03-17-2020 02:38 AM
Hello,
I have two FTDs in high availability and they are using smart licenses.
I have VPN Anyconnect Plus licenses.
I would like to ask if these devices are per user or per device?
Thanks and regards,
Konstantinos
03-17-2020 05:15 AM
If you have AnyConnect Plus, it is always per user. Only the "AnyConnect VPN-Only" license works per device.
03-17-2020 09:23 AM
There is an FMC dashboard widget that will show the connected users.
You can also list them by using the CLI command (on the Firepower device itself) "show vpn sessiondb anyconnect | include user".
03-24-2020 06:02 AM
The current AnyConnect 4.x licensing system (whether using ASA with PAK-based licenses or ASAv and FTD with Smart Licenses) allows the maximum number of AnyConnect connections that the platform supports.
That's because the licenses are per unique user - not per connected device / session - and the system doesn't currently (as of 6.5) have the instrumentation to track the number of unique users. So you are on the "honor system" to be compliant with the terms of your license purchase.
03-24-2020 07:28 AM
@kostasthedelegate if your platform limit is 1500 (as it is on the Firepower 2110 appliance) and you have 1500 concurrent connections (whether or not each connection is associated with a unique user), the 1501st connection attempt will fail - no matter what user is making the attempt. It doesn't matter how many licenses you have purchased - that's a fixed limit for the hardware.
However, the numbers are more about compliance with the terms of your license than they are about the hardware in most use cases. For instance, you could have 500 user licenses and 1500 connections (each user connecting with three unique devices, each being a unique session) and you would be compliant. But 501 unique users with one connection each would be non-compliant (although your appliance wouldn't block 501-1500 from connecting as long as the total number of concurrent sessions doesn't exceed the platform limit).
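The distinction drawn in this thread between concurrent sessions (the hardware limit) and unique users (the license terms) can be checked from saved output of the CLI command mentioned above. This is an added example, not part of any post in the thread; the `Username : ... Index : ...` line shape, the constructed sample lines, the function name and the case-folding of usernames are assumptions.

```python
import re
from collections import Counter

# Assumed shape of each matching line in the saved CLI output:
#   "Username     : alice                  Index        : 101"
USERNAME_RE = re.compile(r"^\s*Username\s*:\s*(\S+)", re.IGNORECASE)


def audit_sessions(cli_output, licensed_users, platform_limit):
    """Summarise one snapshot of AnyConnect sessions.

    Sessions count against the platform limit; unique users count
    against the purchased per-user licenses.
    """
    per_user = Counter()
    for line in cli_output.splitlines():
        match = USERNAME_RE.match(line)
        if match:
            # Assumption: usernames are case-insensitive, so fold case
            # to avoid counting "Alice" and "alice" as two users.
            per_user[match.group(1).lower()] += 1

    total_sessions = sum(per_user.values())
    unique_users = len(per_user)
    return {
        "sessions": total_sessions,
        "unique_users": unique_users,
        "license_compliant": unique_users <= licensed_users,
        "platform_headroom": platform_limit - total_sessions,
        "multi_session_users": sorted(u for u, n in per_user.items() if n > 1),
    }


# Constructed sample output: three users, one connected from three devices.
SAMPLE = """\
Username     : alice                  Index        : 101
Username     : bob                    Index        : 102
Username     : Alice                  Index        : 103
Username     : carol                  Index        : 104
Username     : alice                  Index        : 105
"""

if __name__ == "__main__":
    # 1500 is the platform limit quoted in the thread for the Firepower 2110.
    print(audit_sessions(SAMPLE, licensed_users=2, platform_limit=1500))
```

A single snapshot only covers users connected at that moment, so it is a lower bound on the unique-user count.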