[c-nsp] ASA VPN/AnyConnect Licensing

Ulrik Ivers ulrik.ivers at excanto.se
Wed Jun 15 03:10:38 EDT 2016

Hi Jan,

Yes, you can use the license on as many ASA devices as you'd like, hence the "99999".

The license actually opens up the ASA to the maximum number of VPN sessions that the box can support. BUT, you are only legally allowed to have as many users that have the ability to use VPN as the number of user-based licenses you have purchased.

So, there is a difference on what number of users that HAVE THE RIGHT to use VPN, and the number of users that technically can connect. As far as I know there is no license enforcement today, it's honor based. Who knows what will happen in future SW upgrades and versions of AnyConnect...

I actually had a case with Cisco pre-sale support regarding this last year. Here's a quote from that conversation:

<-- quote -->
I can indeed confirm that there is no license key that has to be installed in the client, we continue to use our previous ASA internal licensing/activation keys with the new licensing.

So we are continuing to enforce using ASA activation keys on ASAs.

As the licensing is user based and the current ASA activation keys session based, we cannot really enforce it on a per user on the ASA equipment today.

In practice what we do is that after receiving a PAK following an order you can use the licensing portal to register an ASA and will receive an activation key for that ASA. And this will activate all VPN features for that ASA and for the maximum platform capacity of the ASA itself.

So in a way the licensing we have right now is half enforced (using activation keys to activate VPN on ASA) and half paper model (as we have no way to enforce this on a per user basis).

"And another follow up question - since the licenses are user-based (in contrast to AnyConnect 3.0) I assume that the same license can be activated/installed on several ASA appliances at the same time? So that it doesn't matter which ASA (e.g. HQ or branch) the user connects to?"

This is correct and this is a benefit of the new licensing, you can use the same PAK to generate licenses/activation keys for multiple ASA.

To finish with, I am copying a Q&A found on our BU internal web site on the same topics:
"How do the new licenses work with the ASA?
a. A customer will receive a multi-use product activation key per Plus or Apex license purchased. This multi-use product activation key gets activated on each ASA at www.cisco.com/go/license. After activating the key, the ASA is unlocked for its maximum hardware capacity. Complying with the unique/authorized user counts and term limits are honor system and are not physically enforced by the ASA or AnyConnect. If a customer purchases more than one Apex license or a Plus and Apex license, we ask that they register each PAK to each ASA, although doing so does not change the resulting license key generated for the ASA."
<-- end quote -->


-----Original Message-----
From: Jan Gregor [mailto:jan.gregor at chronix.org] 
Sent: den 15 juni 2016 00:47
To: Ulrik Ivers <ulrik.ivers at excanto.se>
Cc: Josh Baird <joshbaird at gmail.com>; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA VPN/AnyConnect Licensing

Hello Ulrik,

this has puzzled me for some time. When you purchase the license, you can activate it on 99999 devices, as that is how many licenses you get.
Do you know if/how Cisco even enforces the limit across the board?

Best regards,


On 06/14/2016 11:32 AM, Ulrik Ivers wrote:
> If you go with the new PER USER licenses you buy the number of licenses that equals the total number of users in the organization that will use VPN (not concurrent users). These are not bound to a specific HW, they are bound to the company/organization. This means that it doesn't matter how many users that actually connect to each office ASA, you only have to keep track of the total number of VPN users in the organization.
> Regards,
> /Ulrik
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
> Of Josh Baird
> Sent: den 13 juni 2016 21:57
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA VPN/AnyConnect Licensing
> Hi all,
> I'm considering using the ASA5506W-A-K9 for a few small office locations, but I'm a bit confused on the licensing model for AnyConnect.  These devices will need to handle client VPN (AnyConnect) termination for 1-5 users max.
> Do these devices include licensing for a minimal number of AnyConnect clients (<25)?  The AnyConnect ordering guide [1] shows SKUs for AnyConnect Plus/Apex/VPN-Only licenses, but the smallest license looks like it is for 25-50 users.  This is overkill for my particular application because I only need AnyConnect Plus (or VPN-Only) for 1-5 users.
> [1] 
> http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf
> Thanks,
> Josh
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
