
Cisco AnyConnect vs. IPsec VPN: Licensing considerations

CCIE Brandon Carroll looks at the licensing issues for both Cisco AnyConnect and IPsec and offers advice on which one might be the better choice for your environment.

It doesn't take a genius to figure out that the new sweet spot for Cisco Systems is licensing. It is a huge revenue stream for them, and they have certainly capitalized on it. Take, for example, IPsec versus SSL VPN. It seems that any time VPN comes up with Cisco these days, the conversation leans towards AnyConnect. What is AnyConnect? AnyConnect is the SSL VPN client that Cisco is pushing these days. Is it better than IPsec? In my opinion it is, but you may be surprised why. In an article on About.com, I found this statement regarding IPsec VPN:

"The con is that it can be a financial burden to maintain the licenses for the client software and a nightmare for tech support to install and configure the client software on all remote machines - especially if they can't be on site physically to configure the software themselves."

This is where I have to disagree. While there are implications to installing and maintaining an IPsec VPN client, I think the licensing battle goes to SSL VPN. Here is what I'm talking about. When I run show version on my Cisco ASA, I see the following:

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.

You'll notice in the output that I have only two SSL VPN Peers. This is because Cisco makes you license SSL VPN peers. Also, there are a few different types of SSL VPN in Cisco's eyes, even though they are all SSL VPN, which is pretty much the same thing no matter how you slice and dice it. So here are the differences:

  • There is clientless SSL VPN, where you access a VPN portal using a standard web browser and the SSL capabilities that come with it. This is a nice solution if you have mobile users that do not need a great deal of access, or for those that want a web-type interface with customized links to resources on the inside. All of these resources are, of course, protected by the SSL tunnel.
  • There is AnyConnect. This is very similar to how an IPsec client would function: users can have full-tunnel access on native application ports, but this client can be installed automatically by having a user log into the SSL VPN portal. This works even if you do not allow access to the actual portal interface; a download of the client can still occur.

One thing you'll note is the AnyConnect Essentials option. This is a licensed feature that gives you unlimited AnyConnect SSL VPN sessions. The catch is that when you have Essentials you can't use clientless SSL VPN (the web portal). In fact, you even lose the two SSL VPN licenses that come free with an ASA when you purchase it.

Additionally, Cisco has written AnyConnect clients for the iPhone and iPad. This is, again, nothing more than an SSL VPN, but it's yet another "feature" that you have to fork out the cash for. Yes, this requires another license.

Bottom line: AnyConnect is the cash cow as far as VPN is concerned, and while it may be the better solution with longer-lasting support in the long run, the IPsec client is free on the iPad and iPhone and does NOT require additional licensing. If you want to fork out the money, I would get the SSL licensing, but only if I could afford AnyConnect Premium so I can do whatever I need to with the ASA. If not, use the IPsec capability and you'll probably be just fine.
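To make the licensing rules above concrete, here is an added Python example (not from the article or from Cisco) that parses the licensed-features block from show version and reports which VPN modes the box can actually terminate, with and without AnyConnect Essentials. It assumes, following the comments below rather than the article's "unlimited", that Essentials lets AnyConnect use the platform's Total VPN Peers count.

```python
# Constructed sample: the relevant "Licensed features" lines from the article's ASA.
SHOW_VERSION_LICENSE = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
AnyConnect for Mobile        : Disabled
AnyConnect Essentials        : Disabled
"""


def parse_license_block(text):
    """Map each 'Feature : Value' line of the block to {feature: value}."""
    feats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the header line, whose value is empty
            feats[key.strip()] = value.strip()
    return feats


def _peers(value):
    """'Unlimited' becomes None; any other value is a peer count."""
    return None if value == "Unlimited" else int(value)


def vpn_capacity(feats):
    """Apply the article's licensing rules to a parsed block.
    IPsec peers cost nothing beyond Total VPN Peers. Without Essentials,
    AnyConnect and the clientless portal share the SSL VPN Peers count (two
    on a fresh ASA). With Essentials, AnyConnect gets Total VPN Peers
    (assumption from the comments) but the clientless portal is lost.
    AnyConnect on iPhone/iPad needs 'AnyConnect for Mobile'; IPsec does not.
    """
    total = _peers(feats.get("Total VPN Peers", "0"))
    ssl = _peers(feats.get("SSL VPN Peers", "0"))
    essentials = feats.get("AnyConnect Essentials") == "Enabled"
    return {
        "ipsec_peers": total,
        "anyconnect_peers": total if essentials else ssl,
        "clientless_portal": not essentials,
        "anyconnect_mobile": feats.get("AnyConnect for Mobile") == "Enabled",
        "ipsec_mobile": feats.get("VPN-3DES-AES") == "Enabled",
    }


def with_essentials(text):
    """Re-evaluate the same block as if AnyConnect Essentials were licensed."""
    feats = parse_license_block(text)
    feats["AnyConnect Essentials"] = "Enabled"
    return vpn_capacity(feats)
```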

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.

19 comments
bklapholz

With the list of SKUs provided below, I'm wondering if it is possible to: have the pair of ASA 5510s running in Active/Active (with or without stateful failover) that are also running the Content Security and Control Security Services Module (CSC-SSM) at a company's main site; AnyConnect (Essentials); and VPN tunnels from the 5510s to 3 remote branch sites with an ASA 5505 on the other end (1 at each branch office)? If not, what is the most cost-effective way to meet these requirements?

List of SKUs:

2 x ASA 5510s (CSC-SSM Bundle, Sec+ Add-on, & AnyConnect Essentials VPN)
- ASA5510-CSC20-K9
- L-ASA-AC-E-5510
- ASA5510-SEC-PL
- CON-SNT-AS1C20K9

3 x ASA 5505s (remote sites)
- ASA5505-UL-BUN-K9
- CON-SNT-AS5ULBK9

And as a separate but related follow-up: what if the customer wants IPS as well and the following SKUs were tossed in the picture?

1 x ASA 5520 (with Advanced Inspection Module - AIP)
- ASA5520-AIP20-K9
- CON-SU1-AS2A20K9

kynov

And here's an even better solution: Barracuda SSL VPN. We have/had an IPSEC Cisco VPN Concentrator 3000 for a while and it was such an inconvenience to install the client every time someone got a new laptop or home computer. With the Barracuda unit there are no licensing restrictions, and you can go clientless through the browser or download a client that creates the tunnel so you can use all your other applications. I have no connections to Barracuda Networks; this is just my opinion based on what we were using and what we are using now.

Jellimonsta

Actually, if you want to use a 64-bit OS to get into your Cisco VPN, you will need to use the AnyConnect client. The Essentials license is cheap, and you can put images for Mac, Linux and Windows on your ASA for client downloads. All in all, it is a pretty good solution, even if you have to fork over a little more $.

petedavis

Hi Brandon, the list price (prior to discount) for you to support 750 simultaneous AnyConnect users in your environment is $250 (L-ASA-AC-E-5520=), and add another $250 for Mobile (L-ASA-AC-M-5520=). While it is true that Cisco requires additional licenses for AnyConnect and Mobile, we have worked very hard to ensure that the prices charged are nominal. Feel free to reach out to us at any time to receive clarification or discuss at ac-mobile-license-request AT cisco.com.

Best Regards,
Pete Davis
Product Manager
Cisco Systems, Inc.

robo_dev

And my opinion is that OpenVPN is awesome.

Jellimonsta

If someone has already replaced an edge firewall device (PIX or otherwise) with an ASA 5520, all they need is the $250 license for AnyConnect Essentials and they have VPN for up to 750 users. The AnyConnect client can be downloaded automatically so there is no need for someone to manually install the client on a remote system. We started using it here about a year ago, and I am pretty happy with it.

djdawson

This used to be true, but Cisco does now have a version of their IPSec client for 64-bit versions of Windows. It's not always available in the latest version, but if you go back a version on the software download page you should see it.

christelles

Hi, I am running a Windows Server 2008 in the cloud and need to connect using IPSEC to a server that is configured with a Cisco ASA 5540. What VPN client would be compatible? How do I get access to it? What is the price? We are a small company specialized in mobile applications. You are talking in this thread about AnyConnect Essentials. Is that a hardware or software solution? Thanks, Christelle

n14nguyen

Can I use the 2 free SSL VPN licenses to create the VPN connection for the iPhone and iPad? I have the ASA 5510 with IOS version 8.3, and only the system admin needs to VPN into the network for maintenance. Regards, Nelson

RTG05

These licenses that you mention are obviously the lower-cost licenses offered. What are the "environment" licenses good for? The mobile licenses are self-explanatory. Would you also like to share the cost of L-ASA-SSL-50= and the steps up to 250 or even the 750 that are mentioned? What is the cost of these licenses should you want to keep your ASAs in an Active/Active configuration? I guess "nominal" depends on the perspective. From the perspective of an end user, these 'nominal' charges are causing me to consider alternative solutions to Cisco. Sincerely, Former Cisco Advocate

DevITIS

Interesting read. Anyone ever used OpenVPN? Who can say how it would compare versus, say, IPsec? I hadn't heard of IPsec before this article because my school uses AnyConnect, but from what I've read on OpenVPN it seems to be a rather powerful VPN as well, especially for the price (free).

rjluvkc

Are you saying that for 250 bucks we get a 750-user license for AnyConnect? Also, does it still allow unlimited site-to-site tunnels, or is there licensing for that now?

sherry

Can someone tell me how to configure more than 2 SSL VPN peers when I have licensed L-ASA-AC-E-5520= (AnyConnect Essentials VPN License - ASA 5520, 750 Users)? My console shows:

License Information:
IPsec   : 750   Configured : 750   Active : 0   Load : 0%
SSL VPN : 750   Configured : 2     Active : 0   Load : 0%

I can only connect 2 AnyConnect clients at a time. Do I need to purchase something in addition to AnyConnect Essentials?

kynov

Yes, that's true I guess. We are still rocking an EOL PIX 515e.

Jellimonsta

I haven't looked for an IPSec client for about a year or so, and the verbiage I was reading then said Cisco had no plans on writing a 64-bit client any time soon. Hence we went with AnyConnect. However, the fact that I don't need to mess around with installing clients on remote systems, and they can pull from the web page, is a really nice plus. :)

robo_dev

For several years now. It is totally completely awesome. Note that Barracuda basically took that code, added about 50 features to it and made it into their product. For an enterprise, I would go with either the Cisco ASA SSL VPN or the Barracuda product. For personal or small business, the OpenVPN solution would be ideal.

philip.richardson

Assuming you've bought the AnyConnect Essentials, licensed it and applied the relevant activation key, then you might want to try the following, as I think I had this with a customer before too... I recall something along the lines of:

vpn-sessiondb max-webvpn-session-limit 750
vpn-sessiondb max-vpn-session-limit 750

Or, under the group policy/policies for the VPN, you might try:

vpn-simultaneous-logins 750

A copy of the show version may help, as Pete has indicated below.

Phil

petedavis

Hi Sherri, Please send a copy of 'show version' to 'ac-mobile-license-request AT cisco.com' and we will be glad to help you troubleshoot.