Cisco AnyConnect vs. IPsec VPN: Licensing considerations

CCIE Brandon Carroll looks at the licensing issues for both Cisco AnyConnect and IPsec and offers advice on which one might be the better choice for your environment.

It doesn't take a genius to figure out that the new sweet spot for Cisco Systems is licensing. It is a huge revenue stream for them, and they have certainly capitalized on it. Take, for example, IPsec versus SSL VPN. It seems that any time VPN comes up these days with Cisco, the conversation leans toward AnyConnect. What is AnyConnect? AnyConnect is the SSL VPN client that Cisco is pushing these days. Is it better than IPsec? In my opinion it is, but you may be surprised why. In an article on, I found this statement regarding IPsec VPN:

"The con is that it can be a financial burden to maintain the licenses for the client software and a nightmare for tech support to install and configure the client software on all remote machines - especially if they can't be on site physically to configure the software themselves."

This is where I have to disagree. Installing and maintaining an IPsec VPN client does take some effort, but when it comes to licensing, it is SSL VPN that carries the cost. Here is what I'm talking about. When I run show version on my Cisco ASA, I see the following:

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.

You'll notice that the output shows only two SSL VPN Peers. That is because Cisco makes you license SSL VPN peers separately (the two you see are the base entitlement that comes with the box), while the 750 Total VPN Peers already covers IPsec. Also, Cisco distinguishes a few different types of SSL VPN, even though under the hood they are all SSL VPN no matter how you slice and dice it. Here are the differences:

  • Clientless SSL VPN: you access a VPN portal using a standard web browser and the SSL capabilities that come with it. This is a nice solution for mobile users who do not need a great deal of access, or for those who want a web-style interface with customized links to resources on the inside. All of those resources are, of course, protected by the SSL tunnel.
  • AnyConnect: this works much like an IPsec client would. Users get full-tunnel access on native application ports, and the client can be installed automatically when a user logs into the SSL VPN portal. That works even if you do not allow access to the portal interface itself; the client download can still occur.

One thing you'll note is the AnyConnect Essentials option. This is a licensed feature that lets you run AnyConnect SSL VPN sessions up to the platform's Total VPN Peers limit instead of the separately purchased SSL VPN Peers count. The catch is that with Essentials you can't use clientless SSL VPN (the web portal) at all. In fact, you even lose the two SSL VPN peer licenses that come free with an ASA when you purchase it.

Additionally, Cisco has written AnyConnect clients for the iPhone and iPad. Again, this is nothing more than an SSL VPN, but it's yet another "feature" that you have to fork out the cash for. Yes, this requires another license: the AnyConnect for Mobile line in the output above, which on my box is Disabled.
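To make those licensing rules concrete, here is a small added example (my own code, not from the article or from Cisco) that parses the Licensed features block of show version and reports which remote-access methods the ASA can actually serve, and for how many concurrent users. The sample input is the license output quoted above, embedded as a constructed string; the mapping from license lines to capabilities in vpn_capabilities() follows the article's reading of the SSL VPN Peers, Total VPN Peers, AnyConnect Essentials and AnyConnect for Mobile lines and is a deliberate simplification, not a Cisco specification.

```python
"""Audit the 'Licensed features' block of a Cisco ASA 'show version'.

Added example for this article, not code from the article or from Cisco.
The rules in vpn_capabilities() are a simplification of the licensing
behaviour the article describes (an assumption, not a Cisco spec).
"""
import re
from dataclasses import dataclass

# Constructed sample input: the license block quoted in the article for an
# ASA 5520 carrying a VPN Plus license.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.
"""

# "Feature name : value"; names may contain spaces, digits, '/' and '-'.
_FEATURE_RE = re.compile(r"^(?P<key>[A-Za-z0-9/ \-]+?)\s*:\s*(?P<val>\S.*?)\s*$")


def parse_licensed_features(text: str) -> dict:
    """Map each 'Name : value' line to int, bool (Enabled/Disabled) or str."""
    feats = {}
    for raw in text.splitlines():
        m = _FEATURE_RE.match(raw.strip())
        if not m:
            continue  # header line, blank line, trailing platform sentence
        key, val = m.group("key"), m.group("val")
        if val == "Enabled":
            feats[key] = True
        elif val == "Disabled":
            feats[key] = False
        elif val.isdigit():
            feats[key] = int(val)
        else:
            feats[key] = val  # e.g. "Unlimited", "Active/Active"
    return feats


@dataclass
class VpnCapabilities:
    clientless_ssl: bool     # is the browser portal usable at all?
    anyconnect_peers: int    # concurrent AnyConnect (full-tunnel SSL) sessions
    anyconnect_mobile: bool  # AnyConnect on iPhone/iPad licensed?
    ipsec_peers: int         # classic IPsec client sessions; no add-on license


def vpn_capabilities(feats: dict) -> VpnCapabilities:
    """Derive usable VPN methods from the parsed license lines (simplified)."""
    ssl_peers = feats.get("SSL VPN Peers", 0)
    total_peers = feats.get("Total VPN Peers", 0)
    mobile = bool(feats.get("AnyConnect for Mobile", False))
    if feats.get("AnyConnect Essentials", False):
        # Essentials: AnyConnect sessions up to the platform total, but the
        # clientless portal is off and the base SSL peer entitlement is lost.
        return VpnCapabilities(False, total_peers, mobile, total_peers)
    # Without Essentials every SSL session (portal or AnyConnect) draws from
    # the separately licensed SSL VPN Peers pool; IPsec draws from Total VPN Peers.
    return VpnCapabilities(ssl_peers > 0, ssl_peers, mobile, total_peers)


def licensed_for(feats: dict, method: str, users: int) -> bool:
    """True if the license can serve `users` concurrent sessions of `method`."""
    caps = vpn_capabilities(feats)
    limits = {
        "clientless": caps.anyconnect_peers if caps.clientless_ssl else 0,
        "anyconnect": caps.anyconnect_peers,
        "anyconnect-mobile": caps.anyconnect_peers if caps.anyconnect_mobile else 0,
        "ipsec": caps.ipsec_peers,
    }
    return users <= limits[method]


if __name__ == "__main__":
    feats = parse_licensed_features(SAMPLE_SHOW_VERSION)
    print(vpn_capabilities(feats))
    for method in ("clientless", "anyconnect", "anyconnect-mobile", "ipsec"):
        print(f"{method:18s} 50 users: {licensed_for(feats, method, 50)}")
```

Run against the output above, the script reports two usable AnyConnect or portal sessions, no mobile AnyConnect, and 750 IPsec sessions, which is the whole point of the article in one line of output. Paste the Licensed features block from your own ASA into SAMPLE_SHOW_VERSION to audit a box before promising users an SSL VPN rollout.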

Bottom line, AnyConnect is the cash cow as far as VPN is concerned, and while it may be the better solution with longer-lasting support in the long run, the IPsec client is free on the iPad and iPhone and does NOT require additional licensing to use. If you want to fork out the money, I would get the SSL licensing, but only if I could afford AnyConnect Premium so I can do whatever I need to with the ASA. If not, use the IPsec capability and you'll probably be just fine.