SSL VPN supports the following types of licenses:
- Permanent licenses—No usage period is associated with these licenses. All permanent licenses are node locked and validated during installation and usage.
- Evaluation licenses—These are metered licenses that are valid for a limited period. The usage period of a license is based on a system clock. The evaluation licenses are built into the image and are not node locked. The evaluation licenses are used only when there are no permanent, extension or grace period licenses available for a feature. An end-user license agreement (EULA) has to be accepted before using an evaluation license.
- Extension licenses—Extension licenses are node-locked metered licenses. These licenses are installed using the management interfaces on the device. A EULA has to be accepted as part of installation.
- Grace-rehost licenses—Grace period licenses are node locked metered licenses. These licenses are installed on the device as part of the rehost operation. A EULA has to be accepted as a part of the rehost operation.
For all the license types, except the evaluation license, a EULA has to be accepted during the license installation. This means that all the license types except the evaluation license are activated after installation. In the case of an evaluation license, a EULA is presented during an SSL VPN policy configuration or an SSL VPN profile configuration.
An SSL VPN session corresponds to a successful login of a user to the SSL VPN service. An SSL VPN session is created when a valid license is installed and the user credentials are successfully validated. On a successful user validation, a request is made to the licensing module to get a seat. An SSL VPN session is created only when the request is successful. If a valid license is not installed, the SSL VPN policy configuration and SSL VPN profile configuration can be successful, but the user cannot log in successfully. When multiple policies and profiles are configured, the total number of sessions is equal to the total sessions allowed by the license. A seat count is released when a session is deleted. A session is deleted for reasons such as logout by the user, session idle timeout, or Dead Peer Detection (DPD) failure.
Note: Rarely, a few sessions that do not have active connections may appear to be consuming licenses. This typically indicates a transition state, and the session will expire soon.
The same user can create multiple sessions and for each session a seat count is reserved. The seat reservation does not happen in the following cases:
- When the total active sessions are equal to the maximum license count of the current active license, no more new sessions are allowed.
The reserved seat count or session is released when the following occurs:
- A user logs out.
- A DPD failure happens.
- A session timeout occurs.
- An idle timeout occurs.
- A session is cleared administratively using the clear webvpn session command.
- A user is disconnected from the tunnel.
- A profile is removed even when there are active sessions.
You can use the show webvpn license command to display the available count and the current usage. To display the current license type and time period left in case of a nonpermanent license, use the show license command. To get information related to license operations, events, and errors, use the debug webvpn license command.
New Cisco IOS SSL VPN licenses that are generated are cumulative. Therefore the old licenses become inactive when a new license is applied. For example, when you are upgrading your license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco provides a single 20 count license. The old license for 10 counts is not required when a permanent license for a higher count is available. However, the old license will exist in an inactive state as there is no reliable method to clear the old license.
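The seat accounting described above (one seat reserved per session after a successful login, logins refused when the pool is full, seats released on the listed events, and a new license count replacing the old one) can be modelled as shown below. This is an added example, not Cisco code; the event names, the tuple layout and the sample events are constructed assumptions.

```python
from collections import Counter

# Release reasons from the list above; the event names are assumptions.
RELEASE_EVENTS = {"logout", "dpd_failure", "session_timeout", "idle_timeout",
                  "admin_clear", "tunnel_disconnect", "profile_removed"}

def replay(events, license_count):
    """Replay (kind, user, arg) events against a seat pool.

    arg is a session id, or the new seat count for "license_install".
    Returns (active, denied, peak, license_count).
    """
    active, denied, peak = {}, [], 0
    for kind, user, arg in events:
        if kind == "license_install":
            license_count = arg            # cumulative: replaces, never adds
        elif kind == "login_ok":           # credentials already validated
            if len(active) >= license_count:
                denied.append((user, arg)) # no seat granted, so no session
            else:
                active[arg] = user         # one seat per session
                peak = max(peak, len(active))
        elif kind in RELEASE_EVENTS:       # one event per affected session
            active.pop(arg, None)          # seat goes back to the pool
    return active, denied, peak, license_count

def seats_per_user(active):
    """Count seats held by each user; the same user may hold several."""
    return Counter(active.values())

# Constructed sample events, starting from a 2-seat license.
EVENTS = [
    ("login_ok", "alice", "s1"),
    ("login_ok", "alice", "s2"),      # same user, second seat
    ("login_ok", "bob", "s3"),        # pool full: refused
    ("idle_timeout", "alice", "s1"),  # seat released
    ("login_ok", "bob", "s4"),
    ("license_install", None, 4),     # single 4-count license replaces 2
    ("login_ok", "carol", "s5"),
    ("dpd_failure", "bob", "s4"),
    ("login_ok", "alice", "s6"),
]

if __name__ == "__main__":
    active, denied, peak, count = replay(EVENTS, 2)
    print("in use:", len(active), "of", count, "peak:", peak)
    print("denied logins:", denied)
    print("seats per user:", dict(seats_per_user(active)))
```

Comparing the per-user seat counts with the denied list shows whether refused logins come from real demand or from one account holding many sessions.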
Licensing in Cisco IOS Release 15.x
Starting in Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on the Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A license count is associated with each license, and the count indicates the instances of the feature available for use in the system. In the case of SSL VPN, a seat refers to the maximum number of sessions allowed at a time.
You can get the license at http://www.cisco.com/go/license.
For instructions on installing a license using Cisco License Manager (CLM), see the User Guide for Cisco License Manager, Release 2.2 at http://www.cisco.com/en/US/docs/net_mgmt/license_manager/lm_2_2/2.2_user_guide/clm_book.html.
For instructions on installing a license using Cisco CLI, see the “Cisco IOS Software Activation Tasks and Commands” chapter of the Software Activation Configuration Guide at http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_commands_ps6441_TSD_Products_Configuration_Guide_Chapter.html.
For migrating from any Cisco IOS 12.4T release to Cisco IOS 15.x release, use the license migration tool at https://tools.cisco.com/SWIFT/Licensing/LicenseAdminServlet/migrateLicense.
In Cisco IOS Release 15.1(4)M1 and later releases, a Crypto Export Restrictions Manager (CERM) license is reserved only after the user logs in. If you have an Integrated Services Router Generation 2 (ISR G2) router with a CERM license, you must upgrade to Cisco IOS Release 15.1(4)M1 or later releases. Before Cisco IOS Release 15.1(4)M1, a CERM license is reserved for every SSL or Transport Layer Security (TLS) session.