ANY CONNECT PART -16

Cisco AnyConnect - Essentials / Premium Licenses. Explained

KB ID 0000628 Dtd 09/07/12

Problem

Note: With Anyconnect 4 Cisco now use Plus and Apex AnyConnect licensing.
When Cisco released the 8.2 version of the ASA code, they changed their licensing model for AnyConnect Licenses. There are two licensing models, Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.
ASA Premium Licence
You get two of these free with your firewall*, with a 'Premium License' you can use the AnyConnect client software for remote VPN Access, and you can access Clientless SSLfacilities via the web portal.
*As pointed out by @nhomsany "The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).
Additionally you can use this license' model with the Advanced Endpoint Assessment License', this is the license' you require for Cisco Secure Desktop. You can also use this license' with the AnyConnect Mobile license' for access from mobile devices like phones or tablets, (both these licenses are an additional purchase).
For most people wishing to buy extra AnyConnect licensing, this will be the one you want. Their type and size differ depending on the ASA platform in question, e.g. the 5505 premium licenses. are available as 10 session and 25 session licenses. the 5510 are in 10, 25, 50, 100 and 250 Sessions. (Note: These are correct for version 8.4 and are subject to change, check with your re seller).
Failover: If you are using failover firewalls you can (but don't have to) use a shared license' model, this lets you purchase a bundle of Premium licenses. and share them across multiple pieces of hardware, This requires an ASA to be setup as the license' server'. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses. to be replicated between firewalls in a failover pair. The exception is Active/Active where the amount of licenses. is aggregated together from both firewalls and ALL are available providing the figure does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

ASA Essentials Licence
When you enable 'Essential Licensing', your firewall changes it's licensing model and the two Premium licenses. you get with it are disabled*. The Firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.
Note: The portal still exists, but can only be used to download the AnyConnect Client Software.
With Essentials licensing enabled, the firewall will then accept the maximum VPN sessions it can support for that hardware version (see here), without the need to keep adding licenses.
Note: Remember these are "Peer VPN Sessions". If you have a bunch of other VPN's (includingIPSEC ones), then these are taken from the 'pot'.
Additionally, you can also use this license' with the AnyConnect Mobile license' for access from mobile devices like phones or tablets, this license' is an additional purchase.
Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses you need to purchase an Essentials license' for BOTH firewalls. After version 8.3 Cisco allowed the licenses. to be replicated between firewalls in a failover pair.
Cisco ASA Maximum VPN Peers / Sessions
5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000
Next Generation Platform (X)
5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000
*To re-enable the built in Premium Licenses. you need to disable Essentials licensing by using the 'no anyconnect-essentials" command or in the ASDM> Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

No comments:

Post a Comment