I had a great holiday and enjoyed my time off; I hope you all did as well. Now I have to get my head back in the game. Several notable announcements came out of the Cisco Security group while I was away. The first one I’d like to highlight is a new SSLVPN licensing scheme.

The wait is over! Cisco now offers a temporary SSLVPN license key similar to what other vendors offer, such as Juniper’s ICE (in case of emergency) licensing. Cisco calls its new feature flex licensing. Flex licensing allows companies to add temporary SSLVPN licenses to their ASAs at a reduced cost. Use cases include network outages, storms, seasonal or temporary events, emergencies, pandemics, etc.

These licenses expire after 60 days of total use. This means you could use 2 days of your flex license for a snow storm, then revert to your permanent license and still have 58 days left. When the license expires you’ll need to purchase a new one. You cannot combine flex licenses; only one can be active at a time.

What happens when a license expires, you ask? Well, nothing until you reboot the ASA. It will continue to work, relying on the honor system, until a reboot, at which time the permanent license is restored.

Flex licensing is supported on all ASA platforms except the 5505. It is offered in 250, 750, 1000, 2500, 5000 or 10,000 user counts. When you enter a flex license key, the ASA merges the permanent key with the flex key and picks the highest value for each feature. So if your permanent key has a 250 license and your flex key has a 750, the ASA will pick 750 and allow 750 concurrent connections.

To enable your flex license, you simply run the activation-key command on the ASA with your flex key. It looks like this:
ASA5520(config)# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490
Things to remember are:
-Flex licenses are tied to individual devices by serial number. So you’ll need to have one flex license for each ASA you want flex available on.
-The flex license continues to count down even if the ASA is turned off. So be sure to revert to the permanent key before an extended shutdown to save your flex days.
-Flex licensing requires 8.0.4 or 8.1.2 code on the ASA.
-Flex licensing is meant for a single device or a VPN load-balancing cluster. It is not meant for an SSLVPN ASA failover pair.
For more information see here:
http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html
So are flex licenses important to your business?
The opinions and information presented here are my personal views and not those of my employer.
More from Jamey Heary: Go to Jamey’s Blog for more articles on security.