Understanding Cisco ASA AnyConnect Licensing

This post will try to help understand the differences between anyconnect premium and anyconnect essentials licenses.

Note: You cannot have both Essentials and Premium running at once.
Note: Cisco ASA 8.3+ no longer requires both the Active and Standby unit to each have a license. The active license is shared between the failover units. This should not be confused with the ‘shared premium license’.



Source of this image: Cisco’s Partner Education center – ASA Licensing Webex.

To enable AnyConnect essentials:

Purchase the license (L-ASA-AC-E-55xx= it costs $100-$500).
Apply the license to the ASA using the ‘activation-key’ command. This does not require a reboot.
Apply the config:
webvpn
 anyconnect-essentials
Now your firewall will be licensed to have up to however many connections that are on the “Total VPN Connections”. For instance if your show version says this:
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Enabled        perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
You will now be licensed to accommodate 250 anyconnect connections.

To enable AnyConnect Premium

Buy the license. You must purchase a license for a specific number of users (L-ASA-SSL-10= costs around $800).
Apply the license to the ASA using the ‘activation-key’ command. This does not require a reboot.
Configure the ASA:
webvnp
  no anyconnect-essentials
If you’ve already licensed this ASA for Essentials in the past then it will still show as an enabled license.
Once this is complete your ASA will be licensed to accept however many Anyconnect connections as you have Premium Licenses for. So if your ‘show version’ looks like this:
AnyConnect Premium Peers          : 10             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Then your ASA can have 10 Anyconnect users at once.
Note: The name “Anyconnect Premium” has changed a lot in different versions. Here are the different naming schemes.
7.1(1) known as “ssl vpn”
8.2(1) name changed to “anyconnect premium ssl vpn edition”
8.3(1) name changed to “anyconnect premium ssl vpn”
8.4(1) name changed to “anyconnect premium”

AnyConnect for Mobile

This license allows AnyConnect connections from mobile devices. There is current support for iPhone, iPad, Android IceCream Sandwich, rooted Androids and Samsung Galaxy’s.
The mobile license is on or off and not tied to a number of users. It costs between $100-$500.
This license is applied by simply using the ‘activation-key’ command. A reboot is not needed. There is no further configuration needed after that.

Advanced Endpoint Assessment

Advanced Endpoint Assessment includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant computers to meet version requirements.
This license is applied by simply using the ‘activation-key’ command. A reboot is not needed.

Shared Premium License

New to ASA 8.3+ code is the ability to share licensing. This is only for Anyconnect Premium. It allows for one ASA to have a shared license which other ASAs can use.
This configuration requires two extra licenses. A license is needed for the shared server which indicates how many shared licenses there are and there also is a need for any participating ASAs.
After buying a shared participant license and applying it with the ‘activation-key’ command, configure it with a command similar to this:
license-server address 10.15.0.15 secret SeKreTkey
The ‘show version’ on the participant ASA will show this:
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Enabled        perpetual

Now buy the shared premium license for the server for the amount of users you wish to have.
Apply the license using the ‘activation-key’ command. Then apply the following config:
license-server secret SeKreTkey
license-server enable inside
The ‘show version’ at this point looks like this:
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
Shared License                    : Enabled        perpetual
Also you can see the ‘show shared license‘ output:
Shared license utilization:
  AnyConnect Premium:
    Total for network :     5000
    Available         :     4900
    Utilized          :      100
  This device:
    Platform limit    :     5000
    Current usage     :       50
    High usage        :      100
  Messages Tx/Rx/Error:
    Registration    : 441798 / 441789 / 9
    Get             : 28 / 28 / 0
    Release         : 27 / 27 / 0
    Transfer        : 0 / 0 / 0

  Client ID           Usage   Hostname
  JMX1111             50      vpn-asa-01
 
found at: 
http://tunnelsup.com/tup/2012/08/08/understanding-cisco-asa-anyconnect-licensing/

Comments

Post a Comment

Popular posts from this blog

How to clean DB from old logs in Magento 1.x

How to clean DB from old logs in Magento 1.x Using MySQL truncate log_customer ; truncate log_quote ; truncate log_summary ; truncate log_summary_type ; truncate log_url ; truncate log_url_info ; truncate log_visitor ; truncate log_visitor_info ; truncate log_visitor_online ;     login to shell(SSH)  go with root/shell folder. execute the below command inside the shell folder   php - f log . php clean   enter this command to view the log data's size php -f log.php status This method will help you to clean the log data's very easy way.  
Read more

Reduce (shrink) and resize raw disk at Proxmox

 Reduce (shrink) and resize raw disk at Proxmox 1. Check the status of raw disk:   #e2fsck -fy /hdd-img/images/111/vm-111-disk-1.raw e2fsck 1.46.5 (30-Dec-2021) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /hdd-img/images/111/vm-111-disk-1.raw: 135279/327680000 files (1.8% non-contiguous), 857599886/1310720000 blocks  2. At first, check raw disk size:   #qemu-img info /hdd-img/images/111/vm-111-disk-1.raw image: /hdd-img/images/111/vm-111-disk-1.raw file format: raw virtual size: 4.88 TiB (5368709120000 bytes) disk size: 3.59 TiB  3. Resize filesystem: -M - will resize to the minimum size based on saved files -p - will display progress bar #resize2fs -M -p /hdd-img/images/111/vm-111-disk-1.raw resize2fs 1.46.5 (30-Dec-2021) Resizing the filesystem on /hdd-img/images/111/vm-111-disk-1.raw to 852166716 (4k) blocks. Begin pass 2 (max = 196
Read more

Apache 2.4 + mod_wsgi + Python 3.7 + Django installation on Centos 7.10

How to Apache 2.4 + mod_wsgi + Python 3.7 + Django installation   Httpd 2.4 1. Install  httpd yum install httpd   2. Install  httpd-devel yum install httpd-devel  Python 3.7 on Centos 7.10 1. Download the newest python cd /opt/ wget -dvS --no-check-certificate https://www.python.org/ftp/python/3.7.0/Python-3.7.0.tgz 2. Unpack and install tar xzf Python-3.7.0.tgz cd /opt/Python-3.7.0/ ./configure --prefix=/usr/local --enable-shared --with-threads --enable-optimizations make altinstall   to test if works: python3.7 -V mod_wsgi 0. (optional) uninstall current mod_wsgi yum erase mod_wsgi 1. Download the newest mod_wsgi and install cd /opt/ wget https://files.pythonhosted.org/packages/9e/37/dd336068ece37c43957aa337f25c59a9a6afa98086e5507908a2d21ab807/mod_wsgi-4.6.4.tar.gz tar xzf mod_wsgi-4.6.4.tar.gz cd mod_wsgi-4.6.4.tar.gz  ./configure --with-python=/usr/local/bin/python3.7 LD_RUN_PATH=/usr/local/lib make make install 2. Add p
Read more