Q. Can I buy a perpetual AnyConnect license? Can you tell me more about AnyConnect VPN Only and AnyConnect Plus Perpetual?
A. Yes. AnyConnect Plus is offered as a perpetual license in addition to the 1, 3 or 5 year terms.
Cisco also offers a perpetual VPN-only license. This provides the equivalent functionality of prior AnyConnect Premium plus Advanced Endpoint Assessment plus Mobile plus Phone VPN.
The VPN-only licenses are designed for VPN-only environments that have a large number of potential end users but very infrequent use (e.g., a university with 10,000 students but only 100 active users at any one time). With either the Plus Perpetual or VPN-only licenses, you must separately purchase support services or you will not be eligible to access software or tech support.
AnyConnect VPN Only is licensed based on a single headend device and simultaneous connections (not authorized users). For active/standby pairs, only the primary headend is required to have a VPN Only license. VPN Only licenses are an alternative to the AnyConnect Plus and Apex model. No other AnyConnect function or service (Web Security Module, ISE Posture, Network Visibility, ASA Multi-context VPN, etc.) is available with the AnyConnect VPN Only licenses. VPN Only licenses do support Clientless SSL VPN, third-party IPsec IKEv2, Suite B and VPN HostScan with an ASA. The VPN Only licenses cannot be transferred, rehosted, shared, combined, split, or directly upgraded to another VPN Only license size. These licenses do not coexist with Plus or Apex licensing or any retired AnyConnect licenses.
Both VPN Only and Plus Perpetual licenses require a SWSS contract on all head-ends in order to be eligible for SW access, updates, and technical support.
Q. Are there any additional limitations of the AnyConnect VPN-only licenses?
A. Yes. The AnyConnect VPN-only licenses are concurrent endpoint based vs total active user with AnyConnect Plus and Apex. The VPN-only licenses are applied per individual ASA and there is no sharing of licenses between ASAs, unlike AnyConnect Plus and Apex, which provide this capability. For active/standby pairs, only the primary headend is required to have a VPN Only license. The VPN-only licenses are not portable, which means that when a new ASA is purchased, additional licenses also need to be purchased. VPN-only licenses are not additive, meaning that you can’t start with a set number of licenses (e.g. 500 at time x) and then increase capacity over time (e.g. add 100 more at time x + y). Nor can they be bought to service burst capacity requirements. And as mentioned previously, VPN-only licenses require the purchase of support services, whereas support is built into the term contracts for AnyConnect Plus and Apex.
A. The AnyConnect Plus and Apex model is based on total authorized users that will make use of any AnyConnect service, not simultaneous connections (either on a per-ASA or shared basis) and not total active remote access users. As such, a user can connect with as many devices as he or she wants, as long as you have available hardware capacity and have not exceeded your purchased authorized user count. It is your responsibility to purchase additional authorized user licenses if your usage needs increase. If you currently support 30K simultaneous user connections but have 50K users who need AnyConnect services, you would be required to buy a 50K license. If you have 100K users who need AnyConnect services, you would be required to buy a 100K license. For unattended environments where there are not really individual users on the other side of a connection, each unattended device is considered a unique user.