ASA 5505 SSL VPN license update

Hi all.

Our ASA 5505 with DATABASE default license allowing only 10 simultaneous vpn sessions (including 2 Anyconnect + IPsec). attached a TXT file with the license information. This Firewall is's use only for vpn access, and we less vpn tunnel vpn IPSec-L2L, anyconnect client SSL and IPSec client access configurations vpn to the top and race walk,.

We are in terms of upgrading vpn license to archive IPSec 10 and 10 Anyconnect and 1 anyconect mobile VPN sessions in time. so my questions are;

1. can I buy "ASA5500-SSL-10 =" accounting and to upgrade our ASA 5505 without having to buy "L-ASA5505-SEC-PL =" license of pus of security.

2. asa use to upgrade only Anyconnect SSL vpn license while keeping 10 vpn IPSec comes with the base license.

Thank you & you expects value comment

Thank you

JCK

1. Yes.

2.Yes.

If you want to keep Clientless SSL VPN you do not want to continue with the addition of the ASA5500-SSL-10 = part. If you can do without client (including the conversion the two existing ones), more economically, you can opt for Security Plus and AnyConnect Essentials licenses. (US$ 800 vs price $1250).

In both cases, the Mobile requires the AnyConnect Mobile (ASA-AC-M-5505) license.

Tags: Cisco Security

Similar Questions

  • Try to customize login page for ASA 5505 SSL - VPN

    Nice day

    I'm looking for help to customize the login page for the ssl - vpn as mentioned. When the vpn is configured, the default template allows my customers to connect with this: IMAGE 1

    While trying to change the login page, I have to create a new customization without CLIENT SSL VPN ACCESS-> PORTAL-> CUSTOMIZATION file in the ASDM. When I do this and I'm trying to change the login page, it comes up with 2 forms of authentication and a fast internal password like this: IMAGE 2

    How can I change the login page, I created so that users only see the fields username and password for regular as the default template?

    Thank you all for your time and assistance

    Joel

    Hi Joel,

    What you see is just the preview, right?

    Preview displays the purpose of customization, since the password internal and the second authentication controls are the features that are activated in different parts of the configuration.

    WebVPN

    allow outside

    internal-password enable

    !

    attributes global-tunnel-group DefaultWEBVPNGroup

    secondary-authentication-server-group second_authentication_server


    INFO: This command applies only to the SSL VPN - Clientless and AnyConnect.

    So I recommend to assign this object of customization to a group policy and test access to the content of the specific connection profile.

    Thank you.

    Portu.

    Please note all useful posts

  • ASA 5520 - SSL VPN (Anyconnect) licenses

    Hello

    Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium.  Our current license looks like this:

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5520 VPN Plus license.

    I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

    I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect.  The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

    Thank you

    Rob

    Hello

    The essentials license is per device and does not allow full-tunnel.

    If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

    Federico.

  • ASA 5500 SSL VPN Failover license

    Hello

    I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

    His question is:

    Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

    This would also be true for two security contexts that are included with the firewall?

    For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

    Here is my response to his request:

    Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

    It was mentioned that:

    "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

    It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

    Thanks in advance!

    Ice Flancia

    Cisco partner Helpline Tier 2 team

    Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

    2 SSL included license on SAA in failover pair is combined as 4 license SSL.

    2 license of background on ASA in failover pair is combined as license frame 4.

    Here's the URL on ASA combined license failover:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

    Hope that helps.

  • Moving from SSL VPN licenses to other ASA

    Hello

    Be gentle, it's my first post.  We currently have an ASA 5520 with 25 remost SSL VPN licenses.  We have also some 5510's unused.  Anyone know if the SSL licenses are transferable to the 5510 unused to the 5520 to increase the amount that the 5520 has?

    Thank you

    Alistair

    Unfortunately the licenses are not transferable to one ASA to another.

    Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/license/license82.html#wp194956

    second indent under the 'Guidelines and additional Limitations' section)

    Hope that answers your question.

  • Disable SSL VPN license

    Hello

    I have 2 5510 ASA and I'm in a pinch with needing a failover ASA to implement. I have an ASA test I put in as a firewall waiting in an active scenario / in sleep, and this ASA a user 10 SSL VPN license applied. My ASA primary I'll put this in place with only 2 standard user and fails it of Wizard config HA when I run through it. The message I get is "Test of compatibility of the license for many clientless SSL VPN peers has failed." How can I deactivate the license 10 user on my unit of analysis so I can bring it failover?

    The two ASA have a license of SecPlus.

    Thanks for any help,

    Brett

    Keep your current activation key you can reapply after your tests, and request a new activation key of [email protected] / * / unlicensed SSL VPN to test your failover.

  • SSL VPN license for ASA

    It must be an easy question - but I'm having a hard time finding an answer. How are the SSL VPN to the end user a license?

    Let's say I have 300 users, SSL, but only 20 concurrent SSL at any time. Do I need licenses for the 300 full or 20 competitors?

    Thank you

    Jim

    Hey Jim,.

    SSL licenses for only simultaneous connections. The only limitation you will encounter is how SSL sessions each platform supports (i.e. 750 concurrent sessions on an ASA5520).

  • ASA 5505 Security Plus license question

    Hi all!

    I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):

    The activation key running is not valid, using the default

    ......

    This platform includes a basic license.

    ......

    Unable to retrieve the activation key permanent flash

    I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?

    Thank you!!!

    -ken

    ciscoasa # sh - activation key

    Serial number: JMXXXXXXHU

    Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

    The activation key running is not valid, using the default settings:

    The devices allowed for this platform:

    The maximum physical Interfaces: 8 perpetual

    VLAN: 3 restricted DMZ

    Double ISP: Disabled perpetual

    Junction VIRTUAL LAN ports: perpetual 0

    The hosts on the inside: 10 perpetual

    Failover: Disabled perpetual

    VPN - A: enabled perpetual

    VPN-3DES-AES: disabled perpetual

    AnyConnect Premium peers: 2 perpetual

    AnyConnect Essentials: Disabled perpetual

    Counterparts in other VPNS: 10 perpetual

    Total VPN counterparts: 25 perpetual

    Shared license: disabled perpetual

    AnyConnect for Mobile: disabled perpetual

    AnyConnect Cisco VPN phone: disabled perpetual

    Assessment of Advanced endpoint: disabled perpetual

    Proxy UC phone sessions: 2 perpetual

    Proxy total UC sessions: 2 perpetual

    Botnet traffic filter: disabled perpetual

    Intercompany Media Engine: Disabled perpetual

    This platform includes a basic license.

    Unable to retrieve the activation key permanent flash.

    The permanent activation key flash is the SAME as the key permanent running.

    Hi Ken,

    If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.

    If you have lost the key, you'll want to open a support case to get it retrieved.

    Hope that helps.

    -Mike

  • ASA5510 must add 25 peer SSL VPN Licenses, NM found link in this message

    I just got my new ASA5510 and also an authorization key product for "ASA 5500 VPN 25 SSL peers License ', but I can't for the life of figure me out how to install these licenses. I tried to enter the key provided, but when I do the ASA returns an error "type 4 or 5 Tuple Activation-Key."

    Is there a place on the Cisco site, where I 'activate' this key for a licence to be installable on the SAA?

    https://Tools.Cisco.com/swift/licensing/PrivateRegistrationServlet

    Thank you

    Rick

    Once you put your code PAK page you mentioned, it will ask you to verify the end-user and your contact information. At the end of the process (step 4), you will receive an email with the activation key. Then just enter it on the SAA by using the command of activation key (detailed instructions will be present in the mail as well on how to do this).

    Please rate if useful.

    Concerning

    Farrukh

  • Calculation of SSL VPN license

    Hello

    I need to purchase licenses for my SSL VPN (AnyConnect) 2901 router, and I would like to know how it is affected.

    If I buy a license 10 users, it is up to the 10 named user, or it is counted by concurrent users?

    If a user connects from a laptop computer and a mobile phone at the same time, with the same username, it counted as 2 user license, or just one?

    Also, AFAIK, the AnyConnect Essentials license is only available to ASA and not IOS routers. Is that still OK?

    Thank you.

    The number of licenses using simultaneous connections, regardless of the associated user ID.

    75 connected both unique usernames or a different user connected of 75 endpoints name would be count as 75 licenses in use. Laptop more phone = 2 users if the connections are simultaneous.

    The Essentials vs Premium distinction is unique to the ASA. Premium features only as a clientless SSLVPN, hostscan etc are not available based on the IOS SSL VPN

  • SSL VPN license key

    Hello

    ASA with license essential SSL VPN offers full access to the business applications with CIsco Anyconnect client of tunneling. What kind of Protocol use this connection (full access)? ¿SSL or IPSEC?

    Thank you

    SSL

  • SSL VPN license

    Hello

    We have a customer with the ASA license.

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect for Linksys phone: disabled
    AnyConnect Essentials: enabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    But when I look at the Tracking tab of the VPN, they have 40 to 50 VPN SSL with client sessions active at any given time. Is this correct or does pass the license?

    Hello

    The license shows up, you can have 2 SSL VPN peers.

    the following link gives you all the details of the available licenses. Please choose according to your requirement.

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39_ns347_Networking_Solutions_Brochure.html

    Kind regards

    Anisha

    P.S.: Please mark this message as answered if you feel that your request is answered.

  • ASA 5505 host under license limit has been exceeded

    I'm receive syslog message 450001 - host license limit has been exceeded.

    To see the version on my ASA 5505 (8.0.2), inside hosts are limited to 10. The limit of 10 corresponds to the limit (10) syslog error message.

    How is this calculated number of hosts? Show arp represents 6 addresses glued to the inside interface.

    Hello

    Don't use "show arp", use "local host" instead.

    Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf

    In routed mode, hosts inside (business and home VLAN) account in the limit only when communicating with the outside (Internet, VLAN).

    Internet hosts are not counted toward the limit. Also, guests who initiates the traffic between businesses and home are not counted toward the limit. The interface

    partner with the value default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are taken into account in the limit.

    In transparent mode, the interface with the smallest number of hosts is counted within the limits of the host. See the show local-host command to view the host

    limits.

    Kind regards

    Dandy

  • Cisco ASA AnyConnect SSL VPN - certificates + token?

    Hello

    I'm looking for an answer is it possible such configuration:

    The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

    I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

    Thank you very much for the help!

    Hi Alex,

    I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

    https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

    Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

    It may be useful

    -Randy-

  • ASA 5505 ASDM VPN connection problem

    Hello

    We are running a version of firewall ASA 5505 8.4 (4) 1. The ASDM version is 6.4 (9).

    The problem is when the creation of remote access VPN connection, it works fine for about 2-3 days.

    After that, the VPN client cannot connect more and gives the error code 789.

    In this case, the VPN clients are clients of Windows 7 from different remote networks with the same problem scenario.

    Windows 8.1 clients cannot connect at all and show the same error code...

    All connections go through the keys defaultragroup and preshare match on both sides.

    When the user to connect attemps I receive the following text in the log of the ASDM:

    6 April 10, 2015 10:52:39 group = DefaultL2LGroup, IP = 5.240.31.116, P1 retransmit msg sent to the WSF MM
     
    5 April 10, 2015 10:52:39 group = DefaultL2LGroup, IP = 5.240.31.116, in double Phase 1 detected package.  Retransmit the last packet.
     
    5 April 10, 2015 10:53:03 IP = 5.240.31.116, encrypted packet received with any HIS correspondent, drop
     
    When I implemented the remote login through ASDM I followed the instructions according to the following link:
     
    The steps were a little different, but almost the same, given that these instructions show an old version
     
    I'm interested in trying the steps according to this link but not sure this will help me solve the problem id:
     
    Any help would be appreciated!
    Thank you

    Hello

    If you use local authentication (user name and password on the SAA), so why you would need this threshold?

    tunnel-group DefaultRAGroup ppp-attributes
    No chap authentication
    ms-chap-v2 authentication
    !

    Remove it and try.

Maybe you are looking for