Cisco ASA 8.2 - anyconnect essentials

Experts

I need activate command anyconnect essentials in my configuration for webvpn.

When I do not show performance webvpn, I see:

No anyconnect essentials.

If I go to webvpn:

(config-webvpn) anyconnect essentials (then press enter) I get this error message:

Clientless currently active sessions: 3

After all without client sessions are disconnected, manually activate Anyconnect Essentials by using ASDM or "anyconnect-essentials" CLI under webvpn mode.

For some reason Java is dead and I can't run ASDM.

How do I disconnect the Clientless CLI sessions in order to add the command

"anyconnect essentials".

Thanks for your help!

vpn-sessiondb logoff ....

Tags: Cisco Security

Similar Questions

Would become Anyconnect essentials Premium AnyConnect vpn on asa

Dear team,

We have a pair of cisco ASA 5520 with version 8.2 (5) works well with active mode / standby. As the situation requires, we intend to change the SSL vpn to clientless SSL VPN (AnyConnect Premium) to anyconnect vpn with mobile clients (IOS & Android)

Please specify below

(1) I have read, we cannot have two Anyconnect Essentials & AnyConnect Premium on the same system time. We need to disable accordingly to our need-pl correct me?

(2) what is the best way to have the device for end-user client deployment? pushing of ASA or install individually on the system? Can I have the best, I mean the latest version of windows, client MAC e.t.c I shud get?

While pushing ASA LU that much memory cache will be used, since we have IPS (AIP - SSM) modules has also installed on ASA who shud method I adopt here?

(3) what is the exact product for license Anyconnect Essentials & customer name mobile (IOS & Android) we get from cisco?

(4) once I get the correct license how do I active in systems? should I remove the failover command and install the license in two devices separately?

(5) Finally, I need to authenticate vpn anyconnect essentials with LDAP that is already configured for clientless SSL VPN(AnyConnect Premium). any suggestions here?

Below the version Sh emitted by the devices, it seems essential Anyconnect is already active... Please correct me?

Active Firewall
===============

System image file is "disk0: / asa825 - k8.bin.
The configuration file to the startup was "startup-config '.

Material: ASA5520, 2048 MB RAM, Pentium 4 Celeron 2000 MHz processor
Internal ATA Compact Flash, 256 MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
Start firmware: CN1000-MC-BOOT - 2.00
SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Ext: GigabitEthernet0/0: the address is a493.4ca3.ce0a, irq 9
1: Ext: GigabitEthernet0/1: the address is a493.4ca3.ce0b, irq 9
2: Ext: GigabitEthernet0/2: the address is a493.4ca3.ce0c, irq 9
3: Ext: GigabitEthernet0/3: the address is a493.4ca3.ce0d, irq 9
4: Ext: Management0/0: the address is a493.4ca3.ce09, irq 11
5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 150
Internal hosts: unlimited
Failover: Active/active
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 2
GTP/GPRS: disabled
SSL VPN peers: 2
Total of the VPN peers: 750
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect Cisco VPN phone: disabled
AnyConnect Essentials: enabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled

This platform includes an ASA 5520 VPN Plus license.

=====================================================

Firewall standby
================

Updated Saturday, May 20, 11 16:00 by manufacturers
System image file is "disk0: / asa825 - k8.bin.
The configuration file to the startup was "startup-config '.

Material: ASA5520, 2048 MB RAM, Pentium 4 Celeron 2000 MHz processor
Internal ATA Compact Flash, 256 MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)
Start firmware: CN1000-MC-BOOT - 2.00
SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03
Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Ext: GigabitEthernet0/0: the address is 6073.5cab.3fae, irq 9
1: Ext: GigabitEthernet0/1: the address is 6073.5cab.3faf, irq 9
2: Ext: GigabitEthernet0/2: the address is 6073.5cab.3fb0, irq 9
3: Ext: GigabitEthernet0/3: the address is 6073.5cab.3fb1, irq 9
4: Ext: Management0/0: the address is 6073.5cab.3fb2, irq 11
5: Int: internal-Data0/0: the address is 0000.0001.0002, irq 11
6: Int: internal-Control0/0: the address is 0000.0001.0001, irq 5

The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 150
Internal hosts: unlimited
Failover: Active/active
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 2
GTP/GPRS: disabled
SSL VPN peers: 2
Total of the VPN peers: 750
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect Cisco VPN phone: disabled
AnyConnect Essentials: enabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled

This platform includes an ASA 5520 VPN Plus license.

Thank you

1 correct. You can run one or the other, but not both.

2 since you have the upgrade memory to 2 GB, you should be fine perform web deployment via the pkg file method.

3. for a 5520, you need:

L-ASA-AC-E-5520 =
L-ASA-AC-M-5520

.. .to the Essentials and Mobile licenses respectively.

4. on ASA 8.2, you need licenses for both units. If you upgrade to 8.3 + (8.4 (7) recommend at least), you can share licenses between members of a pair of HA. If you choose not to upgrade, just apply the key of activation on the rescue unit, then on the unit activates. You don't need to move on and in the failover configuration. Failover of the rescue unit status will show as ineligible briefly while he holds the new license is not the case of the active unit. Which will be resolved after you have applied the same license on the main unit. (If you were on 8.3 + would not happen at all).

5. simply create a new connection profile for customers of Essentials by using the same AAA server group.

NAC and ASA AnyConnect Essentials

If you have the Essentials AnyConnect VPN license - the ASA is able to do all of the NAC such as searching the registry value or check his firewall definitions are up-to-date? Thank you.

With an AnyConnect Essentials license is activated, without client feature WebVPN, Cisco Secure Desktop (CSD) and assessment of Advanced endpoint is disabled. For this reason, you won't be able to make the registry checks, check the antivirus updates, etc..

AnyConnect VPN for Cisco ASA 5505 refused connections

I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:

interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable

group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn

policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!

When I try to connect, I get this error in the real-time log viewer:

TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

Here are the details of the license:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Can someone tell me what I am doing wrong or what access list I'm missing?

I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

Hi Matt,

You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

WebVPN

tunnel-group-list activate

Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

HTH

Herbert

Cisco Anyconnect Essentials License - What is it

Hello community.

I managed to install an ASA with Anyconnect. The Anyconnect client on my laptop works very well.

But why now to buy a Cisco Anyconnect Essentials License, what exactly is this license?

AnyConnect works fine without this license.

But I can not connect with my IPhone with the Cisco Anyconnect for Iphone App. should I buy the Anyconnect for Mobile license and this license just for a single device or all devices. Because this license is really cheap. Cisco licenses normally are expensiv.

Thank you and best regards patrick

If you have not all AnyConnect Premium licenses, then you are limited to two simultaneous connections if you do not have the license of anyConnect Essentials. You are right, for i-devices (and Android...) you need the AnyConnect Mobile license.

AnyConnect Essentials both AnyConnect Mobile are approved by ASA, not user connections. And AnyConnect Mobile needs AnyConnect essential or Preimium AnyConnect license must be activated.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Cisco ASA AnyConnect SSL VPN - certificates + token?

Hello

I'm looking for an answer is it possible such configuration:

The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

Thank you very much for the help!

Hi Alex,

I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

It may be useful

-Randy-

Cisco ASA 8.0.4 AnyConnect works do not with Vista and IE7

Hello

I currently have a Cisco ASA 5520 with the latest version of the Software ASA/AMPS/Anyconnect. However I can't get Vista and IE7 to connect using the free client anyconnect VPN error message following appears

"Setup could not start the Cisco VPN Client".

Is there a workaround for this.

Thanks in advance

Eoin

I'm glad you got it working :)

Please evaluate the positions if find you them useful.

Concerning

Farrukh

How Anyconnect VPN users will connect with cisco ASA, which uses the server (domain controller) Radius for authentication

Hi team

Hope you do well. !!!

currently I am doing a project which consists in CISCO ASA-5545-X, RADIUS (domain controller) server for authentication. Here, I need to configure Anyconnect VPN and host checker in cisco asa.

1 users will connect: user advanced browser on SSL VPN pop past username and password.

2. (cisco ASA) authentication: VPN sends credentials to the RADIUS server.

3 RADIUS server: authentication: receipt and SSL VPN (ASA) group.

4 connectivity creation: If employee: PC so NAW verified compliance, no PC check Assign user to the appropriate role and give IP.

This is my requirement, so someone please guide me how to set up step by step.

1. how to set up the Radius Server?

2. how to configure CISCO ASA?

Thanks in advance.

Hey Chick,

Please consult the following page of installation as well as ASA Radius server. The ASA end there is frankly nothing much difference by doing this.

http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

Hope this helps

Knockaert

Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups. It works, but it works too well.

We have a group called XXX we need to have access to the Cisco AnyConnect Client. We have selected this group of our Active Directory and added to our ACS configuration. We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

We added XXX movies for the elements of the policy of access to the network-> authorization profiles. We also have a profile of YYY.

She continues to knock on our default Service rule that says allow all.

We have also created a default network access rule. for this.

I am at a loss. I'm sure I missed a checkbox or something.

Any help would be really appreciated.

Dwane

We use Protocol Management GANYMEDE ASA and Ray for VPN access?

For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

On the SAA, you must configure Ganymede and Ray both as a server group.

For the administration, you can set Ganymede as an external authentication under orders aaa Server

AAA-server protocol Ganymede GANYMEDE +.

Console HTTP authentication AAA GANYMEDE

Console Telnet AAA authentication RADIUS LOCAL

authentication AAA ssh console LOCAL GANYMEDE

Console to enable AAA authentication RADIUS LOCAL

For VPN, you must set the authentication radius under the tunnel-group.

I hope this helps.

Kind regards

Jousset

The rate of useful messages-

licenses for a cisco ASA active/passive pair AnyConnect SSL

Hi all. I buy 2 5512 x ASAs is configured like a pair of active/passive as a VPN device. I need to purchase licenses for both devices anyconnect? Thank you

Licenses AnyConnect Essentials (or premium) are combined on a cluster failover ASA. Reference

So, buy once only the quantity and type of licenses you need based on your end users - not based on the number of ASAs - and they will be available at the ASA Active whether primary or secondary unit.

Issue of Cisco ASA 5505 Anyconnect Client NAT'ing

Hello

We have a split_tunnel RA Vpn configuration in a branch that works very well in all areas except the destinged of traffic for a specific website using https. This provider does not allow HTTPS connections to bring some outside IP addresses.

Essentially, this should work like this:

RAVPN_client (10.4.4.0/27)--> https request to the (208.x.x.x) vendor_ip---> ASA55XX--> NAT_to_outside_ip--> to the vendor_ip (208.x.x.x) https request

I need to understand how you would approach from ONLY this https traffic specific to the RA VPN without having to change the installer otherwise.

Internal hosts (aka behind the ASA physically) have not any question at this site, as would his nat ip address outside that we expect.

Here is what we use for the NAT Exemption it list 10.2.2.x, 192.168.100.x, and 172.23.2.x are other remote sites we have. The 10.4.4.0/27 RA VPN users don't have no problems connecting to them, regardless of the Protocol:

Note to inside_nat0_outbound access-list of things that should not be Nat would

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.2.2.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.100.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 172.23.2.0 255.255.255.0

access extensive list ip 10.12.1.0 inside_nat0_outbound allow 255.255.255.0 10.4.4.0 255.255.255.224

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 192.168.100.0 255.255.255.0

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 10.2.2.0 255.255.255.0

access extensive list ip 10.4.4.0 inside_nat0_outbound allow 255.255.255.224 172.23.2.0 255.255.255.192

Here is the list of interesting traffic that we push to the customers through the tunnel of the VPN connection.

VPN_splitunnel to access extended list ip 192.168.100.0 allow 255.255.255.0 any

VPN_splitunnel of access list scope 10.2.2.0 ip allow 255.255.255.0 any

Access extensive list ip 10.12.1.0 VPN_splitunnel allow 255.255.255.0 any

Access extensive list ip 172.23.2.0 VPN_splitunnel allow 255.255.255.192 all

Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all

VPN_splitunnel list extended access permit ip host 208.x.x.x any newspaper<- this="" is="" the="" vendors="" external="" ip="" address="" (obfuscated="" for="" security="" but="" you="" get="" the="">

Here's the rest of the nat configuration:

NAT-control

Overall 101 (external) interface

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 101 0.0.0.0 0.0.0.0

Configuring VPN RA:

IP mask 255.255.255.224 local pool VPNPool 10.4.4.5 - 10.4.4.30

WebVPN

allow outside

AnyConnect essentials

SVC disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1 image

SVC disk0:/anyconnect-macosx-i386-2.5.2001-k9.pkg.zip 2 image

enable SVC

tunnel-group-list activate

internal RAVPN group policy

RAVPN group policy attributes

value no unauthorized access to banner

value of banner that all connections and controls are saved

banner of value this system is the property of MYCOMPANY

banner value disconnect IMMEDIATELY if you are not an authorized user.

value of server WINS 10.12.1.11 10.2.2.11

value of 10.12.1.11 DNS server 10.2.2.11

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list VPN_splitunnel

type tunnel-group RAVPN remote access

attributes global-tunnel-group RAVPN

address pool VPNPool

authentication-server-group NHCGRPAD

Group Policy - by default-RAVPN

tunnel-group RAVPN webvpn-attributes

enable RAVPN group-alias

Can someone ' a Please direct me as to what I'm doing wrong? I was assuming that since I don't have Ip 208.x.x.x address in the list of inside_nat0_outbound that it would be NAT had, but appears not to be the case (out of packet - trace below)

Packet-trace entry outside tcp 10.4.4.6 34567 208.x.x.x detailed https

*****************************************************************************

Phase: 1

Type:-ROUTE SEARCH

Subtype: entry

Result: ALLOW

Config:

Additional information:

in 0.0.0.0 0.0.0.0 outdoors

Phase: 2

Type: ACCESS-LIST

Subtype: Journal

Result: ALLOW

Config:

Access-group outside_access_in in interface outside

outside_access_in list extended access permitted ip VPN_ips 255.255.255.224 host 208.x.x.x Journal

Additional information:

Direct flow from returns search rule:

ID = 0xd7bd3b20, priority = 12, area = allowed, deny = false

Hits = 2, user_data is 0xd613bf80, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = VPN_ips, mask is 255.255.255.224, port = 0

IP = 208.x.x.x DST, mask = 255.255.255.255, port = 0, dscp = 0 x 0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true

hits = 2256686, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd87c8fc8, priority = 12, area = ipsec-tunnel-flow, deny = true

hits = 550, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xd7dfbd28, priority = 0, domain = host-limit, deny = false

hits = 1194, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional information:

Reverse flow from returns search rule:

ID = 0xd7df8fa0, priority = 0, sector = inspect-ip-options, deny = true

hits = 2256688, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 0.0.0.0 mask 0.0.0.0, port = 0 =

DST ip = 0.0.0.0 mask = 0.0.0.0, port = 0, dscp = 0 x 0

Phase: 7

Type: CREATING STREAMS

Subtype:

Result: ALLOW

Config:

Additional information:

New workflow created with the 2380213 id, package sent to the next module

Information module for forward flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Information for reverse flow...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input interface: outdoors

entry status: to the top

entry-line-status: to the top

output interface: outside

the status of the output: to the top

output-line-status: to the top

Action: allow

*****************************************************************************

Thank you

Jason

You are on the right track with you divided the tunnel configuration. You need to add is the pool of Client VPN to be coordinated to your external ip address, IE: same as your local users of the ASA when he tries to access the intellectual property of the provider (208.x.x.x), allowing more traffic in and out of the same interface for traffic of U-turn.

Here's what you need to set up:

permit same-security-traffic intra-interface

nat-to-vendor ip 10.4.4.0 access list permit 255.255.255.224 host 208.x.x.x

NAT (outside) 101-list of nat-to-vendor access

The foregoing will allow VPN pool to be coordinated to your ASA outside the ip address of the interface when accessing the seller (208.x.x.x).

1 small correction to your ACL split tunnel:

-The following line is incorrect and should be deleted in the tunnel of split ACL:

Access extensive list ip 10.4.4.0 VPN_splitunnel allow 255.255.255.224 all

(As 10.4.4.0/27 is your pool of Client VPN, you do not add these subnet to your list of split tunnel. List of Split tunnel are only the network that you are difficult to access and sent through your VPN tunnel).

Hope that helps.

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

HA possibility of twinning? two ASA5520s, one with Anyconnect Essentials with Anyconnect more licenses - can these two equivalent license types HA pair successfully?

I have two ASA5520s... we have 750 Anyconnect Essentials licenses and the other 750 Anyconnect more licenses.

These can two successfully pair HA or I need to have both on the same exactly the type of license? that is the two Anyconnect more...

Thank you!

HAL

Hi hmcandrew,

As far as I know, you need to require one of the ASA on the other to run in failover mode.

Maybe if you run them in a private network virtual-balancing of the load in place, they will be able to work, but it will not give you HA.

Please see the following link for more information:

https://supportforums.Cisco.com/document/67701/ASA-versions-image-names-...

Please rate if you find this information useful.

Kind regards

-Javier-

License AnyConnect disables AnyConnect essentials

Is this correct? It does not seem right. I bought a mobile Anyconnect license to add to my ASA 5505, who already had active Anyconnect Essentials.

I received the watch activation key that I would go to:

 License : Base Max Physical Interfaces : 8 VLANs : 3, DMZ Restricted Dual ISPs : Disabled Trunk Ports : 0 Failover : Disabled Inside Hosts : 50 VPN DES Encryption : Enabled VPN 3DES and AES Encryption : Enabled VPN Peers : 10 SSL VPN Peers : 2 Shared SSL VPN licensing : Disabled AnyConnect Mobile : Disabled Linksys VPN Phone : Disabled AnyConnect Essentials : Enabled Advanced Endpoint Assessment : Disabled UC Proxy Sessions : 2 UC Phone Proxy Sessions : 2 Botnet Traffic Filter : Disabled

TO:

 Inside Hosts : 50 Failover : Disabled Encryption-DES : Enabled Encryption-3DES-AES : Enabled Security Contexts : Default GTP/GPRS : Disabled AnyConnect Premium Peers : Default Other VPN Peers : Default Advanced Endpoint Assessment : Disabled AnyConnect for Mobile : Enabled AnyConnect for Cisco VPN Phone : Disabled Shared AnyConnect Premium License server : Disabled Shared License : Disabled UC Phone Proxy Sessions : Default Total UC Proxy Sessions : Default AnyConnect Essentials : Disabled Botnet Traffic Filter : Disabled Intercompany Media Engine : Disabled Cluster License : Disabled vCPUs : 0

The Mobile license should not disable Essentials. That could be a mistake made by the license server.

I recommend to open a TAC case and urging them to please put in the queue for license Global (GLO) operations. Request GLO re - issue an activation key which includes your already approved essentials.

License of IPSec Cisco ASA

Dear all,

I want to know how much maximum IPSec connection allowed in my Cisco ASA 5505.

I want to try VPN L2TP Mac and PC

TQ

The devices allowed for this platform:
The maximum physical Interfaces: 8 perpetual
VLAN: 20 unrestricted DMZ
Double ISP: Activated perpetual
VLAN Trunk Ports: 8 perpetual
Guests of the Interior: perpetual unlimited
Failover: Active / standby perpetual
Encryption - A: enabled perpetual
AES-3DES-Encryption: activated perpetual
AnyConnect Premium peer: 25 perpetual
AnyConnect Essentials: 25 perpetual
Counterparts in other VPNS: 25 perpetual
Total VPN counterparts: 25 perpetual
Shared license: activated perpetual
AnyConnect for Mobile: activated perpetual
AnyConnect VPN phone Cisco: activated perpetual
Assessment of Advanced endpoint: activated perpetual
Proxy UC phone sessions: 24 perpetual
Proxy total UC sessions: 24 perpetual
Botnet traffic filter: activated perpetual
Intercompany Media Engine: Disabled perpetual
Cluster: Disabled perpetual

With this device you can have 25 concurrent VPN sessions, regardless of the type.

Cisco ASA 8.2 - anyconnect essentials

Similar Questions

Maybe you are looking for