Cisco VPN :: 5520 - AnyConnect Essentials To Premium Upgrade
Jun 18, 2012
We upgraded and re-configured two existing ASA5520 platforms in order to provide an SSL VPN solution for one of our customers.
The customer opted to deploy AnyConnect Essentials; the functionality / features they required for day one were catered for in the Essentials license, and budget constraints meant Premium licensing could not be included in the original deployment.
The licenses added to the system were:
L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users)
ASA-AC-M-5520 AnyConnect Mobile - ASA 5520 (req. Essentials or Premium)
The customer is now seeing a growing number of mobile devices and wishes to support the BYOD culture growing within the business; as a result we now need to use features available in AnyConnect Premium. I am aware from reading the following document [URL] that AnyConnect Essentials and Premium licenses cannot co-exist on an ASA; I need to ensure we purchase the appropriate upgrade for the customer.
Is there an SKU to upgrade / migrate an existing Essentials deployment to Premium? I've reviewed the licensing guide and price list but cannot find a method which enables this transition.
We have instructed our user community to start their VPN sessions by connecting to our ASA 5520 with a browser to download (if necessary) and initiate the Anyconnect essentials VPN client. Everything was working fine until a few days ago.
We have had several people report the same problem. They connect with the browser, enter their login information and are greeted with our "authorized use only" message by the ASA. Then, instead of downloading (if necessary) and starting the VPN client software, the web page just goes back to the login prompt without displaying any error message. The client software is never downloaded or started.
We've been able to work around this by installing the client software manually (where necessary) and starting the VPN client from the start menu. However, this isn't our preferred solution because this method won't have them automatically picking up updated versions of the VPN client.
We have seen this behavior before when there was a pending Java update that had not been applied. However, that doesn't seem to be the case this time. Clients have recently updated to IE9, but I have personally been running the AnyConnect client and launching through IE9 for months.
Prior to version 8.4(1) Cisco called their licensing name for SSL/VPN users AnyConnect Premium SSL VPN and currently the new name of the licensing is simply AnyConnect Premium. Also, the IOS display name for the amount of SSL/VPN users enabled via your licensing (ex. 2, 10, 25, 50, ...) by running a 'show activation-key' was changed from SSL VPN Peers to AnyConnect Premium Peers. With that said, my question is if the license for upgrading 10 users to 25 users (L-ASA-SSL-10-25= - ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License) on an ASA prior to 8.4(1) and an ASA with 8.4(1) is still valid and the correct part number to perform these upgrades for both ASAs. The description of this part number is throwing me off because it says SSL VPN to Premium User, which was the name prior to 8.4(1). I could not locate any documentation regarding this part number or upgrading 10 users to 25 users for both ASAs.
I am making a BOM and I am asking myself: can we order on one platform (for example 5510-SEC-BUN-K9) the SSL Essentials license (this license is on the platform by default; we buy 250 users), when I need 50 of those user licenses to be Premium?
Can I buy those two licenses on the same platform, and will this work?
I have a Cisco ASA 5500 Series appliance. I'd like to use the Embedded CA. There's no documentation which states an AnyConnect Essentials license will suffice, over an AnyConnect Premium. url... hints at Essentials being enough, as it specifically mentions some features require Premium, but I really need to be sure. Using AnyConnect Essentials (so, anyconnect essentials: Enabled) AND the Embedded CA?
Recently upgraded a 5510 to Anyconnect Essentials and Anyconnect Mobile, the device was Security Plus and is now Base. Is it supposed to work this way? I lost my Gigabit interfaces. Is it possible to have Security Plus + Anyconnect Essentials?
I currently have an ASA5540 with 250 SSL VPN Premium licenses and am looking to purchase another 500 licenses on top of what I already have. I have been told that I can't simply add 500 licenses onto the 250 to make 750 in total and that I need to purchase a 250-500 license or 250-1K license. Is this correct? I ask this because on the Cisco website there are L-ASA-SSL-250-500= & L-ASA-SSL-500-750= part numbers?
2 x ASA5520 with SSM20. Using AnyConnect 3, users are not getting disconnected from the ASA even after the VPN client is closed. Users would not be able to login from the same IP until the session is active. Manual clearing of the session enables the user to log back in.
I have a query regarding MAC authentication for end systems on ASA 5520. In spite of providing the MAC address in endpoint authentication along with AAA, only AAA attribute policies are getting created. MAC authentication is not happening.
Is there any requirement, like LDAP or AD, for MAC authentication?
I have an ASA 5520, software 8.2(3). When I try to configure AnyConnect I don't get the SSL and the telnet options for the connection. Bear in mind that I don't have the AnyConnect software on my ASA, nor do I have any certificate. Is it essential to get a certificate? Do I have to buy it, knowing that it will only be used by our company's partners? If not, how do I get it?
We are currently using Cisco VPN Client. I'm looking to migrate to Cisco AnyConnect. Our ASA 5520 has 750 IPSec and 2 SSL licenses. I also have approximately 40 IPSec site-to-site VPNs on this. Will AnyConnect interfere with the site-to-site tunnels? If I set up AnyConnect with IPSec instead of SSL, do I still need to purchase the Premium or Essentials license? Let's say I do have to get the license and I get Essentials: will it cause any issues with the site-to-site VPNs?
We have an ASA 5520 with two VPN profiles working fine. Since some users are now working with Windows 8, VPN clients for Cisco ASA are not able to connect. I have read there are problems for such VPN clients in that OS, and I should now use AnyConnect for them to connect. I thought we had AnyConnect working also, because some users can connect to a web page where they can do some kind of connections to internal servers (web, telnet, rdp, etc.), so I installed the Cisco AnyConnect VPN client on a laptop and tried to connect (same IP and port I used for that web page), but after signing I get the message AnyConnect is not enabled on the VPN Server. So I tried to follow a configuration guide for AnyConnect, but there's a step in which I am trapped. These are the steps: Click Configuration, and then click Remote Access VPN.
My client is upgrading from AnyConnect 2.5.2014 to 3.1.00495. The ASA is an ASA 5520 running version 8.2(5)33 and is in an active/standby failover pair. When trying to push out the new 3.1 from the pair to Windows 7 and XP machines, he gets the error "Failed to get configuration from secure gateway. Contact your system administrator". When he tries to push 2.5.2014 and 2.5.6005 out from the pair this works fine. When pushing the 3.1 out from a stand-alone test ASA 5520 it works fine.
We have bought L-ASA-AC-PH-5520= AnyConnect VPN Phone License for our Cisco phones, but when we entered this license into our ASA it shows the following, i.e. enabled for Linksys phones. Is there a different part no. to enable VPN for Cisco phones? [code]
We currently are using the AnyConnect client using certificates for authentication (ASA 5520 v8.4). It works pretty well but I can only get it to work on a profile basis on the clients' laptops. We are running Windows 7 and if multiple users need VPN I have to install the certificate for each user. I have changed the XML profile to read the certificate store to "all" and true for certificate store override. I am installing the certificate in the trusted root certificate store. Is there a way for AnyConnect to authenticate for all profiles (users) on the laptop?
I have an ASA 5520 and I am having trouble getting the AnyConnect VPN authentication timeout feature to work properly. I thought I did have it working a couple of months ago, but right now it is not giving me more than the default 12 seconds. I have tried intervals of anywhere from 25 seconds up to 120. I am currently running version 6.4 on the ASA and AnyConnect 2.5.3055.
We currently have a setup where users connect to the inside of a firewall using the IPsec client. We are moving them to the AnyConnect client but are unable to get it to work; we cannot even get a WebVPN page on the inside.
When trying to connect with AnyConnect, the ASA reports an IKE initiator fail on the inside and no TCP connection flag. We cannot get any response with WebVPN either. I have tried using a different TCP port on WebVPN, but then the ASA denies the traffic even though there are no rules denying it.
I have noticed that the error "unable to process response from x.x.x.x" when using AnyConnect is very common and that the actions to handle it are different. Right now I have the same issue. Let's name it "the message" =)
We are running: ASA 8.2(2) . AnyConnect 2.5.1025
In my scenario, we used to be able to connect to the ASA using AnyConnect but suddenly it stopped working, showing "the message" =) We did this procedure, but it did not work for us.
My first question would be: How can I obtain more information so I can get a better idea to handle "the message"?
The next step I am about to do is upgrade the AnyConnect client to 2.5.2019. According to the release notes, this version is supported with ASA 8.2(22)
I also noticed that the AnyConnect client can be installed with a component named Cisco Diagnostic and Reporting Tool (DART). Could this tool be useful to troubleshoot "the message"? What kind of information can DART give us? Where can I find the files it captures?
I am setting up Clientless Anyconnect on ASA 5520. I have a Verisign Cert but when I go to Certificate Management-->CA Certificates-->Add, I put everything in and click "install certificate" I get an error. FYI I have the Primary Cert Authority Installed already?
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it is a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN.)
I currently have a Cisco 5520 ASA which is up and running and the users are able to connect to Anyconnect to VPN into the network. However, users plugged into the internal network inside the ASA are unable to connect to the vpn address and download the Anyconnect Client. I think this may be to do with reverse NAT missing?
Attempting to upgrade from ASA 8.3.2, ASDM 6.3.4, Any Connect 2.5.1 to ASA 8.4(4)1, ASDM 6.4(9) and Any Connect 3.1.00495 using ASA 5505.
Client is Windows XP SP3 w/ IE7. Can log into the ASA web portal and starts to install via ActiveX. I get past the IE7 message bar to authorize installing the ActiveX control. I briefly see a message that says "ActiveX could not be launched" (I think. It is very fast) and then the install hangs w/ the message in the web connect dialog about the IE7 message bar. If I let the timer expire, the java install also fails. If I download the installer via the web portal, and install Any Connect via the downloaded installer, everything works fine.
Same problem w/ ASA 9.1.1, ASDM 7.1(1) and Any Connect 3.1.02026. I have added the web page address to the trusted zone, and checked all the zones for permissions to install ActiveX controls, etc. Worked w/ the older/original software when I remove the kill bit for Microsoft KB2736233. Have not installed any custom Any Connect profile to use transforms. I did see in the release notes some information on NO INSTALL ACTIVEX=0, but I think this applies to the per-install package only.
I just started configuring AnyConnect with ASA 5520 that uses Cisco SecureACS to pass radius authentication. I configured two profiles with different split tunnel restrictions and what I discovered is that when the client connects to the ASA, they are provided a choice of these two groups (I guess there is no way to restrict this) and I can log into either one with any user account. How do I restrict this so that the user can only use one profile? Currently users capable of VPN would be placed in one specific AD group so that is what SecureACS checks. Is there a sample configuration guide to handle multiple profiles with different levels of access?
I have a VPN setup thru a Cisco 5520. Windows clients connect just fine and the end users configure their browsers to use our internal proxy servers. Users with the Mac OS X AnyConnect client can connect, and they configure their Mac to use our proxy server, but the browsers will not work. Clients can reach networks and resources behind the VPN gateway and have access to the proxy (tried a telnet to that hostname/port). I am running ASA 8.3(2), AnyConnect (OS X) 3.1.01065.
I have been successfully able to setup Cisco AnyConnect VPN on ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS Server (Microsoft Windows 2008 NPS server). I have noticed one thing, on the server under "Constraints and Authentication Method". I picked MS-CHAP-v2, but it is considered Less secure authentication methods. I can click on Add and choose other Authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP but then the VPN does not work.
So first of all, does it really matter if I just leave it at MS-CHAP-v2? Because from my understanding, AnyConnect will authenticate to the ASA and then the ASA in the backend talks to the RADIUS server, so from a security standpoint shouldn't this scenario be sufficient, as no unencrypted or less secure information is available to the outside world? Secondly, is there any documentation on using PEAP with Cisco AnyConnect?
I have 50 SSL Premium licenses on my ASA 5520 running 8.4. I want to run AnyConnect on iPad and iPhone devices but it seems that this requires a Mobile license on top of the Premium license. Is it possible to receive an evaluation license for this? It will take a few days to receive permanent licenses and I want to use this now.
I need to activate AnyConnect SecureMobility client on an IPAD. I have an ASA with the below feature licenses:
This platform has an ASA 5520 VPN Plus license
As I've understood that I need the ASA-AC-M-5520 license for each IPAD used but they mentioned that we need also the Essential or premium license to be activated on the ASA as well. As shown above, I have the "VPN Plus license" activated on the firewall.
While users are connecting through AnyConnect, AnyConnect doesn't check endpoint attributes. I've configured a check for the process "notepad.exe", but it doesn't work. There is no check for the process "notepad.exe" in the output of debug dap trace (see attached).
ASA 5520 ver 8.4(1) AnyConnect 3.1.02040 HostScan 3.1.02043 CSD 3.6.6234
I have an ASA 5520 running ver 8.3.(2)8 and configured for AnyConnect VPN. While testing for iPads and iPhones we noticed that on connecting it disconnects a few times before finally connecting. These are the messages logged in the ASA. I don't see authentication as an issue. Results are better with wifi compared to 3G. [Code]