Answer Secure Client Licensing Frequently Asked Questions

Introduction

This document describes the answers to frequently asked Cisco Secure Client licensing questions.

Overview

With Cisco Secure Client 4.x, Cisco introduced a new licensing model. Based on feedback, we found that device based session capacity planning and per appliance license management was a constant guessing game and operational challenge.  Moreover, with the growing number of mobile devices that need VPN connections combined with older ASAs refreshed to newer platforms there were also budget concerns with having to rebuy licenses. To help address these issues, we moved Cisco Secure Client to a total unique user, term-based licensing model. This greatly simplified licensing calculation and consumption in a number of areas.

First, going with a total user count is very much in line with general trend towards enterprise license / seat count model which enterprises can track and manage much better than endpoints. Second, focusing on user vs endpoint removes the variability that comes when the remote end-user has multiple devices connected simultaneously, a common issue with knowledge workers. Third, focusing on total users removes having to guess how many people need service and then having to buy pandemic licenses, which sit idle most of the time. This is also more in line with general business trend of enterprises trying to make employees more productive and thus always connected. Fourth, moving to a term-based model allows budget planning to shift from a bursty CAPEX and ongoing support budget exercise to a more smooth OPEX planning process. Finally, creating a standalone bundled endpoint license separate from the headend gives you choice when selecting different headend platforms and services.  This model allows you to avoid additional license costs when the head end box is swapped out or additional capacity is added or when other services are added (for example Cisco Secure Client Apex investment for VPN services can be leverage along side ISE).

Cisco Cisco Secure Client services continue to be competitively priced and very much in line with Cisco's other software pricing initiatives such as Cisco ONE.

In terms of the actual offers, Cisco Secure Client 4.x collapsed the complex older Cisco Secure Client licensing model down into two simple tiers. The first is Cisco Secure Client Plus, which includes basic VPN services such as device and per-app VPN (including 3rd party IKEv2 Remote Access VPN head-end support), always on, basic device context collection, and FIPS compliance. Cisco Secure Client Plus also includes other non-VPN services such as the Cisco Secure Client Network Access Manager 802.1X supplicant and the Cloud Web Security module. In the 1H of CY 2015 with Cisco Secure Client 4.1, Cisco Secure Client Plus also added AMP for Endpoint distribution capabilities through the AMP Enabler. Existing Cisco Secure Client customers can think of Cisco Secure Client Plus as similar to the discontinued Cisco Secure Client Essentials.The second offer is AnyConenct Apex, which includes more advanced VPN services such as endpoint posture checks, next generation encryption (including Suite B), SAML authentication, and clientless Remote Access VPN as well as all the capabilities of Cisco Secure Client Plus. In the 2H of CY 2015 with Cisco Secure Client 4.2MR1, Cisco Secure Client Apex added the Network Visibility Module, a new endpoint flow based capability that collects user and endpoint behavior on and off premises. Existing Cisco Secure Client customers can think of Cisco Secure Client Apex as similar to the discontinued Cisco Secure Client Premium and Shared. With both Cisco Secure Client Plus and Apex continuing to add additional features and services, the value of Cisco Secure Client term-based offers has and can continue to increase over time.

Please see the Cisco Secure Client Ordering Guide for detailed licensing information.

Q. What factors contributed to the changes to the Cisco Secure Client license models?

A. We have taken into account feedback from customers over many years requesting a simplified licensing model. As such, the new license model eliminates all of the add-on licenses complexity while also allowing for co-existence of license types.The new model provides shared licensing across all options without the need to have hardware in place to enforce licenses and eliminates the requirement to purchase Cisco Secure Client licenses on a per ASA basis (assisting with HW migrations).Moreover, the new model has built-in pandemic support. All term licenses include support and software entitlement, so purchasing these licenses grants you access to the current software releases.

Q. What are the available authorized (user) counts for the new Cisco Secure Client licenses?

A. The Plus and Apex licenses are available via banding-based licenses (L-AC-PLS-LIC= and L-AC-APX-LIC=) that allow you to select a specific user count (for example, 873), a specific term length (for example, 30 months) and start date (for example, term starts on date X, up to 60 days in the future). The price per user per month decreases as the user count increases and/or the term length increases. Whenever possible, this method must be used to order Plus and Apex term licenses instead of the L-AC-PLS-xYR-G/L-AC-APX-xYR-G method. The L-AC-PLS-LIC= and L-AC-APX-LIC= ordering method provides more flexibility for user counts, term duration and simpler renewals.

Q. How is the 4.x conversion being handled for the mobile versions of Cisco Secure Client?

A. Use of Cisco Secure Client on Cisco IOS® & Android without an active Plus, Apex or VPN Only license (term or contract) expired on April 30, 2016. Cisco Secure Client customers with Essentials/Premium and Mobile (discontinued) licenses can no longer use this software. Newer platforms such as Windows Phone 8.1, Windows 10 Mobile, BlackBerry 10, and Google Chrome OS have always required active Plus, Apex or VPN Only licensing.

Q. Can I buy a perpetual Cisco Secure Client license? Can you tell me more about Cisco Secure Client VPN Only and Cisco Secure Client Plus Perpetual?

A. Yes.  Cisco Secure Client Plus is offered as a perpetual license in addition to the 1, 3 or 5 year terms.

Cisco also offers a perpetual VPN-only license. This provides the equivalent functionality of prior Cisco Secure Client Premium plus Advanced Endpoint Assessment plus Mobile plus Phone VPN.

The VPN-only Licenses are designed for VPN only environments that have a large number of potential end users, but very infrequent use (for example, a university with 10,000 students, but with only 100 active users at any one time). With either the Plus Perpetual or VPN-only licenses, you must separately purchase support services, or you are not eligible to access software or tech support.   

Cisco Secure Client VPN Only is licensed based on a single headend device and simultaneous connections (not authorized users). For active/standby pairs, only the primary headend is required to have a VPN Only license. VPN Only licenses are an alternative to the Cisco Secure Client Plus and Apex model. No other Cisco Secure Client function or service (Web Security Module, ISE Posture, Network Visibility, ASA Multi-context VPN, and so on) is available with the Cisco Secure Client VPN Only licenses. VPN Only licenses do support Clientless SSL VPN, third party IPsec IKEv2, Suite B and VPN HostScan with an ASA. The VPN Only licenses cannot be transferred, rehosted, shared, combined, split, or directly upgraded to another VPN Only license size. These licenses do not coexist with Plus or Apex licensing, or any retired Cisco Secure Client licenses.

Both VPN Only and Plus Perpetual licenses require a SWSS contract on all head-ends in order to be eligible for SW access, updates, and techical support.

Q. Are there any additional limitations of the Cisco Secure Client VPN-only licenses?

A. Yes. The Cisco Secure Client VPN-only licenses are concurrent endpoint based versus total active user with Cisco Secure Client Plus and Apex. The VPN-only are applied per individual ASA, and there is no sharing of licenses between ASAs, unlike Cisco Secure Client Plus and Apex, which provide this capability. For active/standby pairs, only the primary headend is required to have a VPN Only license. The VPN-only licenses are not portable, which means that when a new ASA is purchased additional licenses also need to be purchased. VPN-only licenses are not additive, meaning that you cannot start with a set number of licenses (for example, 500 at time x) and then increase capacity over time (for example, add 100 more at time x + y). Nor can they be bought to service burst capacity requirements. As mentioned previously, VPN-only licenses require the purchasing of support services, whereas support is built into the term contracts for Cisco Secure Client Plus and Apex.

Q. How do I determine how many licenses to purchase?

A. The Cisco Secure Client Plus and Apex model is based on total authorized users that can make use of any Cisco Secure Client service, not simultaneous connections (either on a per-ASA or shared basis) and not total active remote access users. As such, you can connect with as many devices as you want as long as you have available hardware capacity and have not exceeded your purchased authorized user count. It is your responsibility to purchase additional authorized user licenses if your usage needs increase. If you currently support 30K simultaneous user connections, but have 50K users who need Cisco Secure Client services, you would be required to buy a 50K license.If you have 100K users who need Cisco Secure Client services, you would be required to buy a 100K license. For unattended environments where there are not really individual users on the other side of a connection, each unattended device is considered a unique user.

Q. How do I know if I need Cisco Secure Client Plus or Apex license?

A. The Plus license provides similar connectivity as was available with the original Essentials license, while the Apex license provides many of the same capabilities from the Premium or Shared license.A full breakdown of features is noted in the Cisco Secure Client Ordering Guide.

Q. What ASA versions are the Cisco Secure Client Plus/Apex licenses compatible with? Can these licenses be used with both the original ASA 5500s and 5550-Xs?

A. There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting Cisco Secure Client supports the new license model. Certain features, that is per application VPN require newer ASA versions/HW. The licenses are compatible with both original and current ASA models. PAK registration is specific to the ASA 5500/5500-X, and does not happen for the ASAv, Firepower or Cisco ISR / ASR / CSR 1000V VPN head-ends; however, the contract registration still needs to be completed in order to enable software download access and receive tech support.

Q. What license is needed to enable IKEv2 VPN from 3rd party VPN clients to the ASA?

A. The Cisco Secure Client Plus license is required for third party IKEv2 VPN client support. This is similar to how Cisco Secure Client Apex is required for clientless support. Cisco Secure Client Apex, which includes all Plus functionality, can also be used to enable IKEv2 VPN from 3rd party VPN clients.

Q. How many Cisco Secure Client Plus licenses are needed when standards-based IKEv2 Remote Access VPN access is utilized on the ASA or Apex licenses when access to the ASA is clientless?

A. The Cisco Secure Client Plus or Apex users license count needs to service the total unique users utilizing Cisco Secure Client, Third party IKEv2 access, or clientless services (be they active on the network or not).

Q. How many ASAs can I use with my Cisco Secure Client Plus or Apex license?

A. You are eligible to use a Plus or Apex license with as many ASAs as you own during your license term as long as you do not need exceed your purchased authorized user license. Upon purchasing either license option, a Product Activation Key (PAK) is provided, which is used to unlock these services on multiple ASAs. Plus / Apex licenses are not locked to a single ASA as the Essentials or Premium / Shared licenses were.

Q. How do I order Cisco Secure Client Plus or Apex with the ASA as the headend?

A. Cisco Secure Client Plus or Apex license(s) are ordered separately from the head-end. Cisco Secure Client Plus or Apex licenses are not tied to a specific ASA / head-end but rather to your overall deployment. The most cost effective way to purchase a license is to cover your entire deployment. That said, Cisco Secure Client Plus and Apex can eventually be an optional item under certain ASA bundles along side other security subscriptions. Please refer to the Cisco Secure Client ordering guide for additional details.

Q. How do I order Cisco Secure Client licenses for multiple independent customers?

A. It is important to order each license for a separate customer as its own line item, preferably as its own unique Sales Order so that the end user customer information is correctly recorded, and that that support services can be entitled correctly. If you order multiple quantities for either the top or second level Cisco Secure Client PIDs during the ordering process, you can receive entitlement for what you purchased but it does not generate additional Product Activation Keys. If your intenention is to order for different customers, you must be ordering for each customer as their own separate order. Minimally, you must order each license as its own unique top level line item, not by increasing the quantity for one single shared line item. For example, if ordering an Cisco Secure Client Plus Perpetual License, you would not order: L-AC-PLS-P-G Qty:2 or specify quantity 2 on the next level down, instead you would place two separate line orders, both for L-AC-PLS-G with Qty: 1.

Q. How many ISE deployments can I use with my Cisco Secure Client Plus or Apex license?

A. A Cisco Secure Client Plus or Apex license(s) can be used across any number of ISE appliances or deployments as long as you do not need exceed the authorized user license count. Purchasing either license option along side ISE does not require any PAK file registration or loading into ISE (Cisco Secure Client's PAK files only get applied to the ASA). So in an ISE deployment, Cisco Secure Client Plus and Apex licenses are just a right to use license.

Q. Can Cisco Secure Client Hosts/Posture be used without Cisco ISE?

A. Yes. Cisco Secure Client 4.x still supports Hostscan functionality for VPN only posture with the Cisco ASA. AnyConect 4.x also has a unified posture agent that works across wired, wireless, and VPN, but this requires ISE 1.3 or greater. An Cisco Secure Client Apex license is required for both options.

Q. Is a Cisco Cisco Secure Client Plus license required with a Cisco ISE Plus license?

A. No. However, using a Cisco Cisco Secure Client Plus license with Cisco ISE Plus enables the collecting and sharing of endpoint context for VPN uses cases. Cisco Cisco Secure Client Plus license works with the Cisco ISE Base license, but the detailed endpoint information cannot be collected.

Q. What are the different services enabled by Cisco ISE Apex as opposed to Cisco ISE Apex with Cisco Cisco Secure Client Apex?

A. Cisco ISE Apex is the license tier to enable compliance context collection and the use of that information as authorization attributes within ISE policies. For example, using a third-party MDM/EMM platform to detect and control access based on PIN lock status and jailbreak status requires a Cisco ISE Apex license. The Cisco ISE Apex license count required in this use case is the maximum number of potential concurrent MDM/EMM enrolled mobile endpoints active on the network and controlled by Cisco ISE, and not every MDM/EMM enrolled endpoint. Cisco ISE Apex with Cisco Secure Client Apex enables Cisco Secure Client as the unified agent for PC compliance along with all the additional value-added Cisco Cisco Secure Client services such as always on, trusted network detection, and so on. As in the previous example, the Cisco ISE Apex license count would be for the maximum number of concurrent sessions where Cisco Cisco Secure Client acts as the unified agent in the Cisco ISE deployment for posture, and so on, and not, necessarily, every endpoint that can be running Cisco Secure Client. The number of Cisco Cisco Secure Client Apex licenses needed is based on all the possible unique users that can use Cisco Cisco Secure Client Apex services and not each and every device running Cisco Cisco Secure Client. Cisco Secure Client Plus and Apex fall under a separate user-based license structure, which is different from the Cisco ISE endpoint session-based license structure.

Q. I am using Cisco Secure Client for a non-VPN service or a Cisco IOS® head-end. What licenses do I need to purchase?

A. License requirements are determined by head-end used, and the services available in that head end. For example, Cisco Secure Client Plus is required for VPN service to Cisco IOS® head-ends though you could also use Cisco Secure Client Apex. To use Cisco Secure Client's posture capabilities with ISE 1.3, you must order Cisco Secure Client Apex as well as ISE Apex. For other use cases including Network Access Manager, Cisco Cloud Web Security (CWS), and so on. you must have Cisco Secure Client Plus, but again they could also use Cisco Secure Client Apex. CiscoIOS head-ends must also have a Security License before Cisco Secure Client services can be used.  Cisco Secure Client is compatible with ISR G2, CSR 1000V and ASR 1000 platforms.  Available features varies by platform.

Note: The physical Product Activation Key (PAK) registration on the Cisco licensing portal is only applicable to the ASA. For ASAv and Cisco IOS head-ends as well as non-VPN use cases, store the PAK in a safe place as proof or purchase. You still need to complete Contract registration for SW Center access and TAC support.

Q. What is the minimum OS version required for the ISR G2 or CSR 1000v to support Cisco Secure Client?

A. ISR G2 – Cisco IOS 15.0(1)M, CSR1000v – Cisco IOS XE 3.12 S.

Q. Can Cisco Secure Client Plus or Apex licenses be shared between ASA and Cisco IOS VPN environments?

A. Yes, as long as the authorized user count is not exceeded and the license is only used during the purchased term, the license can be used with any headend covered by the license. PAK registration does not apply to non-ASA headends.

Q. I am only using Network Access Manager. What licenses are required?

A. Network Access Manager capabilities require a Plus or Apex license per authorized (unique) user.

Q. How do I order Cisco Secure Client Plus or Apex licenses with any other headend or service?

A. Cisco Secure Client Plus or Apex license(s) must be ordered separately for other headend or services outside of the ASA.

Q. Can I order the Cisco Secure Client Network Visibility Module standalone?

A. No. The Network Visibility Module is only available in the Cisco Secure Client Apex licenses. 

Note: The Network Visibility modules makes use of Cisco Secure Client’s trusted network detection function in the VPN module, but excluding this capability, it can function without other Cisco Secure Client modules.

Q. Can I mix and match Cisco Secure Client Plus and Apex, or is it one or the other. And do Plus and Apex remove the need for Shared and Flex licenses?

A. Yes. Cisco Secure Client Plus and Apex licenses can be mixed within the same deployment. Cisco Secure Client Plus and Apex both provide the same cross deployment capabiltiies as the discontinued Shared licenses. Cisco Secure Client Plus and Apex are licensed based on the total users for the specific Cisco Secure Client service used, so no matter how often they connect, nor how many devices they use, the new Cisco Secure Client Plus and Apex licenses remove the need for Flex (Business continuity) licenses.

Q. Can I mix and match Cisco Secure Client Plus, VPN or VPN Only licenses with older Essentials or Premium licenses?

A. No. Discontinued Essentials or Premium licenses do not co-exist on the same hardware as newer Plus, Apex or VPN Only licenses. Additionally, VPN Only licenses do not co-exist on the same hardware with Plus or Apex licenses.

Q. Does ASAv support remote access utilizing Cisco Secure Client Plus and Apex licenses?

A. Yes. But please note that ASAv, which utilizes Cisco Smart Licensing, does not require any Cisco Secure Client license to be physically applied to the actual platform. The same licenses must still be purchased and you must still link the Contract number to your Cisco.com ID for SW Center access and tech support.

Q. What licensing does an Cisco Secure Client VPN connection from a Cisco IP phone require?

A. Cisco Secure Client Plus (or Apex). Previously, Phone VPN required both a Premium license AND a Phone VPN license. 

Note: This is for VPN Phone and NOT UC Proxy. UC Proxy licenses are not related to Cisco Secure Client licenses.

Q. Why does a part expand 99999 times when I buy an Cisco Secure Client Plus perpetual or non-banding Cisco Secure Client Plus or Apex license?

A. This is normal. These parts expand to allow you to register your Cisco Secure Client Plus or Apex license to all of your ASA serial numbers. This expansion SKU is not applicable to the newer banding-based Plus (L-AC-PLS-LIC=) or Apex (L-AC-APX-LIC=) SKUs or the VPN Only SKUs (L-AC-VPNO-xxxx=). See the Cisco Secure Client Ordering Guide for details on license registration per SKU type.

Q. How do the new licenses work with the ASA?

A. You can receive a multi-use product activation key per Plus or Apex license purchased. This multi-use product activation key gets activated on each ASA at Cisco Software Central. After activating the key, the ASA is unlocked for its maximum hardware capacity. Complying with the unique/authorized user counts and term limits are honor system and are not physically enforced by the ASA or Cisco Secure Client. If you purchase more than one Apex license, or a Plus and Apex license, you need to register each PAK to each ASA, although doing so does not change the resulting license key generated for the ASA. This is to ensure that if you open up a support case in the future, that there is a record of your license purchase,.

Warning: It is important that you DO NOT select to register all quantity on the license tool, or you can deactivate your product activation key. By default, the Cisco licensing site cannot let you do this, but if you have a pop-up blocker enabled, this function is not enforced.

Q. What happens if I lose my Product Activation Key (PAK)?

A. The Product Activation Key (PAK) must be treated like cash. If you lose your product activation key before using it, the only other method we can use to locate it is with the Sales Order #. If you have previously used this PAK to register an ASA, the PAK can be located in the Cisco.com license portal for the user who performed the license registration. Cisco can look up this information based on a serial number used for a prior registration.

Q. I purchased Plus/Apex licenses 5 minutes ago and want to make use of it immediately. How can I do so?

A. The Plus/Apex model requires a Product Activation Key (PAK) to enable an ASA and entitle support/SW access. As such, it is not possible to deliver the ASA license before the Product Activation Key is generated. Visit: Cisco Software Central. Then go to Traditional Licensing and choose Get Other Licenses > Demo and Evaluation > Security Products > Cisco Secure Client Plus/Apex (ASA) Demo License to obtain a one-month temporary ASA license. Licenses cannot be used the second you receive eDelivery notification. It can take up to 24 hours for your license PAK to become active on the License portal.

Q. Why am I receiving a Serial number cannot be blank error message when registering a license?

A. You most likely pasted in a trailing space after your serial number. Remove any additional spaces after your serial number, and resubmit your request. The other cause of this is that you clicked the Add Device button, which is intended to add more than one Serial Number at initial registration, but you did not actually add any other Serial Numbers. For this situation, click the Delete Device button, and submit again without the blank space which is there to add an additional serial number.

Q. How do I access the Cisco Secure Client v4.x Software Center on Cisco.com and receive TAC support entitlement?

A. When you purchase any term Plus or Apex license (or SWSS for Plus perpetual or VPN Only), a contract number can be generated for your purchase. This usually takes at least a few days from the time the license PAK is electronically delivered. Speak with your reseller if you have not received this contract number from them. The contract number needs to be attached to your Cisco.com ID in order to enable SW Center access, and the ability to open a TAC case. We recommend that you link your contract to their Cisco.com ID by mailing web-help-sr@cisco.com with the Contract # and their Cisco.com ID. It is very important that your customer profile address information matches the address information on the contract prior to attempting to link a contract or sending an email. The contract number is not the same as your Product Activation Key (PAK).

Q. What happens with my ASA license key during a RMA?

A. All ASA license keys get stripped during RMA, this is a normal part of the RMA process at Cisco and is not specific to this license. Since the Product Activation Key is multi-use, you do not need a RMA case to initiate a transfer, you just re-register your PAK to your new ASA SN.

Q. How does license expiration work? Does something start counting down once I install a license on my ASA?

A. The countdown is based the same way that all term-based licenses work at Cisco. There is nothing Cisco Secure Client specific as part of this. The contract is set to become active one day after ship (these are electronically delivered licenses). For example, if an order ships on October 25, 2014, the service start date is October 26, 2014.

Q. Can a reboot be required after installing the license key on an ASA?

A. While there is nothing in the new licenses that specifically dictates an ASA reboot, the ASA licensing code has varied over more than a decade on how it behaves when a new license is installed. As such, a reboot can or cannot be required. A lot of this depends on the current license installed, and ASA software version, as certain features do not disappear fully until the device is rebooted. As such, you must plan for reboots to be safe. You can stagger this whenever they want.

Q. Are any special precautions required for converting from Shared licensing?

A. Make sure you replace the licenses on all of the participant devices, and disable shared licensing on those devices before replacing the license on the device currently acting as the shared license server.

Q. Are there any special steps required for converting from Essentials licensing?

A. Your new Plus, Apex or VPN Only license key cannot use the Essentials option.  In order to make use of your new license key, you must disable the Cisco Secure Client-essentials feature on your ASA by issuing a no Cisco Secure Client-essentials under webvpn. When installing your new license key, you can receive a warning that needs to be agreed to telling you that the Essentials key cannot be in the new license you are installing. As long as you have properly disable Cisco Secure Client-essentials on your ASA, you are OK to proceed. Some ASA versions can require a reboot when installing new license key to ensure it is properly activated.

Q. Is there any proactive contract renewal notification? How do I check when my contract ends?

A. Proactive renewal notifications are not currently in place. As such, it is your responsibility to keep track of the expiration date. This is visible in the Sales Order Subscription field or SWSS line item, and at any time by logging in to your Cisco.com linked account to your contract (CSCC), which shows the start and end date for the contract. For banding Plus/Apex SKUs (L-AC-PLS-LIC= and L-AC-APX-LIC=), you can also receive your license expiration date in your license registration email, and the expiration date can be visible inside of your Cisco license portal when viewing your registered licenses.  

Note: You are not able to determine your Cisco Secure Client license tier, authorized user count, or expiration date from the show version command of a head-end.

Q. Can there be changes to proactive contract renewal notification?

A. We are investigating enhancements in this area.

Q. What happens to my older Cisco Secure Client licenses when I install the new licenses?

A. All older Cisco Secure Client licenses can be removed and replaced by the new licensing model when you install your new Product Activation Key (PAK).

Q. What part do I buy at renewal? How is the license handled on an ASA?

A. Renewals shoule be handled using the L-AC-PLS-LIC= (Cisco Secure Client Plus) and L-AC-APX-LIC= (Cisco Secure Client Apex) SKUs regardless of which SKU the original order was placed under. For both initial purchases and renewals, you must complete ASA device registration and share function with all ASAs. For renewals, you do not do anything with the license key that can be emailed to you after that (there is no requirement to re-install a different license key on the ASA at renewal time).

Q. Can I purchase/renew Cisco Secure Client Plus or Apex licenses via the Cisco Service Contract Center (CSCC)?

A. Banding Cisco Secure Client Plus (L-AC-PLS-LIC=) and Apex (L-AC-APX-LIC=) licenses can be renewed via CSCC, and are purchased via Cisco.com Cisco Commerce, Block-based Plus, or Apex SKUs are renewed/purchased exclusively via Cisco.com Cisco Commerce. Speak with your Cisco authorized reseller, or Cisco account team, for assistance purchasing or renewing a license. To simplify renewals, you must always use the banding SKUs going forward for both new purchases and renewals.

Q. Am I required to upgrade to Cisco Secure Client 4.x?

A. You are not required to adopt Cisco Secure Client 4.x as part of moving to the new licensing. However, Cisco Secure Client 3.x is already End-Of-Life (no additional fixes can be provided). If you do not upgrade to an Cisco Secure Client Plus or Apex licenses, you cannot have access to newer Cisco Secure Client versions. The Plus or Apex licensing does not require you to upgrade your Cisco Secure Client software at the same time.

Q. What does PAK/s or Token/s xxxxxxx is / are either Invalid or Inactive mean when attempting to register a license on Cisco Software Central

A. Once a license PAK is generated, it can take up to 24 hours after the eDelivery license is delivered before the Product Activation Key (PAK) can be registered on the licensing portal. This message is what can be displayed when attempting to register a PAK which is not yet able to be registered. If more than 24 hours have passed since your license was eDelivered, and you are still receiving this error, open up a case with Cisco Global Licensing (GLO) by using the Support Case Manager (SCM). Then choose Software Licensing > Security Related Licensing > Cisco Secure Client.

Q. When were the new Cisco Secure Client licenses available for purchase?

A. Fall 2014.  The Cisco Secure Client Plus and Apex banding SKUs and VPN Only SKUs are available for purchase as of April 2016.

Q. When were the original Cisco Secure Client/VPN SKUs phased out?

A. The phase out began January 2015, and completed as of August 31, 2015. These older licenses can no longer be purchased.

Q. How do I receive a trial Cisco Secure Client Apex license for my ASA?

A. Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, visit: Cisco Software Central. Then navigate to Traditional Licensing and choose Get Other Licenses > Demo and Evaluation > Security Products > Cisco Secure Client Plus/Apex (ASA) Demo License.  

Note: The license unlocks the ASA functions, but does not grant access to the Cisco Secure Client Windows/Mac OS X/Linux software. Mobile versions of Cisco Secure Client can be accessed via the Application store for the specific OS, and can be trialed in conjunction with an evaluation license.

Q. I installed my new license on my ASA but received a scary warning that certain features can be disabled.

A. As long as the license features you were emailed are correctly displayed, this message can be safely ignored. Say yes, write the key to memory, and reboot the ASA to complete the license installation. The ASA is not able to properly validate the features available in the key in some scenarios prior to rebooting. If the correct features are not displayed in your Cisco licensing email, open up a case with Global Licensing (GLO), through the Support Case Manager (SCM), then choose Software Licensing > Security Related Licensing > Cisco Secure Client, to resolve this prior to installing the key.

Q. Where can I find the Cisco Secure Client Supplemental End User License and Privacy Policy?

A. The licensing terms and conditions are listed in the Supplemental End User Agreement (SEULA). The Cisco Cisco Secure Client privacy policy can be found at: Cisco Online Privacy Statement Summary

Q. What is the U.S. export classification for Cisco Secure Client?

A.Commodity Classification Automated Tracking System (CCATS): Self-classified / Mass Market

   US Export Control Classification Number (ECCN 5D992

   US Encryption Registration Number  (ERN R104011

   French ANSSI declaration approval #: 1211725

   Details available at: Public Export Product Data

Q. Can I use Cisco Secure Client to make VPN connections with non-Cisco VPN head-ends?

A. No, Cisco Secure Client's VPN services can only be used with appropriately licensed Cisco equipment. Use of Cisco Secure Client with non-Cisco VPN equipment is strictly prohibited by our license agreement.

Q. Where can I learn more about the new licenses?

A. More information is available at this link Cisco Secure Client Ordering Guide

Q. My Cisco Secure Client licensing question was not answered in this FAQ or in the Ordering Guide. Who can help answer my question?

A. Please mail your question to Cisco Secure Client-pricing@cisco.com.

Q. How do I register my Cisco Secure Client license for use with Firepower Threat Defense (FTD) OS 6.2.1 and later?

A. In order to utilize Cisco Secure Client with FTD 6.2.1 and later, open up a case with Cisco Global Licensing (GLO) using the Support Case Manager (SCM). Then choose Software Licensing > Security Related Licensing > Cisco Secure Client. Once you supply the required information, and your entitlement is validated, your license entitlement in your Smart account can be popluated.

Q. Can you please walk me through the initial license registration process for an Cisco Secure Client Plus or Apex License (L-AC-PLS-LIC= or L-AC-APX-LIC= only)?

A.

To register your Cisco Secure Client Plus/Apex License (L-AC-PLS-LIC= or L-AC-APX-LIC=), start on the Cisco License Registration Portal Cisco Software Central, then go to the correct licensing type, Smart Licenses or Traditional Licenses.

Note: You need to log in with your Cisco.com ID.

After entering your PAK, click the Fulfill button. If you have just received your product activation key, allow up to 4 hours for the key to be registered. If you try to register too soon, you can receive thefollowingerror message: PAK/s or Token/s xxxxxxx is / are either Invalid or Inactive.

Do not open a Licensing Case for this error message unless you have waited at least 24 hours after receiving your Product Activation Key. The License team cannot assist you with license registration prior to the PAK becoming fully activated for use.

If you currently share licenses inside of your organization under a Smart Account, choose this account prior to clicking Next. This screen can tell you the specific license you are registering, the total number of authorized users you purchased (Quantity), and the License start and end dates.

In the ASA Serial number field, enter your ASA serial number. This serial number MUST be obtained by using show version. ASA 5500-X models have multiple serial numbers and it is important that you use the correct one or the key cannot function. If for some reason you have incorrectly entered the key, you can use the Sharing Process described to share from the incorrect Serial Number to the correct one, but you can save a lot of time doing this correctly the first time.  For ASAv and non-ASA head-ends, this PAK registration process is not applicable. You can still link your Contract number to your Cisco.com ID for software access and technical support.

If you have more than one ASA, and you want to register licenses to those devices up front, you can do so by clicking the Add Device button. You can add additional ASAs later using the Share instructions listed.

You must now confirm your email address. Optionally, you can choose additional individuals to receive the license key notification. After doing so, you must then select that you agree with the license terms and click Submit.

You can receive a pop-up with License Request Status information. Check your email for the license. If you do not receive the email promptly, check your Spam folder.

This is a sample email with your initial license key. The key itself is in the Product Authorization Key section. The Serial number displayed must be the same serial number as show version on your ASA reports, or you cannot install the key.

Q. Can you please walk me through the license sharing process for an Cisco Secure Client Plus or Apex License (L-AC-PLS-LIC= or L-AC-APX-LIC= only)?

A.

License Sharing (adding additional ASAs that share this license).

To share to another ASA, return the Cisco License Registration Portal at Cisco Software Central, then choose Traditional or Smart Licenses, as required. Choose Get Other Licenses - Share License Process – Get Activation Codes. Once you receive your activation code via email, you can return back to this same page and choose the Use Activation Codes option. You need to repeat this process for each additional ASA you wish to share with. If you have multiple product activation keys for different user counts, terms or tiers, it is recommended to register all licenses first to the initial serial number, as it can make the subsequent sharing process easier since you are able to share all available licenses at once.

Note: This process must be done using the Cisco.com ID that registered the original Product Activation Key. If this employee is no longer with your company, you need to open up a ticket with Cisco Global Licensing for further assistance. Choose the Contact Us option on the License Registration Portal for further instructions on opening a licensing support case.

You need to choose the ASA serial number that currently has the license you wish to share, and the additional serial number. This serial number MUST match what is displayed under show version for this license to function.

This is a sample email you receive with your Activation Code. If you do not receive this email promptly, check your Spam Folder.

Use the link in the email, and choose Get Other Licenses - Share License Process – Get Activation Codes.

Choose all licenses you wish to share with this additional serial number. Confirm that both the source and target serial numbers are the correct serial numbers from show version. If not, you need to start the sharing process again with the correct serial numbers.

Confirm your email address, and enter any additional email addresses for the license to be sent to. Check the box to agree with the terms and click Get License.

Your new license can be emailed promptly. If you do not receive the email, check your Spam folder. Your additional license can be found inside of the ZIP attachment.