cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5382
Views
0
Helpful
28
Replies

Questions about ASA5505 Licensing

Hi,

I have been looking into the ASA 5505 Hardware-Bundles and I have learnt that there are the following:

- The Basic License, offering just 3 VLANs (the 3rd one restricted). It also offers just 2 SSL VPN AnyConnect Premium Licenses and 10 IPSec VPN (which comprises old Cisco VPN Client and EasyConnect), accounting both up to 10 VPNs.  There are 3 types of Bundles, whose part numbers are:

  ** ASA5505-BUN-K9   --> which is the basic Bundle, offering up to just 10 internal concurrent users

  ** ASA5505-50-BUN-K9  --> offering up to 50 internal concurrent users 

  ** ASA5505-UL-BUN-K9  --> offering unlimited internal concurrent users

- The Security Plus License, offering up to 20 VLANs and unlimited internal concurrent users (regarding the Hardware-Bundle edition). It also offers just 2 SSL VPN AnyConnect Premium Licenses and 25 IPSec VPN (which comprises old Cisco VPN Client and EasyConnect), accounting both up to 25 VPNs. There is just one type of Bundle, whose part number is:

   ** ASA5505-SEC-BUN-K9  --> offering unlimited internal concurrent users.

 If you have the basic ASA5505-BUN-K9 Basic License and you want to upgrade to Security Plus License, you would activate 2 licenses:

    + the Security Plus License --> ASA5505-SEC-PL=  (or the L-ASA5505-SEC-PL= if you want to receive it via email)

    + the Unlimited Users License --> ASA5505-SW-10-UL  (as if the Security Plus License is not Hardware-Bundle, it does not come with unlimited users)

and that's why it is much better to purchase the Security Plus License Hardware-Bundle right from the bat than upgrading later.

This is as much as I could get, but I still have a couple of questions that I would like you to help me solve:

QUESTION 1.- Is the above information right or is there anything wrong?

QUESTION 2.- I have heard there is an AnyConnect Essentials VPN License offering up to 25 AnyConnect Essential Licenses concurrently, and I would like to know what is the difference between those licenses and AnyConnect Premium VPN Licenses?  Will I be able to connect with an AnyConnect Essentials License through RDP?

QUESTION 3.- I have also heard there is another bundle called ASA5505-SSL10-K9 offering up to 10 SSL VPN AnyConnect Licenses, which has been deprecated just recently. Was Security Plus License with unlimited users included in this Hardware-Bundle?

QUESTION 4.- Alternatively, there is another license called ASA-SSL-10, which could be installed along with Security Plus License. Does it work the same way the the above Hardware-Bundle?

QUESTION 5.- When reaching the limit of internal concurrent users permited, how long would it take to refresh the counter since a user gets out of the internal network?

Kind Regards,

PEDRO

1 Accepted Solution

Accepted Solutions

You are right for anyConnect 4. The main difference to old licensing is that you have to count the users that needs AnyConnect installed. Not the users that use it simultaneously.

But the minimum user count is 25 users to my knowledge. But also for twenty-five users and five year subscription you typically pay less then for AnyConnect Essentials and AnyConnect Mobile together.

The order codes for that combination would be (you need both):

  • L-AC-PLS-5YR-G
  • AC-PLS-5YR-25-S

The arp timeout can be changed with the command ... (drum roll) "arp timeout"! ;-)

View solution in original post

28 Replies 28

> QUESTION 1

you are right with that.

QUESTION 2

With the essentials license you open up the ASA for AnyConnect up to the platform-limit, which is 25 concurrent connections, But today you would buy AnyConnect 4 Plus licenses for the amount of users that will use the VPN.

With Essentials/Plus you can basically only use client-based VPNs, but you can't use clientless VPNs that are possible with the Premium license. Any traffic that is IP unicast can be sent through the tunnel with AnyConnect, including RDP.

> QUESTION 3, 4

don't remember any more ... 

QUESTION 5

If I remember right, it was tied to the ARP timeout which is 4h by default.

 

Hi Karsten,

Thanks for your answer. As per QUESTION 2, I did not know about the new AnyConnect Licensing scheme:   http://www.petenetlive.com/KB/Article/0001013.htm

As I understand from that link, you should buy a Plus Licence (analogous to the Essential one), choosing the duration: Let's say:

L-AC-PLS-1YR-G for 1 year, or

L-AC-PLS-P-G for perpetual

and then you should buy the license for the amount of clients you have: AC-PLS-P-5-S for 5 of them.   Is that right?

As per QUESTION 5, do you know the command to change the ARP timeout on ASA?

Kind Regards,

PEDRO

You are right for anyConnect 4. The main difference to old licensing is that you have to count the users that needs AnyConnect installed. Not the users that use it simultaneously.

But the minimum user count is 25 users to my knowledge. But also for twenty-five users and five year subscription you typically pay less then for AnyConnect Essentials and AnyConnect Mobile together.

The order codes for that combination would be (you need both):

  • L-AC-PLS-5YR-G
  • AC-PLS-5YR-25-S

The arp timeout can be changed with the command ... (drum roll) "arp timeout"! ;-)

Hi Karsten,

Thanks very much for your help. It is much appreciated to clarify concepts.

Just a quick question: You say "The main difference to old licensing is that you have to count the users that needs AnyConnect installed. Not the users that use it simultaneously."

Do you know how it is done? I mean, you could download AnyConnect 4 attacking the ASA, and that way it is easy to count the different users using AnyConnect.  But you could also download AnyConnect 4 from the internet, so how does ASA keep track of the number of different users connected to it?

It's not the ASA that counts the users. You count them and Cisco trusts you that you buy the right amount of AnyConnect licenses. Probably Cisco will change that sometime in the future and add a technical control for that. But now, that's the way it works.

Hi Karsten,

I was thinking about 5 AnyConnect licenses, so 25 are more than enough for me.

Justa an extra question about licensing: Let's say I would like to upgrade from 10 to 50 users for the Base License. If I get the L-ASA5505-10-50 Upgrade License, I understand I will receive it via email, as all ASA licenses starting with capital L are to be received through email. And upon receipt, I will have to register that License on Cisco website in order to activate it. And finally I will introduce the code on the ASA via CLI or ASDM. Is that right?  

That's right. You'll receive a PAK. This PAK is used together with the serial number of the ASA to request the activation-key at www.cisco.com/go/license. The activation-key is then added to the ASA.

Hi Karsten,

And I assume the same procedure applies to the AnyConnect Plus Licenses for 5 years that you recommended me above:

L-AC-PLS-5YR-G   and  AC-PLS-5YR-25-S  

I mean, I will receive a PAK and I have to request the activation-key, as explained in this link, right?

http://www.petenetlive.com/KB/Article/0000531.htm

 

 

it's exactly as shown there.

Hi Karsten,

I assume both licenses will be forwarded by email, in spite of one starting by capital L but not the other one, right?   

L-AC-PLS-5YR-G   and  AC-PLS-5YR-25-S 

In fact, it's just one license. So yes, you'll get one mail with a link to activate the license.

Hi Karsten,

If it's just one license, which one should I apply for?

The order will include both items, but out of that order you get one license.

You mean that a will get a single PAK and with that I will have to follow the procedure of this link:  http://www.petenetlive.com/KB/Article/0000531.htm

Is that right?