There are currently two licensing models for Cisco Secure Client, that is until Cisco decides to change or rename them once again!
* Cisco Secure Client Plus
* Cisco Anyconnect APEX
The APEX features also cover the ones in Plus, so simply a basic and advanced license. The important thing is the change to a total unique-user and term-based model. This means if you have 1000 users, you buy 1000 licenses, even if you will never have 1000 concurrent connected users. Then you can install this license to as many Cisco ASA devices as you want. (Check Reference Link #1 and under Sharing Process to install to devices with different serial numbers)
To check your current license in a Cisco ASA 8.3+ device, use the "show activation-key" command. Under Licensed features for this platform you will get the license numbers for this current device. The naming might be confusing here, so AnyConnect Premium Peers shows APEX licenses, AnyConnect Essentials shows Plus licenses.
The important thing here is, IF you have High Availability setup with active/standby units, the licenses will be combined. Different features have different calculations for combining the licenses. VPN licenses add up to each other. As long as the devices stay in the HA setup, they will both use the combined licenses numbers.
The combined numbers are listed under: Failover cluster licensed features for this platform
For example primary device below has only 2 Premium licenses, but since the standby unit has 5000, both devices will be available for 5000 VPN users.
To check the actual licenses installed in the standby unit, use the command: "failover exec standby show activation-key"
You will receive activation keys, when you use PAK/PIN to generate licenses with the specific serial-numbers of the devices.
To install these use the command: "activation-key 0xXYZ 0xXYZ"
Don't forget to install a license on your Standby Unit! This will have to have been generated with the devices own serial number. Command: "failover exec standby activation-key 0xXYZ 0xXYZ"
I remind this, because if you ever separate the devices, and break the HA setup, the device will revert to the actual licenses installed on itself, instead of using the combined licensing model.
You can check the reference links below for Cisco Documentation on this topic.
fw# show activation-key
Running Permanent Activation Key: 0xXYZ 0xXYZ
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
References:
No comments:
Post a Comment