5505 Anyconnect essentials license clarification please
Have a "base" 5505 with the upgrade to 50 inside hosts.
I just added the ASA-AC-E-5505 25 AnyConnect Essentials license key to that unit.
The show version now shows Anyconnect Essentials enabled, but the "total VPN Peers" is still at 10.
Do I have the ability to have 25 Anyconnect clients connect to my network? or am I limited to 10?
I have read many threads, but just get more and more confused.
Thanks
DWNewman
Hi Dennis,
Just to add to what Naresh said, the other VPN is for IPsec VPN (Site to Site or Remote Access).
After adding the key if you check the show version you would see something like this:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect Essentials : Enabled
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 100 perpetual
Total UC Proxy Sessions : 100 perpetual
You can also check the same with show vpn-sessiondb summary
Thanks
Jeet Kumar
Similar Messages
-
Sorry if this question has been asked, I couldn't find an answer anywhere.
I have an ASA5520 with Anyconnect Essentials enabled, I want to replace this FW with an ASA5540 can I migrate the Anyconnect Essentials license?
Thanks
In general the license of an ASA is tied to the serial number of the ASA. This means that there is not an easy way to migrate a license from one ASA to another. In the case of an RMA there is a way that TAC can move the license.
It might be worth asking whoever is providing the ASA5540 if they can work out anything about the license. In the case of a purchase there might be some possible concession on license provisioning. But in general when you get a new ASA you need to get a new license.
HTH
Rick -
Cisco Anyconnect Essentials License - what does this
Hello Community.
I have successfully installed an ASA with Anyconnect. The Anyconnect client on my laptop works great.
But why should I now buy a Cisco Anyconnect Essentials License, and what exactly is that license for?
Anyconnect works great without that license.
But I can't connect with my iPhone with the Cisco Anyconnect for iPhone app. Should I buy the Anyconnect for Mobile license, and is this license just for one device or for all devices? Because that license is really cheap. Normally Cisco licenses are expensive.
Thanks and kind regards patrick
If you don't have any AnyConnect Premium licenses, then you are restricted to two simultaneous connections if you don't have the AnyConnect Essentials license. And you are right, for i-devices (and Android and ...) you need the AnyConnect Mobile license.
Both AnyConnect Essentials and AnyConnect Mobile are licensed per ASA and not per concurrent user/connection. And AnyConnect Mobile needs an AnyConnect Essentials or an AnyConnect Premium License to be activated.
-
I have a 5505 that is on ASA code version 8.0(4) and has a Security Plus license. I would like to put the Essentials license on it but I have read that the ASA needs to be on code version 8.2 or above per this link:
https://supportforums.cisco.com/docs/DOC-13424
However, when I have ordered the licenses in the past it always comes with 2 activation keys, one for 8.2 and above and one for below version 8.2. Here is what it says in the e-mail I get with the activation key:
THE FOLLOWING ACTIVATION KEY IS VALID FOR:
ALL ASA SOFTWARE RELEASES, BUT EXCLUDES ANY
8.2+ FEATURES FOR BACKWARDS COMPATIBILITY.
What are the features that are not included if the asa is on code versions earlier than 8.2?
Thanks!
Benjamin,
The license is actually for version earlier than 8.2.
"ALL ASA SOFTWARE RELEASES, BUT EXCLUDES ANY 8.2+ FEATURES"
So you can install it just fine if you are running 8.0.4
Regards,
Felipe. -
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when I want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is whether with this base license the interface cannot be used or only cannot be named?
Here is the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Hi,
With the Base License, the ASA5505 has a limitation of 3 VLAN interfaces, of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted).
For an interface on the ASA to operate it must have a name set with the command "nameif".
If you already have 3 VLAN interfaces in use then with this license you won't be able to configure a 4th VLAN interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that it's a needless "feature" in the ASA to limit the use of the device in such a way.
- Jouni -
ASA5510 Security Plus + Anyconnect Essentials = BASE?
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
I'm sure this should be OK.
I had a similar problem with an ASA 5505 that had been upgraded to Sec Plus and subsequently Anyconnect Mobile. TAC were able to sort it out very rapidly and issue the correct license file. -
Cisco ASA 5505 AnyConnect SSL VPN problem
Hi!
I have a small network, with ASA 5505, 8.4:
Inside network: 192.168.2.0/24
Outside: Static IP
I would like to deploy a SSL AnyConnect setup.
The state:
-I give the correct IP from my predefined VPN pool (10.10.10.0/24).
But, could not reach any resource, could not ping too. My host has given 10.10.10.1 IP, and I had a GW: 10.10.10.2. Where is this GW from?
Could you help me?
Here is my config (I omitted my PUBLIC IP, and GW):
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address MY_STATIC_IP 255.255.255.248
interface Vlan12
description Vendegeknek a valamiHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value valami.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
address-pool valami_vpn_pool
default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
group-alias valami_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: end
First of all, thanks for your link.
I know your notes, but I don't understand one thing:
if I check NAT exemption in the AnyConnect wizard, why should I make a NAT exemption rule?
I tried creating a rule, but it is wrong.
My steps (on ASDM):
1: create network object (10.10.10.0/24), named VPN
2: create nat rule: source any, destination VPN, protocol any
Here is my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 77.111.103.106 255.255.255.248
interface Vlan12
description Vendegeknek a companyHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
host 192.168.2.2
object network INSIDE_HOST
host 10.100.130.5
object network VOIP_management
host 192.168.2.215
object network Dev_1
host 192.168.2.2
object network Dev_2
host 192.168.2.2
object network RDP
host 192.168.2.2
object network Mediasa
host 192.168.2.17
object network VOIP_ePhone
host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
subnet 10.10.10.8 255.255.255.248
object network VPN
subnet 10.10.10.0 255.255.255.0
object network VPN-internet
subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelall
default-domain value company.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 62.112.192.4 195.70.35.66
vpn-tunnel-protocol ssl-client
default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end
Could you give me a CLI-code?
(or ASDM steps). -
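A scoped NAT exemption of the kind the post above asks for, as an added example that is not part of the original thread. It assumes ASA 8.4(2) or later and reuses the object names inside-net, VPN and VPN-internet and the addresses from the posted configuration.

```cisco
! Added example, not from the thread. Object names and addresses are the
! ones already defined in the posted running-config.
!
! The any,any rule matches every interface pair and leaves proxy ARP at
! its default, which is far broader than the exemption needs. Remove it.
no nat (any,any) source static any any destination static VPN VPN
!
! Scoped exemption (manual NAT, section 1): traffic between the LAN
! 192.168.2.0/24 and the VPN pool 10.10.10.0/24 stays untranslated.
! Re-enter the existing rule with no-proxy-arp and route-lookup.
no nat (inside,outside) source static inside-net inside-net destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN no-proxy-arp route-lookup
!
! split-tunnel-policy tunnelall sends the client's Internet traffic to the
! ASA as well. It enters and leaves on outside, so it needs PAT there.
! same-security-traffic permit intra-interface is already configured.
object network VPN-internet
 nat (outside,outside) dynamic interface
!
! Checks: which NAT rule a LAN-to-client packet matches, and the hit
! counters per rule.
packet-tracer input inside icmp 192.168.2.2 8 0 10.10.10.10 detailed
show nat detail
```

The exemption only stops translation; whether the traffic is permitted is still decided by the access lists and the group policy applied to the tunnel group.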
AnyConnect Essentials licensing on ASA5510 in HA
Hi guys,
Can someone help me with info regarding licensing.
Got 2 pairs of HA ASAs and didn't manage to find the answer - 2(per pair) or 4(for each one) licenses are needed.
The ASAs are in Active/Standby mode.
Just don't want to be in position if one of the ASAs fail the Anyconnect clients to lose functionality.
Also is reboot required after entering the licenses?
Thank you very much in advance.
Regards,
Nikolay
Starting with ASA v8.3 the ASAs in HA don't need the same licenses. So you only need one AnyConnect Essentials per Cluster. But if you are running v8.2 or lower, you need one license per ASA.
For the activation of AnyConnect Essentials, no reboot is required.
-
Strange Behavior for web deployment of Anyconnect essentials
We've got a weird problem that has popped up and we've been unable to figure out what's going on.
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personally been running the Anyconnect client and launching through IE9 for months.
Any ideas about what's wrong or how to debug this?
Thanks
Patrick
Hi Patrick,
Ideally, when you have Anyconnect Essentials enabled on the ASA, you cannot get access to the Clientless VPN (Web Portal access to the internal resources) however the Web Launch of the Anyconnect client does work with it.
I see that you have implemented this a different way (workaround) by manually installing the Anyconnect VPN clients on the machines and then trying to connect it to the ASA, which works and this means that configuration on the ASA for allowing the Anyconnect connection is correct. Now it is not allowing you to launch it from the web portal on machines which means the download access has been restricted somewhere on the ASA.
Could you please follow these two steps and let me know if you see something different.
1. Get access to the ASDM and follow this: Configuration>>Remote Access>>Anyconnect>>Edit the tunnel-group on which your connection is landing>>Login setting. Please check if it says go to the clientless portal or launch Anyconnect. It has to be Download Anyconnect automatically.
2. If you are not getting the prompt for the username and password on the webportal then go to Configuration>>Remote Access>>Clientless (not sure if it is under Anyconnect or clientless, please check both) where you get option: shut down portal login on the main page. Please make sure that it is unchecked.
In your case I see that the users are getting prompt for the username and password however when you authenticate yourself you are getting error message: authorized use only then it could be something to do with the DAP Policies (dynamic access policy).
Go to the dynamic access policies and you will get an option named as Anyconnect (please check if the correct option is checked under the same). If multiple dap policies are configured then please check the dap policy which gets pushed when the user logs in and make changes to that specific dap policy.
Please let me know if this helps, else I would request you to open a TAC request and we will look into this issue. If you find something different then please share here.
Thanks,
Vishnu Sharma -
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200
purpose
ASA 5505 (Sec Plus license)
purpose
g2
Trunk 1UP,99T
Ubiquiti AP (VLAN 1 works, VLAN 99 does not
g3
Access port 99T
vlan 99 does not work
g8
Trunk 1UP, 99T
< Trunk between switch and ASA >
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP
Both VLAN 1 and VLAN 99 clients work properly
Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks, -
We are using Windows Server 2012 Standard installed in VMWare / Virtual machine and to access this we use vSphere client and Remote Desktop Connection / service was already enabled and was working fine with User PCs / laptops remote desktop into the server 2012, until it gave an error message of: Remote session was disconnected because there are no remote desktop license servers available to provide a license. Please contact the server administrator. whilst logging into the server.
We DON'T use Active Directory and we don't use a domain and are not looking to use it any time soon.
I checked the RD Licensing Diagnoser and it says the grace period has expired and the licensing mode for the remote desktop session host server is not configured. I have checked the Remote Desktop Gateway has been stopped and I tried to start it and it resumed to stop, here I assume it's where the licensing part comes in to re-enable this.
I have been trying to follow these articles online: http://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/ and http://www.concurrency.com/blog/rds8-add-a-licensing-server-2/#Install the overview part that I cannot get into, because I think we have to be in AD DS for this which we don't. Is there a way around this for non domain / just standalone set-up? Is it a must / requirement we need to be in a domain in order for Remote Desktop Connection to work?
Also, we have a Windows Server 2012 RDS CALs - 10 (software and licence key), will the licence key work for the Windows 2012 Server Standard? We do not want to install the other Server mentioned which comes with CAL / licence key as it's time consuming to reinstall other programs. I have installed Server role service of Remote Desktop Licencing and automatically installed other associated services needed. In the RD Licencing Manager, the Server had a red cross and I "Activate Server" where I followed: http://www.concurrency.com/blog/rds8-add-a-licensing-server-2/#Install in Install Licences section and I have used the licence key of CAL - 10 mentioned above; it stated I have successfully completed the install licences wizard and displayed: 10 Windows Server 2012 - RDS Per User CAL installed, and in the RD Licensing Manager the server turned into a green tick and added the licence.
I then tested the Remote desktop connection from my PC and the same error message was there and checked the RD Licensing Diagnoser and the same error messages were there. I haven't restarted the services of Remote Gateway / the server itself; do I really need to reboot the server?
Any advice / guidance would be very much appreciated and this is an urgent matter.
Thank you for your time.
Hotfix Released here:
http://support.microsoft.com/kb/2916846 -
Hi,
I started to run the Weblogic Server on my machine yesterday and I suddenly got
this error:
"License Expired, Please Contact BEA Systems Inc"
This is the message I got on the Visual Age Console:
"Invalid BEA WLS Integration Kit License. Please cantact BEA"
I was able to run Weblogic Server until the past 2 weeks. I tried to re-install
the whole Visual Age 3.5
and as well as the Integration Kit I download from the Weblogic website and I
still get the same
problem. Can somebody help me with this. I haven't upgraded to 3.5.3 yet.
Thanks
Sameera
Sameera,
The Kit available from the BEA website is an evaluation version. You need to
contact BEA Sales for a permanent license.
Thanks,
Nirav.
Sameera Balay wrote:
Hi,
I started to run the Weblogic Server on my machine yesterday and I suddenly got
this error:
"License Expired, Please Contact BEA Systems Inc"
This is the message I got on the Visual Age Console:
"Invalid BEA WLS Integration Kit License. Please cantact BEA"
I was able to run Weblogic Server until the past 2 weeks. I tried to re-install
the whole Visual Age 3.5
and as well as the Integration Kit I download from the Weblogic website and I
still get the same
problem. Can somebody help me with this. I haven't upgraded to 3.5.3 yet.
Thanks
Sameera
--
Nirav Chanchani
BEA Systems, Inc.
-
I work for a University. We've purchased a few copies of Adobe Acrobat Pro XI boxed software. It's been working great all along. Now, it won't work at all. Error as follows:
"The serial number you entered has expired.This product cannot be licensed. Please contact Customer Support. Provide a serial number."
You need to do what it says... contact Adobe Customer Support. We can't help for two reasons (a) we are not Adobe staff (b) even if we were, we can't examine private serial numbers in a public forum.
When you contact them, best to have all the paperwork from the original purchase in case there are difficulties with a supplier etc.
-
Hi,
I have been using Windows server 2012 at my company and generally take a remote access to this server. However, for the last few days, I have been receiving the Error "The remote connection was disconnected because there are no Remote Desktop License Servers available to provide a license. Please contact the server administrator".
My entire work has come to a halt because of this error as all my applications are running on this server and their remote access is needed for my regular requirements.
I had tried one of the solutions proposed at one of these forums especially using gpedit.msc but to no avail.
Regards,
Aditya
Hi Aditya,
Thank you for posting in Windows Server Forum.
Agree with the words of armin, please verify that you have properly installed correctly. Verify RDS Licensing service running on License Server. Verify that the client, the RDS server, and the license server can communicate by ensuring that Domain Name System (DNS) is configured correctly on each computer. You can run the ping command from each computer to each computer using the IP address, FQDN, and the NetBIOS name. If any of the ping commands fail, verify the DNS configuration on the network.
In addition, you can also try “GracePeriod” registry setting on this path (HKLM\System\CurrentControlSet\Control\Terminal Server\RCM) from this article.
Hope it helps!
Thanks.
Dharmesh Solanki
-
Server 2012 + CALs License Clarifications
Dear ALL,
I need some clarifications in licensing to provide the appropriate solution to my customer.
One of my customers purchased a Dell Server with preloaded Windows Server 2012 OS (Standard Edition) from us (from my company) to replace the existing server which has Windows Server 2003.
Now the thing is the customer wants to transfer/migrate their Server CALs and Terminal Server CALs of Server 2003 to Server 2012.
But is it possible to transfer/migrate CALs from Server 2003 to 2012?
If that is not possible, can I suggest installing Windows Server 2003 as a virtual OS in Hyper-V to use their existing CALs?
And is any additional license required to use Server 2003 in Hyper-V?
Expecting your valuable answer/solution.
Thanks in advance.
I would recommend contacting a Microsoft Licensing specialist to get details about your questions.
Please note that Windows Server 2003 will not be supported soon. So, I would recommend upgrading to a higher OS whenever it is possible.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK