Demystifying Cisco AnyConnect 4.x Licensing. Plus, Plus Perpetual, Apex & Migration Licenses for Cisco IOS Routers & ASA Firewalls (5500/5500-X Series). Supported Operating Systems & Ordering Guide

In late 2014, Cisco announced the new licensing model for the latest AnyConnect Secure Mobility client v4.x. With this new version, Cisco introduced a number of new features, but also simplified the licensing model which was somewhat confusing. In this article, we will take a look at the new AnyConnect 4.x licenses which consist of: AnyConnect Plus license, AnyConnect Plus Perpetual license and AnyConnect Apex license.
 
We will also show how the new licenses map to the older AnyConnect Essentials and AnyConnect Premium license, plus the available migration paths. Finally, we also take a look at Cisco’s Software Application Support (SAS) and Software Application Support plus Upgrade (SASU), which are required when purchasing AnyConnect.

All AnyConnect licenses prior to version 4 had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now have one of the three licensing options:

• Cisco AnyConnect Plus License (Subscription Based)
• Cisco AnyConnect Plus Perpetual License (Permanent – no subscription)
• Cisco AnyConnect Apex License (Subscription Based)

With the new AnyConnect licenses, Cisco has moved to a subscription-based licensing model which means customers will unfortunately need to fork out more money in the long run.  The Plus Perpetual License on the other hand allows Cisco customers to purchase a one-time license, however the license costs significantly higher than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Since the newer AnyConnect licenses are subscription-based, according to Cisco, if their subscription expires and is not renewed, they will stop working.
 
Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:

• Windows 8.1 (32bit & 64Bit)
• Windows 8 (32bit & 64Bit)
• Windows 7 (32bit & 64Bit)
• Linux Ubuntu 12.X 64Bit
• Linux RedHat 6 64Bit
• Mac OS X 10.10 – 10.8

As expected, Windows XP is no longer supported.

Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:

Figure 1. Mapping AnyConnect 3.x Essentials & Premium to AnyConnect 4.x Plus & Apex

Related AnyConnect Articles on Firewall.cx:

• Configuring Cisco SSL VPN AnyConnect 3.x (WebVPN) on Cisco IOS Routers
• WEB SSL VPN - The Next Wave Of Secure VPN Services

Cisco AnyConnect Plus License (Old Essentials License) 5, 3 or 1-Year Term

The AnyConnect Plus License is a subscription-based license with the option of a 5, 3 or 1-year renewable subscription and supports the following features:

• VPN Support for Devices. Includes Workstations and Laptops.
• Secure Mobility Client support (AnyConnect Mobile). Includes mobile phones, tablets etc.
• SSL VPN (Client-based)
• Per-app VPN. Authorize specific applications access the VPN.  Supports specific devices and software.
• Basic endpoint context collection
• IEEE 802.1X Windows supplicant
• Cisco Cloud Web Security agent for Windows & Mac OS X platforms
• Cloud Web Security and Web Security Appliance support
• Cisco Advanced Malware Protection for Endpoints Enabler. AMP for Endpoints is licensed separately
• Network Access Manager
• Federal Information Processing Standards (FIPS) Compliance

It is worth noting that AnyConnect 3.x required the purchase of Essentials or Premium license + AnyConnect Mobile (L-ASA-AC-M-55xx) in order to support mobile devices (Smartphones, Tablets etc.).  AnyConnect Mobile is now integrated into the new AnyConnect Plus license.

Cisco AnyConnect Plus Perpetual (permanent) License

The AnyConnect Plus Perpetual license supports the same features as the Plus license above, but with the difference that it is a permanent license.
 
The customer purchases it once and does not have any subscription services, however it is still required to purchase a software application support plus upgrade (SASU) contract. This is covered in detail at the end of this article.

Customers considering the Plus Perpetual license should compare costs with the subscription-based license to see if it is worth going down that path.

Cisco AnyConnect Apex License (Old Premium License)

The AnyConnect Apex License includes all offerings in the AnyConnect Plus license plus the following:

• All AnyConnect Plus features
• Clientless (browser-based) VPN Termination on the Cisco ASA Firewall appliance
• VPN compliance and posture agent in conjunction with the Cisco ASA Firewall appliance
• Unified compliance and posture agent in conjunction with the Cisco Identity Services Engine (ISE) 1.3 or later
• Support for stronger Next-generation encryption (Suite B)

The AnyConnect Apex license is only available as a subscription-based license. There is no perpetual license available.
 
The Next Generation Suite B encryption supports the following stronger encryption standards:

• Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits.
• Elliptic Curve Digital Signature Algorithm (ECDSA) — digital signatures
• Elliptic Curve Diffie–Hellman (ECDH) — key exchange agreement
• Secure Hash Algorithm 2 (SHA-256 and SHA-384) — message digest

Purchasing AnyConnect Licenses & Important Notes – Understand SAS & SASU For AnyConnect

While AnyConnect licensing has been simplified, there are still a few important areas we must be aware of to avoid licensing and future upgrade issues.

Before we dive in, we need to clarify what Software Application Support (SAS) and Software Application Support plus Upgrade (SASU) is because they are required with AnyConnect licenses:

SAS:  Provides access to Cisco’s latest software application updates (e.g AnyConnect, VPN Client software). SAS also includes minor release updates (e.g. AnyConnect 4.0 to 4.1 upgrade) and 24-hour technical assistance from Cisco TAC (Only for the specific software/application) and unrestricted access to online tools.

SASU: Includes everything provided in SAS, plus major upgrade release of the software e.g from AnyConnect 4.x to AnyConnect 5.x (when available).

When purchasing AnyConnect Plus or AnyConnect Apex subscription-based licenses, SASU is already included and is not required to be purchased separately.
 
When purchasing AnyConnect Plus Perpetual licenses, SASU must be purchased.  To do so, you need to order the following:

1. Order the Cisco AnyConnect Plus Perpetual License (L-AC-PLS-P-G) which has no cost ($0)
2. Add the User License required e.g Cisco AnyConnect Plus - Perpetual License/25 users (AC-PLS-P-25-S)
3. Add the SASU product for the selected User License (AC-PLS-P-25-S). In our example the SASU product will be CON-SAU-ACPL25. It is also necessary to specify the duration of the contract (1 – 60 months). The longer the duration, the larger the cost.

Full product ID’s for AnyConnect Plus, Plus Perpetual and Apex licenses along with all subscriptions and SASU products are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

Below we are including a list of the maximum VPN peers/sessions supported by each ASA Firewall appliance to help customers decide the amount of AnyConnect licenses they require:

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Cisco ASA Next Generation Platform (X) VPN Peers / Sessions

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

Cisco AnyConnect Plus, AnyConnect Apex Migration Licenses

Cisco customers who purchased AnyConnect Essentials, Premium and Shared Premium licenses prior to March 2 2015, can transition to the new Plus/Apex licenses by ordering the Plus/Apex Migration subscription licenses for 5, 3 or 1-year term.

The last day to purchase AnyConnect Migration licenses is 31st of December 2015.

The AnyConnect Migration license product IDs are available in the Cisco AnyConnect Ordering Guide freely available from our Cisco Product Datasheets & Guides section.

This article explained the new Cisco AnyConnect 4.x licensing model. We analysed the three new simplified licensing options AnyConnect Plus, Plus Perpetual and AnyConnect Apex, including the features each license supports and how they map to the old Essentials and Premium licenses. We covered the operating systems supported by AnyConnect 4.x, ordering product IDs and analysed the SASU services required with AnyConnect Perpetual  licenses, AnyConnect Migration licenses while also noting the maximum VPN sessions supported by all available ASA Firewall appliances.