11 Jun 2024

Installing/Checking Cisco Anyconnect VPN/Secure Client licenses for Cisco ASA devices

There are currently two licensing models for Cisco Secure Client, that is until Cisco decides to change or rename them once again!

* Cisco Secure Client Plus

* Cisco Anyconnect APEX

The APEX features also cover the ones in Plus, so simply a basic and advanced license. The important thing is the change to a total unique-user and term-based model. This means if you have 1000 users, you buy 1000 licenses, even if you will never have 1000 concurrent connected users. Then you can install this license to as many Cisco ASA devices as you want. (Check  Reference Link #1 and under Sharing Process to install to devices with different serial numbers)

To check your current license in a Cisco ASA 8.3+ device, use the "show activation-key" command. Under Licensed features for this platform you will get the license numbers for this current device. The naming might be confusing here, so AnyConnect Premium Peers shows APEX licenses, AnyConnect Essentials shows Plus licenses.

The important thing here is, IF you have High Availability setup with active/standby units, the licenses will be combined. Different features have different calculations for combining the licenses. VPN licenses add up to each other. As long as the devices stay in the HA setup, they will both use the combined licenses numbers. 

The combined numbers are listed under: Failover cluster licensed features for this platform

For example primary device below has only 2 Premium licenses, but since the standby unit has 5000, both devices will be available for 5000 VPN users.

To check the actual licenses installed in the standby unit, use the command: "failover exec standby show activation-key"

You will receive activation keys, when you use PAK/PIN to generate licenses with the specific serial-numbers of the devices.

To install these use the command: "activation-key 0xXYZ 0xXYZ"

Don't forget to install a license on your Standby Unit! This will have to have been generated with the devices own serial number. Command: "failover exec standby activation-key 0xXYZ 0xXYZ"

I remind this, because if you ever separate the devices, and break the HA setup, the device will revert to the actual licenses installed on itself, instead of using the combined licensing model.

You can check the reference links below for Cisco Documentation on this topic.


fw# show activation-key

Serial Number:  FCHxxxxxxx
Running Permanent Activation Key: 0xXYZ 0xXYZ

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 500            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5555 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 500            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5555 VPN Premium license.

The flash permanent activation key is the SAME as the running permanent key.


References:

  1. Cisco Secure Client Licensing FAQ
  2. Cisco ASA Licensing documentation
  3. Secure Client Ordering Guide
  4. End-Of-Life announcement for Cisco Anyconnect Secure Mobility Client 4.x