Re: Should ASA include AnyConnect client software?

chris fricke · ‎06-06-2018

I'm trying to clarify the AnyConnect licensing requirements. I just purchased a ASA5515X with Firepower and Security Plus License. I understood it includes the license to run 2 AnyConnect Premium clients. Show ver confirms this. But it doesn't appear that the ASA came with the AnyConnect Windows Client software on the box. And without a contract I am unable to download the client software.

Is that normal?

After contacting Cisco they told me I am licensed for Anyconnect but cannot download the client without a contract. So if I can get my hands on the client software (Maybe I already have it on my PC), then I can legally use that. But I just can't download it from their website. I just find this hard to believe.

I also thought that a new ASA with Security Plus should have had one version of the client already on the flash. Is that not true?

Thanks for any feedback.

Steven Case, MBA-ITM · ‎06-06-2018

I had to reach back into my mind a bit, but if I recall correctly I've always had to download Anyconnect WebDeploy packages with a software contract. This has been the case for me with a few models of ASA-X series.

The Sec+ license is more of a HA feature-set than anything else. Active-active fun, NAT (which I always though was base), Double-NAT, and all of that. The AnyConnect client licenses, namely the WebDeploy and PreDeploy packages, require software licensing in order to download, and that's unfortunate. The device "comes with VPN", because Clientless SSL comes onboard.

I'm sure it's not what you want to hear, but you'll have to purchase 25 licenses of Anyconnect w/ Software (fairly inexpensive, depending on what features you need/want) in order to download the packages.

chris fricke · ‎06-06-2018

Thanks for the help.. I guess that clientless VPN does work without anything additional, I didn't realize that. I actually had a slightly older anyconnect package so I loaded it to the ASA and Anyconnect seems to work fine now. I'll remember I have to purchase AnyConnect licenses separately next time.

It doesn't really bother me that Cisco charges for these things, but it's very frustrating that I couldn't easily find that requirement before the purchase and contacted two partner/distributors and neither of them knew this either. I even contacted Cisco and they couldn't give me that straight answer. I've always been a Cisco fan, but it seems like their licensing is overly complex.

Steven Case, MBA-ITM · ‎06-07-2018

No doubt. Before replying I wanted to get the exact license features for Sec+, but couldn't find that data sheet on the page. If you want to know what IOS versions an AIR3802i uses, however, there are plenty of 40+ page white papers on that!

The licensing structure has gotten far too complicated. They have tried Cisco One (which I'm actively avoiding with all of my heart after a former employer received a $2million/year quote for that thing), and now "Smart licensing", which is said to be more user-friendly, but it isn't. Worse yet, no one can keep up with them, even their distributors and sales people (as you've experienced). I've had to become more adept at reading the white papers on every appliance I purchase now, which is something that takes far too much time but still necessary.

I do hope you have better luck deciphering this cacophony of information in the future. I'm a life-long member of the "Only Cisco Appliances for my Core" community, and I find this loyalty tested from time to time because of these very things.