[c-nsp] Cisco anyconnect license question

Ulrik Ivers ulrik.ivers at excanto.se
Tue Oct 10 09:40:09 EDT 2017


Hi,

The license actually opens the ASA up to the maximum number of VPN sessions that the box can support. BUT, you are only legally allowed to have as many users with the ability to use VPN as the number of user-based licenses you have purchased.

So, there is a difference between the number of users that HAVE THE RIGHT to use VPN and the number of users that technically can connect. As far as I know there is no license enforcement today; it's honor based. Who knows what will happen in future SW upgrades and versions of AnyConnect...

I actually had a case with Cisco pre-sale support regarding this a couple years ago. Here's a quote from that conversation:

<-- quote -->
I can indeed confirm that there is no license key that has to be installed in the client, we continue to use our previous ASA internal licensing/activation keys with the new licensing.

So we are continuing to enforce using ASA activation keys on ASAs.

As the licensing is user based and the current ASA activation keys session based, we cannot really enforce it on a per user basis on the ASA equipment today.

In practice what we do is that after receiving a PAK following an order you can use the licensing portal to register an ASA and will receive an activation key for that ASA. And this will activate all VPN features for that ASA and for the maximum platform capacity of the ASA itself.

So in a way the licensing we have right now is half enforced (using activation keys to activate VPN on ASA) and half paper model (as we have no way to enforce this on a per user basis).
<-- end quote -->

Regards
/Ulrik

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Satish Patel
Sent: den 9 oktober 2017 15:45
To: dave at brockmans.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco anyconnect license question

So I can use any number of users with a 25-user license? Why is Cisco doing this, and what is the point of buying a bigger license?

Sent from my iPhone

> On Oct 8, 2017, at 7:08 AM, dave at brockmans.com wrote:
> 
> The Activation keys appear to modify the concurrent user # based on 
> platform.  When I order 25 users for a 5506, I get 25 users activated.
> When I order 25 users on a 5512, I get 250 anyconnect users.  Larger 
> units get even more.  I'm not sure if there is a clip at 25 
> concurrent, but I don't think there is.
> 
> Regards,
> 
> dtb
> 
>> On 2017-10-07 15:23, Satish Patel wrote:
>> Folks,
>> We have L-AC-PLS-LIC= license for 25 users for 3 month
>> subscription, which I have activated, but in show activation-key
>> output I am not seeing anywhere 25 users quantity, it's showing 5000
>> (we have ASA5585X)
>> AnyConnect Premium Peers          : 5000           perpetual
>> AnyConnect Essentials             : Disabled       perpetual
>> You can see in following full output.
>> Licensed features for this platform:
>> Maximum Physical Interfaces       : Unlimited      perpetual
>> Maximum VLANs                     : 1024           perpetual
>> Inside Hosts                      : Unlimited      perpetual
>> Failover                          : Active/Active  perpetual
>> Encryption-DES                    : Enabled        perpetual
>> Encryption-3DES-AES               : Enabled        perpetual
>> Security Contexts                 : 2              perpetual
>> Carrier                           : Disabled       perpetual
>> AnyConnect Premium Peers          : 5000           perpetual
>> AnyConnect Essentials             : Disabled       perpetual
>> Other VPN Peers                   : 5000           perpetual
>> Total VPN Peers                   : 5000           perpetual
>> AnyConnect for Mobile             : Enabled        perpetual
>> AnyConnect for Cisco VPN Phone    : Enabled        perpetual
>> Advanced Endpoint Assessment      : Enabled        perpetual
>> Shared License                    : Disabled       perpetual
>> Total TLS Proxy Sessions          : 2              perpetual
>> Botnet Traffic Filter             : Disabled       perpetual
>> 10GE I/O                          : Enabled        perpetual
>> Cluster                           : Disabled       perpetual
>> This platform has an ASA5585-SSP-10 VPN Premium license.
>> Failover cluster licensed features for this platform:
>> Maximum Physical Interfaces       : Unlimited      perpetual
>> Maximum VLANs                     : 1024           perpetual
>> Inside Hosts                      : Unlimited      perpetual
>> Failover                          : Active/Active  perpetual
>> Encryption-DES                    : Enabled        perpetual
>> Encryption-3DES-AES               : Enabled        perpetual
>> Security Contexts                 : 4              perpetual
>> Carrier                           : Disabled       perpetual
>> AnyConnect Premium Peers          : 5000           perpetual
>> AnyConnect Essentials             : Disabled       perpetual
>> Other VPN Peers                   : 5000           perpetual
>> Total VPN Peers                   : 5000           perpetual
>> AnyConnect for Mobile             : Enabled        perpetual
>> AnyConnect for Cisco VPN Phone    : Enabled        perpetual
>> Advanced Endpoint Assessment      : Enabled        perpetual
>> Shared License                    : Disabled       perpetual
>> Total TLS Proxy Sessions          : 4              perpetual
>> Botnet Traffic Filter             : Disabled       perpetual
>> 10GE I/O                          : Enabled        perpetual
>> Cluster                           : Disabled       perpetual
>> This platform has an ASA5585-SSP-10 VPN Premium license.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 