect

Go to solution
pratheesh.venu
Level 1
Level 1

‎05-02-2014 01:35 PM - edited ‎02-21-2020 07:37 PM

I understand from version 9.2 onwards ASA supports IPSec and Dynamic routing protocol in Multi- context implementation.

Will I be able virtualize Remote Access Solution by creating Multiple Context and and Create AnyConnect RA VPN solution? I am trying to use same ASA for two different customer RA VPN solution.

Also please let me know if there is any model specific statistic available to see how many concurrent Anyconnect sessions are allowed per device model. I am trying to get some input to see the appropriate model to support 10, 000 RAVPN users.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michal Gurbski
Level 1
Level 1
In response to Marvin Rhoads

‎02-10-2016 08:12 AM

Hi,

in Release for the Cisco ASA Series, 9.5(x) we have information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

First Published: August 12, 2015
Last Updated: January 28, 2016

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
  • Centralized AnyConnect image configuration
  • AnyConnect image upgrade
  • Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Notice: AnyConnect Apex license is required for multiple context mode

Kind regards,

Michal

P.S.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/feature/guide/anyconnect40features.html

Q. How do I receive a trial AnyConnect Apex license for my ASA?

A. Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, please visit: https://www.cisco.com/go/license. Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex (ASA) Demo License.  Please note that the license unlocks the ASA functions, but does not grant access to the AnyConnect Windows/Mac OS X/Linux software. Mobile versions of AnyConnect can be accesed via the Application store for the specific OS and can be trialed in conjunction with an evaluation license.

After that, you can Configure a Class for Resource Management

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-000009a8

in system context:

class gold
 limit-resource vPN anyConnect 5

 exit

context CONTEXT-A

 member gold

and check in CONTEXT-A:

View solution in original post

6 Replies 6

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-02-2014 03:47 PM

As of 9.2(1) there is still not support for remote access VPN in multi-context mode. (ASA 9.0(1) introduced support for IPsec site-to-site VPN in multi-context mode.)

Please refer to the ASA release notes page for details on new features by release.

As far as RA VPN clients, the 5555-X is rated at 5,000 concurrent AnyConnect VPN peers. The 5585-X with (SSP-20 or higher) maxes out at 10,000 concurrent AnyConnect VPN peers (source).

Rather than buy one big box though, a more scalable solution would be to build a VPN cluster. That allows you to grow more linearly (up to 100,000 users with a large cluster) and gives better resiliency.

0 Helpful

Go to solution
Michal Gurbski
Level 1
Level 1
In response to Marvin Rhoads

‎02-10-2016 08:12 AM

Hi,

in Release for the Cisco ASA Series, 9.5(x) we have information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

First Published: August 12, 2015
Last Updated: January 28, 2016

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
  • Centralized AnyConnect image configuration
  • AnyConnect image upgrade
  • Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Notice: AnyConnect Apex license is required for multiple context mode

Kind regards,

Michal

P.S.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/feature/guide/anyconnect40features.html

Q. How do I receive a trial AnyConnect Apex license for my ASA?

A. Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, please visit: https://www.cisco.com/go/license. Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex (ASA) Demo License.  Please note that the license unlocks the ASA functions, but does not grant access to the AnyConnect Windows/Mac OS X/Linux software. Mobile versions of AnyConnect can be accesed via the Application store for the specific OS and can be trialed in conjunction with an evaluation license.

After that, you can Configure a Class for Resource Management

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-000009a8

in system context:

class gold
 limit-resource vPN anyConnect 5

 exit

context CONTEXT-A

 member gold

and check in CONTEXT-A:

Go to solution
alap84
Level 1
Level 1
In response to Michal Gurbski

‎03-06-2016 01:02 AM

Hello

Nice article for doubts and clarifications

small doubt is after enabling Anyconnect APEX license only SSL is supported or IKEv2 will also support

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to alap84

‎03-06-2016 03:51 AM

Hi Muhammad,

Both SSL and IKEv2 would be supported.

Regards,

Aditya

Please rate helpful posts.

Go to solution
alap84
Level 1
Level 1
In response to Aditya Ganjoo

‎03-06-2016 04:31 AM

Thanks for your support

so its clear only after enabling it will work

could you please tell me the part number for ordering purpose

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alap84

‎03-06-2016 06:44 AM

Muhammad,

There are two part numbers required for an AnyConnect Apex order - the term license and associated term subscription.

Term License: L-AC-APX-xYR-G

Term Subscription: AC-APX-xYR-zzzz-S

(x = 5, 3, 1) year term

(zzzz = 25, 50, 100, 250, 500, 1K, 1500, 2500, 3500, 5K, 10K, 25K, 50K, 100K, 250K) unique users

Customers Also Viewed These Support Documents