ASA AnyConnect Total Users

Started by that1guy15, March 27, 2015, 09:27:43 AM

that1guy15

OH ASAs and their complicated licensing...

Deployed a 5515X in a pretty simple setup a while back. Set up remote access for AnyConnect and webvpn for remote admin or 2-4 users as we migrate them to our primary VPN solution. I see now only two users at a time can connect. I disconnect either of the two and someone else can get in.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.


I am running the premium license and I was under the assumption I had 750 total VPNs, including AnyConnect and Web, but I see I only have two "premium" AnyConnect peers.

What am I missing?
That1guy15
@that1guy_15
blog.movingonesandzeros.net

deanwebb

750 VPNs with other devices, you betcha. Just only 2 with AnyConnect.

You are missing, therefore, additional AnyConnect license bundles. You may want to get a 5-pack for this exercise.

Good thing for you, I'm a CCLIE: Cisco Certified Licensing Information Engineer. 8)
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

that1guy15

Argh that sucks. Oh well it will force us to get them off this ASA for VPN quicker.

Thanks!

wintermute000

I know a lot of SMBs who stick with the old Cisco IPSEC client for this very reason. You can run 750 of those... lol
I don't know how it runs with Win8 but defo still works fine with Win7 (including x64)

that1guy15

Ah good idea! There are a handful of clients connecting up to this ASA which replaced a 3000 concentrator so they have an old client. Didn't know the newer ASAs would support such an old client.

Might give that a go if I'm in a pinch!

wintermute000

Just a tiny sliver of doubt, I can't actually recall running the old IPSEC client with X series, just 5520/5510/5505 etc., but I'm fairly sure they haven't deprecated it in 9.x train; if you use the same old school syntax it should still work. ****deanwebb are you there??? lol***

SimonV

Last time I checked, the SSL licenses weren't too expensive. I think my previous project paid a couple hundred euros for 750 users.

deanwebb

Quote from: wintermute000 on March 30, 2015, 03:39:53 AM
Just a tiny sliver of doubt, I can't actually recall running the old IPSEC client with X series, just 5520/5510/5505 etc., but I'm fairly sure they haven't deprecated it in 9.x train; if you use the same old school syntax it should still work. ****deanwebb are you there??? lol***
Haven't seen it done myself, but it would be pretty wizzo if it did work.

routerdork

"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

DanC

This is the very reason why I order an AnyConnect Essentials license with every ASA I purchase. It's only $150 list on a 5515 for 250 clients to connect...

The webvpn premium license is a completely different matter though, very expensive!

javentre

It's worth noting that AnyConnect Essentials and Premium are the old licenses; going forward (> 3.x) you'll need the new licenses - Apex and Plus.
http://networking.ventrefamily.com

DanC

Quote from: javentre on April 03, 2015, 01:40:14 PM
It's worth noting that AnyConnect Essentials and Premium are the old licenses; going forward (> 3.x) you'll need the new licenses - Apex and Plus.

This is the first time I've heard of this new model, will look into that, thanks for posting!

that1guy15

Yeah the ASA license mess is pissing me off. The ASA itself is not doing much better. Maybe I just haven't rolled over and accepted it for what it is but I'm starting to think they are a steaming pile o'shit.

Right now we are evaluating multiple options for WAN edge and remote access and ASA is still in the mix, but I'm really starting to lean towards a Palo Alto firewall with F5 controlling remote access and application publishing.

What are your thoughts?

icecream-guy

http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf

From here, it looks like the APEX licensing is for AnyConnect 4.0 integration with Cisco ISE.

This is the first I've heard of this APEX thing also. Need more research.
:professorcat:

My Moral Fibers have been cut.

deanwebb

We're still between ASA+SourceFire and Palo Alto for our choice.