Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
15
Helpful
15
Replies

VPN Licences

kostasthedelegate
Level 4
Level 4

‎03-17-2020 02:38 AM

Hello, 

 

I have two FTDs in high availability and they are using smart licenses.

I have VPN Anyconnect Plus licenses

I would like to ask if these devices are per user or per device?

 

Thanks and regards, 

Konstantinos

Labels:
0 Helpful
15 Replies 15

Karsten Iwen
VIP
VIP

‎03-17-2020 05:15 AM

If you have AnyConnect Plus, it is always per user. Only the "AnyConenct VPN-Only" license works per device.

0 Helpful

kostasthedelegate
Level 4
Level 4
In response to Karsten Iwen

‎03-17-2020 05:18 AM

Hello Karsten,

Thank you for your answer. It helps.
I was wondering if you have a reference for that.
Regards,
Konstantinos
0 Helpful

kostasthedelegate
Level 4
Level 4
In response to Karsten Iwen

‎03-17-2020 06:23 AM

The link does not open, but I found this
"Cisco AnyConnect Apex and Plus licensing eliminates the need to purchase per headend simultaneous connections licenses and dedicated license servers"
Doesn't that mean that the license is per device?
0 Helpful

Karsten Iwen
VIP
VIP
In response to kostasthedelegate

‎03-17-2020 07:23 AM

no, it says that it is not per device. It’s just that „device“ is named „headend“ in the documentation.
0 Helpful

kostasthedelegate
Level 4
Level 4
In response to Karsten Iwen

‎03-17-2020 07:52 AM

Ok it is clear now!

In the FMC though it only shows two licenses consumed(as the devices)
Is there a way to see how the licenses are consumed?
Regards,
Konstantinos
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kostasthedelegate

‎03-17-2020 09:23 AM

There is an FMC dashboard widget that will show the connected users.

You can also see a list them by using the cli command (on the Firepower device itself) "show vpn sessiondb anyconnect | include user".

0 Helpful

Karsten Iwen
VIP
VIP
In response to kostasthedelegate

‎03-17-2020 11:06 AM

The FMC shows how many managed devices have assigned this license. But this license count is practically unlimited.

The most relevant information is not visible on the device or in FMC: For how many users the license is bought. For that you have to look into Smart licensing.
0 Helpful

kostasthedelegate
Level 4
Level 4

‎03-24-2020 05:15 AM

Hello again,

I have this scenario
I have 100 licenses AnyConnect plus on the FTD.
Today more than 100 users were able to connect successfully.
I would like to ask again if there is a way to see how many licenses I use or how they are mapped to users.
I mean has the customer has to buy more Licenses or the two device licenses are enough?

Regards,
Konstantinos
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kostasthedelegate

‎03-24-2020 06:02 AM

The current AnyConnect 4.x licensing system (whether using ASA with PAK-based licenses or ASAv and FTD with Smart Licenses) allows the maximum number of AnyConnect connection that the platform supports.

That's because the license are per unique users - not per connected device / session - and the system doesn't currently (as of 6.5) have the instrumentation to track the number of unique users. So you are on the "honor system" to be compliant with the terms of your license purchase.

0 Helpful

kostasthedelegate
Level 4
Level 4
In response to Marvin Rhoads

‎03-24-2020 06:15 AM

Ok
So I need to purchase more licenses

To get this straight.
I have FTD 2110 which supports 1500 VPN connections.
So if I want 1500 different users to connect I should buy 1500 Anyconnect Plus licenses.
In addition if I connect with the same username from another device, it will allow me, even if I have all the licenses consumed and the limit of the device is not reached.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to kostasthedelegate

‎03-24-2020 07:28 AM

@kostasthedelegate if you platform limit is 1500 (as it is on the Firepower 2110 appliance) and you have 1500 concurrent connections (whether or not each connection is associated with a unique user) the 1501st connection attempt will fail - no matter what user is making the attempt. It doesn't matter how many licenses you have purchased - that's a fixed limit for the hardware.

However the number are more about compliance with the terms of your license than they are about the hardware in most use cases. For instance, you could have 500 user licenses and 1500 connections (each user connecting with three unique devices, each being a unique session) and you would be compliant. But 501 unique users with one connection each would be non-compliant (although your appliance wouldn't block 501-1500 from connecting as long as the total number of concurrent sessions doesn't exceed the platform limit).

kostasthedelegate
Level 4
Level 4
In response to Marvin Rhoads

‎03-24-2020 07:50 AM

So I cannot track how the VPN licenses are consumed in the system right?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents