Activating any connect license on ASA

Similar Messages

• How to identify the number of unique active users/connections on PIX/ASA

  Hi,
  Is it at all possible with SNMP or other tools to identify the unique number of connections on PIX or ASA. I’m not referring to the number of session or the results of “show conn count” but rather something similar to what “show local host” command will provide.
  Thanks in advance

  Hi,
  If  you are looking for SNMP OIDs to get 'show local-host' output from ASA, please try the following OIDs and check if you are getting the relevant outputs :
  1.3.6.1.4.1.9.9.147.1.1.1.2.1.5.        cfwBasicConnectionEventType
  1.3.6.1.4.1.9.9.147.1.2.2.2.1.3.        cfwConnectionStatDescription
  1.3.6.1.4.1.9.9.147.1.2.2.2.1.4.        cfwConnectionStatCount
  1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.        cfwConnectionStatValue
  Thanks

• Disabling Any connect in Cisco ASA's

  what is the best way to disable anyconnect in the Cisco ASA's.
  Thanks

  The quickest way to disable a remote access SSL VPN (the most common type by far when using Anyconnect clients) is to turn off webvpn ("no webvpn") in configure mode.

• Demo license for the any connect mobilee

  Hello Team,
  Actually we want to  do the testing to connect mobile device to our organisation (for jabber) .
  That required any connect license in ASA ,is there any option we can get the Demo license for the any connect Mobile
  Thanks in Advance 

  Cisco does not offer a demo license for AnyConnect for Mobile. The activation key for that license is not time limited and nothing would prevent you from installing it and then using it forever in production.
  That said, it's not very costly to purchase - no more than a couple hundred US$, depending on your ASA model.

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• Cisco any connect does not reconnect to backup ASA

  Hi
  In Cisco ASA ssl vpn using ANY connect, I have a question on ASA failover. There is an option in the ASDM (AnyConnect Client profile) where one can set a number of backup ASAs in case the primary ASA goes down, So Client can connect to backup ASA in case primary goes down.
  Primary ASA = vpn1.test.com
  Backup ASA = vpn2.test.com
  I have added backup ASA in the backup server list in the client profile section. In the first case, when primary ASA is down, and ANY connect client try to connect to primary ASA (vpn1.test.com) then after few seconds ANYConnect client realizes primary ASA is down and then anyconnect client connect to the backup ASA .
  But in case the primary ASA is up and ANYconnect cleint is connected. If I shutdown the primary ASA, then ANY connect client never switch to backup ASA " vpn2.test.com".
  Can Someone guide me here why client not try to reconnect to the backup in case the primary ASA gets down.
  Any connect version : 3.1.02040
  ASA IoS : 9.1
  //umair

  If you want to make use of the Cisco Connect Software then the connection should be in the following way:
  Connect the Modem with the Router on the Internet Port and connect the computer with the Router to any one of the Ethernet Port [Numbered 1, 2, 3 and 4]…
  So if you try to make the connection to any other form then in that case the Cisco Connect Software may get installed but it won’t detect the Router and will not get the Internet…. If you want to configure the Router then you can do it manually…
  So if you have a DSL connection you can refer to this link:
  http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&login=1&vw=1&app=search&articleid=4020&userrole=Linksy...
  So if you have a Cable Internet Connection you can refer to this link:
  http://www6.nohold.net/Cisco2/ukp.aspx?pid=93&vw=1&articleid=3686

• Creative suite 5.5 subscription not activating any more. Keeps on saying "check internet connection"

  For last 2 days I'm not able to activate/work because of this error. Tried to activate it on another PC but still get this error!!
  No more phone support for Creative suite so read the support page for any possible solution. Also checked my hosts file but found nothing unusual.

  Sign in, activation, or connection errors | CS5.5 and later
  Mylenium

• Can anyone help me ? my iphone 3gs keeps displaying needs activation and connect to itunes when i do this nothing happens but the phone works fine but as soon as i disconect the phone it displays the same message over again and wont let me go any further

  my phone has just suddenly stopped working today was fine this morning then suddenly showed a message saying needs activating and connect to i tunes . i connected it to itunes and nothing happened but phone started to work fine  so i disconected it from the laptop it worked fine untill it went to lock then showed the same message again .please can anybody help as i am ready tear my hair out!

  In settings>general> cellular do you have it  turned ON?

• Ikev2 VPN without using a SSL license? (ASA-5512)

  Hi All,
  I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool  (which I have lots of connection licenses for "Total VPN Peers : 250".
  * Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
  * Do I have to consider 3rd party vpn clients, outside Anyconnect?
  cya
  Craig

  Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
  If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
  In a situation like that where lots of AnyConnect-Sessions were needed and only a couple of clientless sessions, I installed AnyConnectEssentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN-premium licenses it was much cheaper then buying Premium licenses for all VPN users.
  Sent from Cisco Technical Support iPad App

• Can I tell if I have activated any tracking software on my Macbook that will help me find it.

  My Macbook Pro was stolen today.  I know that I have logged into iCloud from this laptop before but I am not sure that I have specifically activated any tracking software.  Can anyone suggest any ideas for tracking this down - unlikely I think.

  Find my Mac may be enabled on your MacBook Pro. To check this, open http://www.icloud.com on any PC or Mac, log in with your Apple ID and choose Find my iPhone. Your Mac's location will show up if it's connected to the Internet, and you will be able to lock or wipe it. Also, you can do this through an iPhone, iPad or iPod touch with the Find my iPhone app.
  If you can't track the MacBook, there's no way to locate it at the moment. If the thief erased the MacBook, you won't be able to track it anymore even if you enabled Find my Mac

• Terminal server does not have any installed licenses

  Good morning! Faced with a some trouble while configuring Terminal Server (Windows Server 2012 based). I selected licensing mode "Per User" and now I see this message:
  “The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server “server name” does not have any installed licenses with the following attributes:
  Product version: Windows Server 2008 or Windows Server 2008 R2
  Licensing mode: Per User
  License type: RDS CALs”
  So this is trial using of terminal server - I have 25 days yet but already today I can't connect to server using RDP. There is an error message about absent licensing server. How can I activate licenses in trial mode? Thank you for support.

  Hi,
  Thank you for posting in Windows Server Forum.
  From the error description it seems that your issue caused by setting up different Licensing mode. We need to install the proper RDS CAL on the License server.  If the license server has installed licenses of the other mode, changing the licensing mode
  for the terminal server may also resolve the issue. 
  To change the Licensing mode we can use RD Licensing diagnoser or by PowerShell command. 
  To change the licensing mode on RDSH/RDVH:
  $obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
  $obj.ChangeMode(value) - Value can be 2 - per Device, 4 - Per user
  Please refer below article for information.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  Have you installed License server on Server 2012 and you have RDS CAL of Server 2008 R2?
  If that’s the case then first you need to purchase the RDS CAL for server 2012 and then you can configure on server 2012 because server 2012\R2 RDS CAL can work with lower version OS but Server 2008 R2 RDS CAL can’t work on Server 2012\R2.
  Please check computability matrix.
  RDS and TS CAL Interoperability Matrix
  http://social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Why do the number of active JMS connections increase?

  <strong>Problem</strong>
  - Number of active JMS connections and current JMS messages increases until the Weblogic instances crash with an OutOfMemory exception
  <strong>Setup</strong>
  - Weblogic v9.2.3, Cluster with 4 Nodes
  - A JMS Message is sent from a MDB in Weblogic to a distributed queue which has a member on each of the 4 Weblogic nodes. The session is created as follows session = connection.createSession(false,Session.AUTO_ACKNOWLEDGE), the message delivery mode is set programmatically to persistent and the delivery mode override of the queue setup is set to persistent too
  - Standalone JMS client processes: each one is attached to <strong>all</strong> 4 nodes. Each one uses a unique JMS message selector so that we have more than one queue consumer for one queue but every message is exactly dedicated to one queue consumer. We us weblogic.jar for the clients.
  - Use of Weblogic auto reconnect feature. JMS client code:
  Connection connection = this.connectionFactory.createQueueConnection();
  final WLConnection wlconnection = (WLConnection)connection;
  wlconnection.setReconnectPolicy(JMSConstants.RECONNECT_POLICY_ALL);
  wlconnection.setTotalReconnectPeriodMillis(-1);
  wlconnection.setReconnectBlockingMillis(-1);
  <strong>Remarks and Questions</strong>
  - There are no pending JMS messages which is good
  - In our setup, each JMS client is connected to all 4 nodes as the messages are not distributed to all nodes: if a message is put to Queue A but the client is only connected to Queue B, the message is NOT transfered from Queue A to Queue B. We set the parameter "Forward Delay" to 5 seconds with no effects. Is this the normal behavior?
  - Not all JMS clients are visible in the Weblogic console under JMS Services -&gt; JMS Servers -&gt; [Server] -&gt; Monitoring -&gt; Active Connections. Which one are visible? Which one are not visible? There are also clients where the number of connections is not zero but stays constant; we know that as several independent clients on different hosts are started and the IP adress is visible in the Weblogic console. Why....?
  - What reasons can lead to increasing connections? Is this due to client or server problems? Do we have to acknowledge the message in the onMessage(Message) method of the client JMS consumer? So far as I know, we don't have to.
  - Are the increasing number of current messages due to the increasing number of JMS connections?
  - May the RECONNECT_POLICY_ALL policy produce this problem?
  Any hint is appreciated.
  Peter
  Edited by: pkeller on 23.10.2008 17:08

  To answer the question about the forwarding of messages from one queue to another myself: As mentioned at http://forums.bea.com/thread.jspa?threadID=400000611, the forwarding for queues does only work if all queue consumers are attached to the same queue. This means that our setup is OK.
  But the main question is still unanswered: why do the number of active JMS connections increase? I forgot to mention that
  - all messages arrive at the clients and that no exceptions are visible in the log
  - if you kill the client, the connections are still visible in the Weblogic console!?
  Please help as this problem is very urgent.
  Peter
  Edited by: pkeller on 24.10.2008 09:06
  Edited by: pkeller on 24.10.2008 09:10

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• Regarding Transfer speed in Cisco Any Connect

  Hi,
  I was trying to check transfer speed from Cisco Any Connect, with only ports opened in firewall 443 & 80 with 1 destination , but to complete data transfer of 50MB file it takes around 40mins, but if all ports are unblocked in Firewall with 1 destination ,it takes only 9mins.
  so wanted to know the correct port numbers which needs to be opened to make data transfer speed fast & why this behaviour.
  Please somebody help me.

  a customer has confronted me with a similar issue. They are using AnyConnect SSL Clients in their LAN, and noticed a severe performance drop on client side once connected via AnyConnect.  I have set this up in a lab environment to compare LAN performance with AnyConnect SSL performance.
  Win7 Client                                                                                                                
  AnyConnect                                              ASA5520                                                    Win7 iperf Server
  Secure Mobility -----------1Gb LAN---------------- v9.1.1---------------------1Gb LAN--------------------  TCP Window Size 4MB
  3.1.02040
  The ASA was configured from factory default and there was no traffic passing besides this test. AnyConnect used DTLS, and interface mtu on the ASA was 1500, the AnyConnect mtu was left unmodified, so I suspect the maximum of 1406 bytes was used.
  Result:
  - While AnyConnect was disconnected, Iperf reported bandwidth usage of about 300Mbps. This was what I was expecting.
  - As soon as I was connected via AnyConnect, the bandwidth usage dropped tp about 80Mbps. I expected a slight drop, but not this much.
  What causes such decrease in performance? Sure, if connected via the Internet, clients will most likely never notice this, but the customer uses AnyConnect SSL in a Gigabit LAN environment. Could the bottleneck be on the client side? The load and memory usage on the ASA side was very low. I have tried several ASA versions, but they all deliver similar results.

• When trying to use my banking apps I get the error "Network Required  This application requires an active Internet Connection.  Please try again"

  When trying to use my banking apps I get the error "Network Required  This application requires an active Internet Connection.  Please try again".  This happens with two different apps from two different banks.  One of them works occasionally and have not figured out why.  I have cell signal and I am on a strong WiFi network.  Same thing happens when I turn off the WiFi too.    I have tried uninstalling and re-installing the app with no improvement.   I can't seem to find any setting that would cause this.   Does anyone have any suggestions?  

  I can access the internet just fine in the browser and i can use any other app i have.
  Sent from my Verizon Wireless 4G LTE DROID