Multiple context AnyConnect problem - no AnyConnect Apex license available

jni
Level 1

Hello

 

I could use some help with AnyConnect running on a multiple context ASA 5585-SSP10.

I think I have most of the configuration in place, but I still continuously receive an error regarding Apex licensing.

 

Group <anyconnect> User <someuser> IP <x.x.x.x> Session terminated, no AnyConnect Apex license available

I have the following configuration.

 

 

SYSTEM CONTEXT:

class anyconnect
  limit-resource VPN AnyConnect 75
!
context admin
  member anyconnect
  storage-url shared disk0:/anyconnect shared
!
context somecontext
  member anyconnect
  allocate-interface TenGigabitEthernet0/9.220
  storage-url shared disk0:/anyconnect shared
  config-url disk0:/somecontext.cfg
  join-failover-group 2

 

 

ADMIN CONTEXT
(I am actually not sure if this is needed anymore https://supportforums.cisco.com/t5/vpn/asa-9-6-2-anyconnect-in-multiple-context-mode/td-p/2970335):

webvpn
 anyconnect image shared:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 1
 anyconnect image shared:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 2
 anyconnect image shared:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 3
 anyconnect enable

 

 

SOMECONTEXT CONTEXT

webvpn
 enable internet
 anyconnect image shared:/anyconnect-macos-4.5.03040-webdeploy-k9.pkg 1
 anyconnect image shared:/anyconnect-linux64-4.5.03040-webdeploy-k9.pkg 2
 anyconnect image shared:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 3
 anyconnect profiles tech shared:/tech.xml
 anyconnect enable
 tunnel-group-list enable

A show ver in SOMECONTEXT

Cisco Adaptive Security Appliance Software Version 9.6(3)1 <context>

Licensed features for this user context:
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 75             perpetual
Other VPN Peers                   : 0              perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Botnet Traffic Filter             : Disabled       perpetual
10GE I/O                          : Enabled        perpetual
Cluster                           : Disabled       perpetual


Failover cluster licensed features for this user context:
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 75             perpetual
Other VPN Peers                   : 0              perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Botnet Traffic Filter             : Disabled       perpetual
10GE I/O                          : Enabled        perpetual
Cluster                           : Disabled       perpetual

Anyone have any idea as to what is wrong? Help would be greatly appreciated.

Accepted Solutions

Bogdan Nita
VIP Alumni

I do not see anything wrong with the config or with the show outputs.

The only theory I have is that you have failover, you did not install the license on the secondary, and the context you are trying to connect to via AnyConnect is on the secondary.

CSCvd87479

Hello

 

Thank you for your reply. I did actually find the same bug this evening, and you are correct. The problem was due to the failover setup and no license on the secondary firewall (where the context was running).
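
The theory in the accepted answer can be checked from show ver output alone, as in this added example (not code from the thread or from Cisco): it parses the per-unit and failover cluster license tables and reports features whose state differs, skipping numeric limits because those are combined across the failover pair. The sample text is trimmed from the output quoted in the question; the function names are hypothetical.

```python
import re

# Sample trimmed from the show ver output quoted in the question above.
SHOW_VER = """\
Licensed features for this user context:
AnyConnect Premium Peers          : 75             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual

Failover cluster licensed features for this user context:
AnyConnect Premium Peers          : 75             perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
"""

HEADER = re.compile(r"^(Failover cluster licensed|Licensed) features for this .*:$", re.I)
ROW = re.compile(r"^(?P<name>\S.*?)\s+:\s+(?P<value>\S+)\s+(?P<duration>\S.*)$")

def parse_license_tables(text):
    """Return {'unit': {...}, 'cluster': {...}} mapping feature name -> value."""
    tables, current = {"unit": {}, "cluster": {}}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        row = ROW.match(line)
        if header:
            current = "cluster" if header.group(1).lower().startswith("failover") else "unit"
        elif row and current:
            tables[current][row["name"]] = row["value"]
    return tables

def license_mismatches(text):
    """Features whose state differs between this unit and the failover cluster."""
    t = parse_license_tables(text)
    out = {}
    for name in sorted(set(t["unit"]) | set(t["cluster"])):
        unit, cluster = t["unit"].get(name), t["cluster"].get(name)
        # Counts are combined across the pair, so a differing count is expected.
        both_counts = (unit or "").isdigit() and (cluster or "").isdigit()
        if unit != cluster and not both_counts:
            out[name] = (unit, cluster)
    return out

if __name__ == "__main__":
    for name, (unit, cluster) in license_mismatches(SHOW_VER).items():
        print(f"{name}: this unit={unit}, failover cluster={cluster}")
```

On the sample it reports AnyConnect for Mobile, AnyConnect for Cisco VPN Phone and Advanced Endpoint Assessment as Disabled on this unit but Enabled for the cluster, which means the two units do not hold the same licenses.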

 

Manwë Sulimo
Level 1

Hi everyone.

First of all, I don't know whether I'm in the right place to ask, but I have the exact same problem as in this post.

I'm trying to configure AnyConnect client base with an ASA 5555x in multiple context mode.

 

Here is some info about the platform and licenses:

I have 2 "AC-VPNO-25" installed on both 5555x

Here is the image version running on the ASA:

Cisco Adaptive Security Appliance Software Version 9.8(2)

 

The context show ver output is:



 

Licensed features for this platform:
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5555 VPN Premium license.


Failover cluster licensed features for this platform:
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 10             perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 50             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Cluster                           : Enabled        perpetual

I'm still getting the following errors:

<Anyconnect-GroupPolicy> User <xxx> IP <xxx> Session terminated, no AnyConnect Apex license available

It seems my VPN resource allocation works fine also:

---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary                                 
---------------------------------------------------------------------------
                                     Status : Installed :    Burst :  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :        25 :       15 :   NONE
Other VPN (Available by Default) :  ENABLED :         0 :        0 :   NONE
AnyConnect for Mobile            :  ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     :  ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   :  ENABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

I would greatly appreciate it if anyone can help me.

 

Thanks

 
