Cisco AnyConnect license cost?

Can someone give a rough estimate as to how the pricing works with Cisco AnyConnect?

We moved to a MPLS network last year and now use Cisco AnyConnect to the ASA that the ISP hosts however it is limited to 2 simultaneous users.

They mentioned that we could purchase additional licenses but they would need to check on costs etc. Does anyone know how that works and estimate price etc.? Is it per simultaneous user, can you buy user packs etc.?

I guess the iOS App is a separate license again that you have to purchase since whenever we try to use that it shows “No License” in iOS (even with no one connected).

Cisco changed the licensing a couple of years back, from perpetual user bundles to subscription based. It’s licensed on total users, not simultaneous, but it’s not very expensive from my experience. We use the Plus licenses. They give access to the mobile clients as well. Those were provided wit a separate license in the old model.
Check these links:

Take your budget and walk to a solution that respects you. Or just use IPsec to connect to the ASA, which doesn’t cost anything no matter how many users (unless they’ve changed something in the last few years).

VPN is a commodity. OpenVPN has been TLS based for well over a decade now and it’s free. If your architecture requires VPN then you’re going to want to use (or have the option of) Always-On VPN, which is even worse from a per-user licensing point of view.

2 license tiers: Plus (vanilla VPN) and Apex (client posture assessment, client-less VPN, other stuff).

Each one available as 1/3/5 year subscription, plus software update subscription which also must be purchased (I think?)

The hardware and licensing mechanics are still set up for the old system, where you license a box for some amount of concurrent users depending on box size… But under this new model, they let you redeem the license 99,999 times (one redemption for each serial number in your environment)

You have to buy a license for every potential human user in your enterprise, not the hardware capacity you own. So an enterprise with 100,000 employees who could use the VPN would need 100,000 licenses, even if they only owned a single ASA with a hardware capacity of just 25 users.

Conversely, an enterprise with monster ASA boxes everywhere (huge capacity), but a user policy (AD group or whatever) that only allows 5 specific users to VPN in would need just 5 licenses.

It doesn’t matter how many devices the humans have, nor how many times they’ll be logged in. Only the user count. They’re counting named users.

None of it is enforced AFAIK. No matter what license you buy, when you apply it, the entire capacity of the box gets enabled. Just like the old licensing model.

The subscription-based licenses are pretty cheap.

Somewhere along the way, after making this change, they re-introduced perpetual licensing. Crazy money though.

In our case it seems to be simultaneous users? We have maybe 40 users in our VPN Users group on AD (ASA uses RADIUS) but only 2 can connect at once?

Let me get this straight If I’m doing a site-to-site setup and if use IPSec I don’t have to pay any license ???

Btw how many host at the same time can a RV340 CISCO VPN router support??

With no actual licensing purchased, the ASA grants you two concurrent users.

If you need more, you’ll need to purchase a licensing package. It’s like $3-5/user/year depending on your reseller’s discount level.

I think it is only an enforced limit for simultaneous users, but according to the license agreement you need to license all existing users if I remember correctly from when we purchased our licenses. That includes users in external authentication sources like AD, if they are able to connect.
The two included default licenses might be an exception though.

The last time I used an ASA, IPsec required no per-instance licensing of any kind, whether it was site-to-site or client-to-site.

However, Cisco was aggressively pushing customers to use “AnyConnect”, which was licensed per user, and used a different client. As part of that push, they refused to make a 64-bit Windows client for IPsec, which you needed because part of it was a driver, and you can’t use 32-bit Windows drivers on 64-bit Windows.

Not totally true. Cisco still offers perpetual anyconnect licenses based on concurrent sessions.

Thank you for you reply. I have thought on using 3 Cisco RV340 VPN router for a s2s connection, but seen all this CISCO agenda on pushing licenses makes me want to rethink using them all together. In your experience what device would you recommend for setting vpn s2s.

Unfortunately the pricing is pretty ridiculous for perpetual. Not like the pricing prior to 4.X where it was very reasonable to license an ASA for AnyConnect.

Anything can do IPsec, really. At one point I used a lot of Vyatta, which today is forked as VyOS. It’s based on Linux. I’d use VyOS, Linux, or OpenBSD/Pfsense, on some variety of hardware that they support well – x86-64 hardware in all probability, but possibly Ubiquiti MIPS64 if I had the economy of scale to make the extra R&D and reduced familiarity worth it, or it was a personal project.

I used to be quite fond of the ASAs and the PIX line before it was renamed, but that was before the expanded feature licensing. The original PIX were licensed by crypto algorithms, but that was almost entirely for export control, I believe. These are/were just x86 hardware, though. The PIXes were PC-clones, and the little ASA 5505 series were AMD Geode x86 embedded processors if I remember correctly. In fact, I should find out how hard those are to boot another operating system. Re-using old hardware appeals to my sense of efficiency and value.

Thank you, you have been a lot of help.