amit babar

SSL vpn solution

Hi All,

Is there any new cost-effective SSL VPN solution @ Cisco for the 500-1000 user range (without Apex or Premium license)?

Cisco Employee



There is a VPN-Only License



AnyConnect Licensing Frequently Asked Questions (FAQ) - Cisco


  1. Q. Can I buy a perpetual AnyConnect license? Can you tell me more about AnyConnect VPN Only and AnyConnect Plus Perpetual?


    1. A. Yes.  AnyConnect Plus is offered as a perpetual license in addition to the 1, 3 or 5 year terms.

  Cisco also offers a perpetual VPN-only license.  This provides the equivalent functionality of prior AnyConnect Premium plus Advanced Endpoint Assessment plus Mobile plus Phone VPN.  

The VPN-only Licenses are designed for VPN only environments that have a large number of potential end users but very infrequent use (e.g. university with 10,000 students but with only 100 active users at any one time). With either the Plus Perpetual or VPN-only licenses, you must separately purchase support services or you will not be eligible to access software or tech support.  


AnyConnect VPN Only is licensed based on a single headend device and simultaneous connections (not authorized users). For active/standby pairs, only the primary headend is required to have a VPN Only license. VPN Only licenses are an alternative to the AnyConnect Plus and Apex model.  No other AnyConnect function or service (Web Security Module, ISE Posture, Network Visibility, ASA Multi-context VPN, etc) is available with the AnyConnect VPN Only licenses. VPN Only licenses do support Clientless SSL VPN, third party IPsec IKEv2, Suite B and VPN HostScan with an ASA. The VPN Only licenses cannot be transferred, rehosted, shared, combined, split, or directly upgraded to another VPN Only license size. These licenses do not coexist with Plus or Apex licensing or any retired AnyConnect licenses.


Both VPN Only and Plus Perpetual licenses require a SWSS contract on all head-ends in order to be eligible for SW access, updates, and technical support.



  1. Q. Are there any additional limitations of the AnyConnect VPN-only licenses?


    1. A. Yes.  The AnyConnect VPN-only licenses are concurrent endpoint based vs total active user with AnyConnect Plus and Apex.  The VPN-only licenses are applied per individual ASA and there is no sharing of licenses between ASAs, unlike AnyConnect Plus and Apex, which provide this capability. For active/standby pairs, only the primary headend is required to have a VPN Only license.  The VPN-only licenses are not portable, which means that when a new ASA is purchased additional licenses also need to be purchased. VPN-only licenses are not additive, meaning that you can’t start with a set number of licenses (e.g. 500 at time x) and then increase capacity over time (e.g. add 100 more at time x + y). Nor can they be bought to service burst capacity requirements.  And as mentioned previously, VPN-only licenses require the purchasing of support services whereas support is built into the term contracts for AnyConnect Plus and Apex.

    1. A. The AnyConnect Plus and Apex model is based on total authorized users that will make use of any AnyConnect service, not simultaneous connections (either on a per-ASA or shared basis) and not total active remote access users. As such, a user can connect with as many devices as he / she wants as long as you have available hardware capacity and have not exceeded your purchased authorized user count. It is your responsibility to purchase additional authorized user licenses if their usage needs increase. If you currently support 30K simultaneous user connections but have 50K users who need AnyConnect services, you would be required to buy a 50K license. If you have 100K users who need AnyConnect services, you would be required to buy a 100K license. For unattended environments where there are not really individual users on the other side of a connection, each unattended device is considered a unique user.