OH ASAs and their complicated licensing...
Deployed a 5515X in a pretty simple setup a while back. Set up remote-access for AnyConnect and webvpn for remote admin or 2-4 users as we migrate them to our primary VPN solution. I see now only two users at a time can connect. I disconnect either of the two and someone else can get in.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5525 VPN Premium license.
I am running the premium license and I was under the assumption I had 750 total VPNs including AnyConnect and Web, but I see I only have two "premium" AnyConnect peers.
What am I missing?
750 VPNs with other devices, you betcha. Just only 2 with AnyConnect.
You are missing, therefore, additional AnyConnect license bundles. You may want to get a 5-pack for this exercise.
Good thing for you, I'm a CCLIE: Cisco Certified Licensing Information Engineer. 8)
Argh that sucks. Oh well it will force us to get them off this ASA for VPN quicker.
Thanks!
I know a lot of SMBs who stick with the old Cisco IPSEC client for this very reason. You can run 750 of those... lol
I don't know how it runs with Win8 but defo still works fine with Win7 (including x64)
Ah good idea! There are a handful of clients connecting up to this ASA which replaced a 3000 concentrator so they have an old client. Didn't know the newer ASAs would support such an old client.
Might give that a go if I'm in a pinch!
Just a tiny sliver of doubt, I can't actually recall running the old IPSEC client with X series, just 5520/5510/5505 etc., but I'm fairly sure they haven't deprecated it in the 9.x train; if you use the same old school syntax it should still work. ****deanwebb are you there??? lol***
Last time I checked, the SSL licenses weren't too expensive. I think my previous project paid a couple hundred euros for 750 users
Quote from: wintermute000 on March 30, 2015, 03:39:53 AM
Just a tiny sliver of doubt, I can't actually recall running the old IPSEC client with X series, just 5520/5510/5505 etc., but I'm fairly sure they haven't deprecated it in the 9.x train; if you use the same old school syntax it should still work. ****deanwebb are you there??? lol***
Haven't seen it done myself, but it would be pretty wizzo if it did work.
Quote from: deanwebb on March 30, 2015, 08:12:48 AM
wizzo
I hereby nominate this as the word of the week!
This is the very reason why I order an AnyConnect Essentials license with every ASA I purchase. It's only $150 list on a 5515 for 250 clients to connect...
The webvpn premium license is a completely different matter though, very expensive!
It's worth noting that AnyConnect Essentials and Premium are the old licenses, going forward (> 3.x) you'll need the new licenses - Apex and Plus.
Quote from: javentre on April 03, 2015, 01:40:14 PM
It's worth noting that AnyConnect Essentials and Premium are the old licenses, going forward (> 3.x) you'll need the new licenses - Apex and Plus.
This is the first time I've heard of this new model, will look into that, thanks for posting!
Yeah, the ASA license mess is pissing me off. The ASA itself is not doing much better. Maybe I just haven't rolled over and accepted it for what it is, but I'm starting to think they are a steaming pile o'shit.
Right now we are evaluating multiple options for WAN edge and remote access and ASA is still in the mix, but I'm really starting to lean towards a Palo Alto firewall with F5 controlling remote access and application publishing.
What are your thoughts?
http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf
From here, it looks like the APEX licensing is for AnyConnect 4.0 integration with Cisco ISE.
This is the first I've heard of this APEX thing also. Need more research.
We're still between ASA+SourceFire and Palo Alto for our choice.
Quote from: deanwebb on April 06, 2015, 08:22:08 AM
We're still between ASA+SourceFire and Palo Alto for our choice.
Everything I hear and everyone I talk to says Palo Alto is a much better firewall and security device but Cisco is still the best option for end user remote access VPN.
Quote from: that1guy15 on April 06, 2015, 08:30:03 AM
Quote from: deanwebb on April 06, 2015, 08:22:08 AM
We're still between ASA+SourceFire and Palo Alto for our choice.
Everything I hear and everyone I talk to says Palo Alto is a much better firewall and security device but Cisco is still the best option for end user remote access VPN.
Juniper is better for remote access in my opinion. The ASA isn't bad at all but Juniper has the edge especially on the SSL clientless side of things.
I evaluated a Palo Alto, good boxes, but the lack of partners and support concerned me over here in the UK, perhaps it's different in the US? I've just ordered some ASAs with SourceFire IPS + AVC, looking forward to sticking those in!
There's a pretty cool demo of FireSight on dcloud you can have a play with :)