The picture below should be self-explaining. Click it for a larger version.
Edit 2014: There was some errors in the logics around AEA-licenses. The picture below is now corrected. Please do not use the old version (v1.1).
Let me explain this.
First of all, Advanced Endpoint Assessment (AEA) is a feature where you can do advanced posture checks and remediations with AnyConnect. AEA can check if your antivirus is enabled, and if not enable it, verify if the clients software firewall is installed and enabled and other advanced remediation thingies. I have never used it and if you are not certanly sure you don´t need this license. But if you do you need to continue on the Anyconnect Premium track. No Essentials license for you, my friend.
So. The big question is: Premium licenses or Essentials? The big (simplified) answer is: do you want to use the “clientless” portal? This requires premium licenses and cannot be used if you have “anyconnect essentials” configured (which in turn require the essentials license, see below).
So, let´s say that you need premium licenses. These comes in chunks of concurrent users from 2 to 10, 25, 50 and so on. These are not additative. If you have 2 you can go to the fixed steps of 10, 25, 50 and so on. If you have 25 you can go to 50, 100, 250 et cetera. Each combination of number of license you HAVE and the number of license you WANT have a specific product number. One from 10 to 25, one from 10 to 50, one from 25 to 50 and so on. Messy? Indeed.
The cheaper track is the essentials-licens. You unlock your firewall to unlimited(*) number of concurrent vpn client with one single license. It is cheaper and easier but comes with a few downsides: If you use essentials you cannot do the portal-thingie. And you can not use AEA (which is probably not an issue, see above).
If you wanna use essentials you add the license, AND you do not forget to add the command “webvpn -> anyconnect-essentials” to enable essentials. This command cannot be entered without the license and when essentials is enabled the firewall doesnt care if there are premium licenses installed or not.
On the other hand, if you use premium licenses, you must (except for adding the licenses of course) disable essentials (webvpn -> no anyconnect-essentials). The essentials license (if it exists) will stay there but for no use and good.
So, can it be even more complicated? You bet! No matter what selections you have done above you cannot use anyconnect in your mobile device (iOS, Android). Why? Because Cisco wants to sell “Anyconnect Mobile” licenses. Don´t worry, they are cheap. But you need to add this if you want mobile clients. It is a binary one-timer. You add one mobile-license and you can also use mobile vpn clients.
So, let´s have a look at a few examples:
Example 1: We have an ASA5510 on which we want to connect numerous of anyconnect clients. We don´t care about the portal, but we want to use mobile clients. We add these licenses:
- one L-ASA-AC-E-5510=
- one L-ASA-AC-M-5510=
The 5510 platform can handle 250 concurrent vpn sessions. This means that the licenses above allows us to use 250 concurrent connected vpn-clients, and among them there can be any number of mobile clients. (Dont forget to enable essentials in the config!)
Example 2: An ASA5520 on which we want to use the clientless portal as well as anyconnect clients up to a number of 45 concurrent sessions. We add this license:
- One L-ASA5500-SSL50
Now we had raised the number of concurrent vpn-sessions from the built-in 2 to 50. Since it is premium licenses any of these 50 sessions can be clientless portal users.
Example 2b: We want to raise the number of concurrent users from 50 to 100. We also want to allow iPhone-devices to connect with AnyConnect. We add these licenses:
- One L-ASA-SSL-50-100=
- One L-ASA-AC-M-5520=
Sounds complicated? Only the first 20 times you need to understand the licensing model. And everytime Cisco changes it. Which happens.