Friday, February 2, 2018

Installing Cisco ASA 5500-X AnyConnect Package and Premium VPN License

I had to upgrade the image on a Cisco ASA 5525-X firewall and upload the AnyConnect package files that are compatible with the said image. The ASA comes with an AnyConnect package that is compatible with the image installed by default. You can verify the AnyConnect package files on the ASA's flash (disk0:) using the dir or show flash (show disk0:) commands.

ciscoasa# dir

Directory of disk0:/

11     drwx  4096         19:16:16 Sep 29 2014  log
22     drwx  4096         19:16:44 Sep 29 2014  crypto_archive
23     drwx  4096         19:16:52 Sep 29 2014  coredumpinfo
123    -rwx  37656576     19:25:02 Sep 29 2014  asa913-smp-k8.bin
124    -rwx  22658960     19:27:04 Sep 29 2014  asdm-714.bin
125    -rwx  73285632     00:38:08 Jun 06 2017  asa943-12-smp-k8.bin
126    -rwx  25819140     00:42:58 Jun 06 2017  asdm-761.bin
127    -rwx  12998641     19:51:42 Sep 29 2014  csd_3.5.2008-k9.pkg
128    drwx  4096         19:51:44 Sep 29 2014  sdesktop
129    -rwx  6487517      19:51:44 Sep 29 2014  anyconnect-macosx-i386-2.5.2014-k9.pkg
130    -rwx  6689498      19:51:44 Sep 29 2014  anyconnect-linux-2.5.2014-k9.pkg
131    -rwx  4678691      19:51:44 Sep 29 2014  anyconnect-win-2.5.2014-k9.pkg
132    -rwx  100          22:45:26 Jun 05 2017  upgrade_startup_errors_201706052245.log
133    -rwx  41848832     18:55:08 Jun 08 2017  asasfr-5500x-boot-6.0.0-1005.img

8238202880 bytes total (4782514176 bytes free)


ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.4(3)12
Device Manager Version 7.6(1)

Compiled on Thu 20-Oct-16 17:58 PDT by builders
System image file is "disk0:/asa943-12-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 days 1 hour

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x363bee4d 0xcc858b80 0xe5d21db4 0xf1d49abc 0xcb04cdef
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:29:41.579 UTC Fri Jun 9 2017


I've used one of the ASA ports and configured a point-to-point IP address with a TFTP server.

ciscoasa# show run interface g0/1
!
interface GigabitEthernet0/1
 description ### LAN ###
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

ciscoasa# ping 192.168.1.2         // PING TO TFTP SERVER/PC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


I've deleted the Cisco AnyConnect version 2.5 package files on the ASA's flash since these aren't compatible with the 9.4.3 ASA code and consume memory space.

ciscoasa# delete disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg

Delete filename [anyconnect-macosx-i386-2.5.2014-k9.pkg]?

Delete disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg? [confirm]

ciscoasa# delete disk0:/anyconnect-linux-2.5.2014-k9.pkg     

Delete filename [anyconnect-linux-2.5.2014-k9.pkg]?

Delete disk0:/anyconnect-linux-2.5.2014-k9.pkg? [confirm]

ciscoasa# delete disk0:/anyconnect-win-2.5.2014-k9.pkg 

Delete filename [anyconnect-win-2.5.2014-k9.pkg]?

Delete disk0:/anyconnect-win-2.5.2014-k9.pkg? [confirm]


ciscoasa# dir

Directory of disk0:/

11     drwx  4096         19:16:16 Sep 29 2014  log
22     drwx  4096         19:16:44 Sep 29 2014  crypto_archive
23     drwx  4096         19:16:52 Sep 29 2014  coredumpinfo
123    -rwx  37656576     19:25:02 Sep 29 2014  asa913-smp-k8.bin
124    -rwx  22658960     19:27:04 Sep 29 2014  asdm-714.bin
125    -rwx  73285632     00:38:08 Jun 06 2017  asa943-12-smp-k8.bin
126    -rwx  25819140     00:42:58 Jun 06 2017  asdm-761.bin
127    -rwx  12998641     19:51:42 Sep 29 2014  csd_3.5.2008-k9.pkg
128    drwx  4096         19:51:44 Sep 29 2014  sdesktop
132    -rwx  100          22:45:26 Jun 05 2017  upgrade_startup_errors_201706052245.log
133    -rwx  41848832     18:55:08 Jun 08 2017  asasfr-5500x-boot-6.0.0-1005.img

8238202880 bytes total (4800376832 bytes free)


I TFTP'd the Cisco AnyConnect version 3.1 packages since they are compatible with the 9.4.3 ASA code.


ciscoasa# copy tftp://192.168.1.2/anyconnect-win-3.1.14018-k9.pkg disk0:

Address or name of remote host [192.168.1.2]?

Source filename [anyconnect-win-3.1.14018-k9.pkg]?

Destination filename [anyconnect-win-3.1.14018-k9.pkg]?

Accessing tftp://192.168.1.2/anyconnect-win-3.1.14018-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.14018-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ciscoasa# copy tftp://192.168.1.2/anyconnect-macosx-i386-3.1.14018-k9.pkg disk0:

Address or name of remote host [192.168.1.2]?

Source filename [anyconnect-macosx-i386-3.1.14018-k9.pkg]?

Destination filename [anyconnect-macosx-i386-3.1.14018-k9.pkg]?

Accessing tftp://192.168.1.2/anyconnect-macosx-i386-3.1.14018-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ciscoasa# copy tftp://192.168.1.2/anyconnect-linux-3.1.14018-k9.pkg disk0:

Address or name of remote host [192.168.1.2]?

Source filename [anyconnect-linux-3.1.14018-k9.pkg]?

Destination filename [anyconnect-linux-3.1.14018-k9.pkg]?

Accessing tftp://192.168.1.2/anyconnect-linux-3.1.14018-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ciscoasa# copy tftp://192.168.1.2/anyconnect-linux-64-3.1.14018-k9.pkg

Address or name of remote host [192.168.1.2]?

Source filename [anyconnect-linux-64-3.1.14018-k9.pkg]?

Destination filename [anyconnect-linux-64-3.1.14018-k9.pkg]?

Accessing tftp://192.168.1.2/anyconnect-linux-64-3.1.14018-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-linux-64-3.1.14018-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


ciscoasa# dir

Directory of disk0:/

11     drwx  4096         19:16:16 Sep 29 2014  log
22     drwx  4096         19:16:44 Sep 29 2014  crypto_archive
23     drwx  4096         19:16:52 Sep 29 2014  coredumpinfo
123    -rwx  37656576     19:25:02 Sep 29 2014  asa913-smp-k8.bin
124    -rwx  22658960     19:27:04 Sep 29 2014  asdm-714.bin
125    -rwx  73285632     00:38:08 Jun 06 2017  asa943-12-smp-k8.bin
137    -rwx  39032347     21:24:34 Jun 12 2017  anyconnect-win-3.1.14018-k9.pkg
126    -rwx  25819140     00:42:58 Jun 06 2017  asdm-761.bin
127    -rwx  12998641     19:51:42 Sep 29 2014  csd_3.5.2008-k9.pkg
128    drwx  4096         19:51:44 Sep 29 2014  sdesktop
138    -rwx  12895117     21:25:20 Jun 12 2017  anyconnect-macosx-i386-3.1.14018-k9.pkg
139    -rwx  12346898     21:26:06 Jun 12 2017  anyconnect-linux-3.1.14018-k9.pkg
140    -rwx  13115642     21:26:55 Jun 12 2017  anyconnect-linux-64-3.1.14018-k9.pkg
132    -rwx  100          22:45:26 Jun 05 2017  upgrade_startup_errors_201706052245.log
133    -rwx  41848832     18:55:08 Jun 08 2017  asasfr-5500x-boot-6.0.0-1005.img

8238202880 bytes total (4722974720 bytes free)


You can verify the current number of AnyConnect VPN users supported on the ASA using the show version command.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.4(3)12
Device Manager Version 7.6(1)

Compiled on Thu 20-Oct-16 17:58 PDT by builders
System image file is "disk0:/asa943-12-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 days 22 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x363bee4d 0xcc858b80 0xe5d21db4 0xf1d49abc 0xcb04cdef
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:29:41.579 UTC Fri Jun 9 2017


I used the AnyConnect license L-AC-APXM-S-3-5K to enable more AnyConnect VPN users (750 max users for ASA 5525-X) and activated the license via the Cisco Licensing Portal. You use the ASA serial number from the show version output to register the license on the portal, then apply the resulting key with the activation-key <LICENSE KEY> global configuration command.


ciscoasa# configure terminal

ciscoasa(config)# activation-key ?

exec mode commands/options:
  <0x0-0xffffffff>  Enter four-or-five-tuple activation-key
  noconfirm         Do not prompt for confirmation

ciscoasa(config)# activation-key 572bfd4a b4f6583f 5d4005dc cd308123 ca20c456
Validating activation key. This may take a few minutes...
Both Running and Flash permanent activation key was updated with the requested key.

ciscoasa(config)# show version

Cisco Adaptive Security Appliance Software Version 9.4(3)12
Device Manager Version 7.6(1)

Compiled on Thu 20-Oct-16 17:58 PDT by builders
System image file is "disk0:/asa943-12-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 3 days 22 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
            ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is fc5b.39aa.5164, irq 11
 1: Ext: GigabitEthernet0/0  : address is fc5b.39aa.5169, irq 5
 2: Ext: GigabitEthernet0/1  : address is fc5b.39aa.5165, irq 5
 3: Ext: GigabitEthernet0/2  : address is fc5b.39aa.516a, irq 10
 4: Ext: GigabitEthernet0/3  : address is fc5b.39aa.5166, irq 10
 5: Ext: GigabitEthernet0/4  : address is fc5b.39aa.516b, irq 5
 6: Ext: GigabitEthernet0/5  : address is fc5b.39aa.5167, irq 5
 7: Ext: GigabitEthernet0/6  : address is fc5b.39aa.516c, irq 10
 8: Ext: GigabitEthernet0/7  : address is fc5b.39aa.5168, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is fc5b.39aa.5164, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 750            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: FCH1834JABC
Running Permanent Activation Key: 0x572bfd4a 0xb4f6583f 0x5d4005dc 0xcd308123 0xca20c456
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:29:41.579 UTC Fri Jun 9 2017
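As an added example (not part of the original post), the following Python script parses the "Licensed features" table and the "Running Permanent Activation Key" line of the show version output above and checks that the key you applied is now the running permanent key and that the AnyConnect Premium Peers count reached the licensed value. The before/after samples are constructed from the post's output, trimmed to the lines the check needs.

```python
import re

# Constructed samples modelled on the post's "show version" output, trimmed to
# the lines the check needs: before and after the activation key was applied.
BEFORE = """\
AnyConnect Premium Peers          : 2              perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Disabled       perpetual
Running Permanent Activation Key: 0x363bee4d 0xcc858b80 0xe5d21db4 0xf1d49abc 0xcb04cdef
"""
AFTER = """\
AnyConnect Premium Peers          : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Enabled        perpetual
Running Permanent Activation Key: 0x572bfd4a 0xb4f6583f 0x5d4005dc 0xcd308123 0xca20c456
"""

# "<name>   : <value>  perpetual" rows of the licensed-features table
FEATURE_RE = re.compile(r"^(?P<name>.+?)\s{2,}:\s+(?P<value>\S+)\s+(?P<term>\S+)\s*$")
KEY_RE = re.compile(r"^Running Permanent Activation Key:\s*(?P<key>.+?)\s*$")


def norm_key(words):
    """Normalise an activation key to lowercase hex words without the 0x prefix."""
    return [w.lower()[2:] if w.lower().startswith("0x") else w.lower() for w in words.split()]


def parse_show_version(text):
    """Return (features, key): feature name -> value string, and the running permanent key."""
    features, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = norm_key(m.group("key"))
            continue
        m = FEATURE_RE.match(line)
        if m and m.group("term") == "perpetual":
            features[m.group("name").strip()] = m.group("value")
    return features, key


def verify_license(text, applied_key, wanted_peers):
    """Return a list of problems; empty means the license change took effect as intended."""
    features, key = parse_show_version(text)
    problems = []
    if key != norm_key(applied_key):
        problems.append("running permanent key differs from the key that was applied")
    peers = features.get("AnyConnect Premium Peers", "0")
    total = features.get("Total VPN Peers", "0")
    if not peers.isdigit() or int(peers) < wanted_peers:
        problems.append(f"AnyConnect Premium Peers is {peers}, wanted {wanted_peers}")
    elif total.isdigit() and int(peers) > int(total):
        problems.append("premium peers exceed the platform's Total VPN Peers")
    return problems
```

Feed it the full show version output captured after the activation-key command; an empty problem list means the running key matches and the peer count is what you licensed.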
