AnyConnect Mobile
Hi,
I just installed an AnyConnect Mobile license on an ASA 5510 but haven't had time to do much else. Does the ASA require any further configuration to support mobile clients, or will the existing AnyConnect setup suffice?
Thanks.
Additional tasks can be done, such as modifying the client profile for the tunnel group if you would like to control "Connect on Demand". This feature allows the app to establish a VPN tunnel when a specific URL suffix is matched. This requires cert authentication.
Similar Messages
-
Install Error when installing CISCO AnyConnect Mobility Client
When installing Cisco AnyConnect Mobility Client 3.1.02040, I get the following install error:
There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. -
Shared License Server / AnyConnect Mobile
I have a pair of 5540s with Premium and AnyConnect Mobile licenses. We purchased a pair of ASA 5545X and configured Shared Licensing; the client sees the license server and carried over the Premium licenses. The problem is that it will not share/carry over the AnyConnect Mobile licenses.
Any feedback is greatly appreciated.
5540 - License Server
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Enabled perpetual
Shared SSL VPN Peers : 500 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 50 perpetual
Total UC Proxy Sessions : 50 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5540 VPN Premium license.
This platform is a shared license server.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 4 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Enabled perpetual
Shared SSL VPN Peers : 500 perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 52 perpetual
Total UC Proxy Sessions : 52 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5540 VPN Premium license.
ASA5545X Devices
Corp-VPN1# show vpn-sessiondb license-summary
VPN Licenses and Configured Limits Summary
Status : Capacity : Installed : Limit
AnyConnect Premium : ENABLED : 2500 : 2 : NONE
AnyConnect Essentials : DISABLED : 2500 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 2500 : 2500 : NONE
Shared License Server : DISABLED
Shared License Participant : ENABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
AnyConnect for Cisco VPN Phone : DISABLED
VPN Licenses Usage Summary
Local : Shared : All : Peak : Eff. :
In Use : In Use : In Use : In Use : Limit : Usage
AnyConnect Premium : 0 : 0 : 0 : 2 : 2 : 0%
AnyConnect Client : : 0 : 1 : 0%
AnyConnect Mobile : : 0 : 0 : 0%
Clientless VPN : : 0 : 1 : 0%
Other VPN : : 0 : 0 : 2500 : 0%
Cisco VPN Client/ : : 0 : 0 : 0%
L2TP Clients
Site-to-Site VPN : : 0 : 0 : 0%
Shared License Network Summary
AnyConnect Premium
Total shared licenses in network : 500
Shared licenses held by this participant : 0
Shared licenses held by all participants in the network : 0
Thank you for the information. I ordered this product ->
L-ASA-AC-M-5545= AnyConnect Mobile - ASA 5545-X (req. Essentials or Premium)
The problem is that after I installed the license and rebooted, it removed my 3DES capability; it also disabled the ability to do license sharing (this is a client). Why would this be removed when I already had it active and am just trying to enable AnyConnect mobile functionality? See new show ver below. Help!
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
This platform has an ASA5545 VPN Premium license. -
How to disable product update on Cisco AnyConnect mobility client
Hello,
Does anybody know how to disable/turn off "Checking for product update" during _every_ connection of the Cisco AnyConnect Secure Mobility Client (VPN) to remote sites?
I found it may be possible on the ASA side, but I need to disable it on the client (computer). I can see that the check is NOT done when connecting to my company site, but when connecting to ANY OTHER site a new version is checked for every time. It takes some time ... and I need to switch between VPNs often.
Thank you for your help!
Regards, Ondrej
You should be able to do this in the AnyConnect local policy. Just add (or edit, if you already have a local policy file) the following to the local policy file:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="2.4.140" xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
<BypassDownloader>true</BypassDownloader>
</AnyConnectLocalPolicy>
The local policy file can be found here:
Windows Vista/7/8: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml
Linux/Mac: /opt/cisco/anyconnect/AnyConnectLocalPolicy.xml
See the Enabling FIPS and Additional Security in the Local Policy section of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for more details. -
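An added example, not part of the original reply and not Cisco code: a Python check that reads an AnyConnectLocalPolicy.xml and reports or changes BypassDownloader. The setting applies to every headend the client connects to, so it is worth auditing which machines carry it. The function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: same layout as the policy in the reply, with the setting off.
SAMPLE_POLICY = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<AnyConnectLocalPolicy acversion="2.4.140" '
    b'xmlns="http://schemas.xmlsoap.org/encoding/" '
    b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">\n'
    b'<BypassDownloader>false</BypassDownloader>\n'
    b'</AnyConnectLocalPolicy>\n'
)

# Constructed sample: root tag case differs between open and close, a common
# copy/paste corruption that makes the file invalid XML.
BROKEN_POLICY = (
    b'<anyconnectlocalpolicy acversion="2.4.140">\n'
    b'<BypassDownloader>true</BypassDownloader>\n'
    b'</AnyConnectLocalPolicy>\n'
)


def _load(policy_bytes):
    """Parse the policy and make sure the root element is the expected one."""
    root = ET.fromstring(policy_bytes)
    if root.tag.split("}")[-1] != "AnyConnectLocalPolicy":
        raise ValueError("not an AnyConnect local policy: root is %r" % root.tag)
    return root


def _find(root, name):
    """Find an element by local name, with or without the policy namespace."""
    for node in root.iter():
        if node.tag in (name, "{%s}%s" % (NS, name)):
            return node
    return None


def get_bypass_downloader(policy_bytes):
    """Return True/False as set in the file, or None when the element is absent."""
    node = _find(_load(policy_bytes), "BypassDownloader")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def set_bypass_downloader(policy_bytes, enabled):
    """Return a new policy document with BypassDownloader set to the given value."""
    root = _load(policy_bytes)
    node = _find(root, "BypassDownloader")
    if node is None:
        prefix = "{%s}" % NS if root.tag.startswith("{") else ""
        node = ET.SubElement(root, prefix + "BypassDownloader")
    node.text = "true" if enabled else "false"
    # Keep the default namespace and the xsi prefix instead of ns0/ns1.
    ET.register_namespace("", NS)
    ET.register_namespace("xsi", XSI)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def audit(policy_bytes):
    """Classify one policy file: malformed, not-set, bypass-on or bypass-off."""
    try:
        value = get_bypass_downloader(policy_bytes)
    except (ET.ParseError, ValueError):
        return "malformed"
    if value is None:
        return "not-set"
    return "bypass-on" if value else "bypass-off"


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
    print(audit(BROKEN_POLICY))
    print(set_bypass_downloader(SAMPLE_POLICY, True).decode("utf-8"))
```

To check a real machine, read the file at one of the paths listed above in binary mode and pass the bytes to `audit`.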
Running ASA ver 8.6(1)5.
Question is, do I need a license to run AnyConnect from our Android platforms?
Currently have the following licenses installed
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Any help would be appreciated.
Cheers
Dave
Yes, you need the AnyConnect for Mobile license. That will enable iOS and Android devices.
-
Anyconnect Mobility Client Latest Version
I bought an ISA570W IPS 6 months ago that came with version 2.5. I tried to download the latest version from the Cisco site and it required the serial number of my unit. I provided it and it didn't work, so I called Cisco, who told me that I have to have ANOTHER support contract in order to receive the download. That's a disgusting attitude. I paid for this unit and now might as well bif it away because I cannot even get Cisco's own VPN software, which is the only one that will work for VPNing into this unit! Ripoff!
If anyone could provide me a link to where I could get this software somewhere else, that would be helpful...please...?
Actually I don't understand why Cisco insists that this download be protected. I mean what else could you use this software for other than VPNing to a Cisco device?..sheesh.
There is an XML profile that AnyConnect can use (it is optional and some organizations choose to implement it and some choose to not implement it). One of the things that can be configured in the XML profile is a list of VPN servers. If your client's AnyConnect has the XML profile with servers configured then they will show up in the drop down list. If it is necessary to type in the address each time then your client should provision an XML profile that does have the servers configured.
HTH
Rick -
Anyconnect Secure Mobility client 3.1.05187 external DNS issues in Windows 8.1
I am using AnyConnect Mobility client 3.1.05187 on Windows 8.1 machine and for last couple of days I am not able to connect to external sites.
There are two network adapters active:
Ethernet (IP and DNS address obtained automatically)
Cisco AnyConnect Secure Mobility Client Connection (Tunnel Mode (IPv4): Split Include)
Cisco AnyConnect Secure Mobility Client 3.1.05187 VPN Statistics Details(Thu Jan 29 12:43:45 2015)
Connection Information
Tunnel Mode (IPv4): Split Include
Tunnel Mode (IPv6): Drop All Traffic
Duration: 00:03:23
I have checked for 'do not change default gateway' setting but it's not displaying for VPN connection.
I hope someone can help me out.
I'd start with installing the latest version of 3.1 and also try the latest version of 3.0.
Michael
Please rate all helpful posts -
Hi,
is there a way to limit AnyConnect profile only to mobile devices (Android, ipads, etc)?
We have AnyConnect mobile licence enabled but I would like to create an AnyConnect profile to allow only mobile devices to use it. I should have other AnyConnect profiles available for laptops, etc.
Appreciated.
Yes, you can use a dynamic access policy to drop connections using your AnyConnect mobile profile that are not using a specific AnyConnect client.
-
ASA5510 Security Plus + Anyconnect Essentials = BASE?
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
I'm sure this should be OK.
I had a similar problem with an ASA 5505 that had been upgraded to Sec Plus and subsequently Anyconnect Mobile. TAC were able to sort it out very rapidly and issue the correct license file. -
AnyConnect users cannot access internet
When AnyConnect users try to connect to the internet it will not let them out. I've included a copy of my config below. Also, I have a 5505 with base license but the AnyConnect for mobile is disabled. I got what seems to be a demo license from Cisco for 91 days. I thought that the base license came with AnyConnect for 2 devices. Why is the AnyConnect for mobile disabled by default?
ASA Version 8.4(2)
hostname ASA5505
domain-name <removed>
enable password <removed>
passwd <removed>
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
banner motd
banner motd +...................................................-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device will be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +...................................................-+
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.105.28.12
name-server 68.105.29.12
domain-name ok.cox.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE-HOSTS
subnet 10.10.10.0 255.255.255.0
object network AnyConnect-INET
subnet 192.168.10.0 255.255.255.0
access-list Internet_IN extended permit icmp any interface outside echo-reply
access-list Internet_IN extended permit icmp any interface outside
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AnyConnect-INET interface
object network INSIDE-HOSTS
nat (inside,outside) dynamic interface
access-group Internet_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd update dns both
dhcpd address 10.10.10.25-10.10.10.50 inside
dhcpd dns 68.105.28.12 68.105.29.12 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy "Client Group" internal
group-policy "Client Group" attributes
wins-server none
dns-server value <removed>
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value <removed>
split-dns value <removed>
webvpn
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username <removed> password <removed> privilege 15
username <removed> attributes
webvpn
anyconnect ask none default anyconnect
username <removed> password <removed> privilege 15
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool vpnpool
default-group-policy "Client Group"
tunnel-group TunnelGroup1 webvpn-attributes
group-alias ssl_group_users enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:943c1846a54a525f95905e6ebe313048
: end
I found part of my problem. There wasn't a nat (outside,outside) dynamic interface applied to the AnyConnect object network. The other half of my question is still a mystery. How come the AnyConnect for Mobile is off by default on a base license when it's supposed to come with 2 AnyConnect mobile licenses installed?
-
Anyconnect license for ASA5520
Dear Team,
Below is the configuration of one of our clients and they have requested for 50 Users Anyconnect License with software being installed on client.
ABC # sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 5.2(3)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
PSO-ASA up 110 days 22 hours
failover cluster up 110 days 22 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001e.f760.a75c, irq 9
1: Ext: GigabitEthernet0/1 : address is 001e.f760.a75d, irq 9
2: Ext: GigabitEthernet0/2 : address is 001e.f760.a75e, irq 9
3: Ext: GigabitEthernet0/3 : address is 001e.f760.a75f, irq 9
4: Ext: Management0/0 : address is 001e.f760.a760, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 001e.f760.b729, irq 255
8: Ext: GigabitEthernet1/1 : address is 001e.f760.b72a, irq 255
9: Ext: GigabitEthernet1/2 : address is 001e.f760.b72b, irq 255
10: Ext: GigabitEthernet1/3 : address is 001e.f760.b72c, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1210L21K
Running Activation Key: 0x7c1f6a6e 0x44e5b71d 0xa8b04110 0x9e043c5c 0x0d329294
Configuration register is 0x1
Configuration last modified by enable_15 at 10:58:52.275 UTC Wed Dec 18 2013
I have quoted them "L-ASA-SSL-50=" but am confused about the ASA licensing.
Please let me know if this is the right one or I have to quote something else?
Kindly let me know if we need to purchase client software for client based SSL VPN?
Regards,
Farhan.
Syed,
As per the "show version" output:
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Do you need AnyConnect Essentials or Premium?
Check:
AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 3.1
Cisco AnyConnect Secure Mobility Client Licensing Options
Table 2 lists licensing options for the Cisco AnyConnect Secure Mobility Client.
Table 2. Cisco AnyConnect Secure Mobility Client Licensing Options
License Requirements (each license below is required), followed by Description:
Cisco ASA Platform License
Cisco AnyConnect Essentials[2], P/N: L-ASA-AC-E-55**= (05, 10, 20, 40, 50, 80, 85)
• Highly secure remote-access connectivity
• Single license per ASA device model (not a per user license); enables maximum simultaneous users on platform
• Full-tunneling access to enterprise applications
Cisco AnyConnect Premium[3], P/N: L-ASA-SSL-***= (10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10,000)
• Also provides support for clientless SSL VPN and capabilities available on desktop AnyConnect platforms including Cisco Secure Desktop HostScan and always-on VPN connectivity
• License is based on number of simultaneous users, and is available as a single device or shared license (part number above is for a single device license)
Cisco AnyConnect Mobile License[5], P/N: L-ASA-AC-M-55*= (05, 10, 20, 40, 50, 80, 85)
• Enables Mobile OS platform compatibility
• Single license per ASA device model (not a per user license) is required in addition to Essentials or Premium licenses
Cisco AnyConnect Secure Mobility Client Licensing Options
Let me know if you have any further questions.
HTH. -
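An added example, not from any of the posts and not Cisco code: a Python parser for the "Licensed features for this platform" table that applies the rule quoted above (Mobile is required in addition to Essentials or Premium) and compares the table before and after a new activation key, the situation in the earlier post where 3DES and Shared License were lost. All three sample tables are constructed in the page's format, the function names are illustrative, and treating any non-zero Premium peer count as satisfying the base requirement is an assumption.

```python
# Constructed samples in the format of the "show version" tables quoted on this page.
BEFORE = """\
Licensed features for this platform:
Maximum VLANs : 300 perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
This platform has an ASA5545 VPN Premium license.
"""

AFTER = """\
Licensed features for this platform:
Maximum VLANs : 300 perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
This platform has an ASA5545 VPN Premium license.
"""

# Older software prints no "perpetual" column and calls Premium "SSL VPN Peers".
OLD_FORMAT = """\
Licensed features for this platform:
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect Essentials : Disabled
"""

# Names under which the Premium peer count appears in the outputs on this page.
PREMIUM_KEYS = ("AnyConnect Premium Peers", "SSL VPN Peers", "WebVPN Peers")


def parse_features(show_version):
    """Return {feature: value} for the first licence table in the output."""
    features, in_table = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features for this platform"):
            in_table = True
            continue
        if not in_table:
            continue
        name, sep, value = line.partition(" : ")
        if not sep:
            break  # first line after the table, e.g. "This platform has ..."
        value = value.strip()
        if value.lower().endswith("perpetual"):
            value = value[: -len("perpetual")].strip()
        features[name.strip()] = value
    return features


def mobile_problems(features):
    """List what stops mobile clients, or weakens them; empty list means none found."""
    problems = []
    if features.get("AnyConnect for Mobile") != "Enabled":
        problems.append("AnyConnect for Mobile is not enabled")
    peers = [int(features[k]) for k in PREMIUM_KEYS if features.get(k, "").isdigit()]
    if features.get("AnyConnect Essentials") != "Enabled" and max(peers, default=0) == 0:
        problems.append("no AnyConnect Essentials or Premium license to pair with Mobile")
    if features.get("VPN-3DES-AES") != "Enabled":
        problems.append("VPN-3DES-AES is disabled, so only DES is licensed")
    return problems


def regressions(before, after):
    """Features that went Enabled -> Disabled or whose count dropped after a new key."""
    lost = {}
    for name, old in before.items():
        new = after.get(name)
        if new is None or new == old:
            continue
        if old == "Enabled" and new == "Disabled":
            lost[name] = (old, new)
        elif old.isdigit() and new.isdigit() and int(new) < int(old):
            lost[name] = (old, new)
    return lost


if __name__ == "__main__":
    before, after = parse_features(BEFORE), parse_features(AFTER)
    print(mobile_problems(after))
    print(regressions(before, after))
```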
Performance : Anyconnect vs. IPSEC
Currently running a pair of 5520s as VPN routers, running 8.0.3; been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.
However, recently we tried testing some IPSEC clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPSEC client.
From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps.
Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?
Clients are all Windows 7, 64 bit, and the testing is being conducted on the same device.
Will do. sh vpn-any doesn't take.
Can't seem to find the same info as from ASDM. Seeing only one DTLS session below.
dhr-5668-fw# sh v?
version vlan vpdn vpn
vpn-sessiondb
dhr-5668-fw# sh vpn-sessiondb ?
detail Show detailed output
email-proxy Email-Proxy sessions
full Output formatted for data management programs
index Index of session
l2l IPsec LAN-to-LAN sessions
ratio Show VPN Session protocol or encryption ratios
remote IPsec Remote Access sessions
summary Show VPN Session summary
svc SSL VPN Client sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
| Output modifiers
dhr-5668-fw# sh vpn-sessiondb
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 23 : 1899 : 64
Clientless only : 0 : 301 : 5
With client : 23 : 1598 : 60 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 2 : 15 : 3
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 25 : 1914
License Information:
IPsec : 250 Configured : 250 Active : 2 Load : 1%
SSL VPN : 250 Configured : 250 Active : 23 Load : 9%
Active : Cumulative : Peak Concurrent
IPsec : 2 : 15 : 3
SSL VPN : 23 : 1899 : 64
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 25 : 1914
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 2 : 15 : 3
IPsec : 5 : 64 : 6
IPsecOverNatT : 10 : 167 : 11
Clientless : 23 : 1899 : 64
SSL-Tunnel : 23 : 3128 : 60
DTLS-Tunnel : 0 : 1 : 1
Totals : 63 : 5274 -
Blocking iPads via AnyConnect on the ASAs?
Has anyone successfully blocked iPads from using AnyConnect to VPN in? I can see how you can block the preinstalled IPSEC client via the IPSEC client rules, but I don't see how I can block an iPad or iPhone if they've installed the AnyConnect Mobile client.
The release notes for Anyconnect 2.4 for iPad have a section on how to do it. You have to use a Dynamic Access Policy to test for the OS.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/rn-ac2.4-apl4.2.html#wp1095241 -
I have heard that AnyConnect may be available for iPad at some point. Any idea as to when?
Todd - I am a little confused on how you can tell that Matt has the AnyConnect Premium Licence installed and only needs the AnyConnect mobile licence.
I am in the process of upgrading our ASA to accommodate the Anyconnect features for the iphone/ipad's in our organization and I just need to verify exactly what licenses I need. I know I need the mobile license, upgrade the IOS, but given what's listed below in my license snippet, I am covered for the AnyConnect SSL connectivity.
Thanks,
~Jeff
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 250
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2 -
Airwatch certificates anyconnect
Hi, we're using AnyConnect 3.1 for our VPN and have a requirement to accept iPhones and iPads on the VPN. Our iOS devices are controlled via an OEM MDM (Airwatch). We cannot seem to get AnyConnect to recognize the Airwatch certificates on the iOS devices. I see support for Airwatch in ISE, but cannot find it for AnyConnect. Can someone tell me if I need to install ISE for this or if AnyConnect supports it natively? (We have the AnyConnect mobile license).
Jon,
I ran across a similar problem where the certs import but do not show up on the AnyConnect client. But if the client connects it does present the correct cert to the ASA.