24th May 2012

Early Death of Cisco VPN Client Forces VPN License Fees

Cisco has ceased development on the IPSec VPN client, and shifted to pushing the SSL VPN client for remote VPN access for both IOS and ASA platforms. But that costs up to USD$125 per VPN client. Is that good for customers? Or are we being shafted to increase revenue?

The Cisco VPN Client that uses IPSec as a dynamic remote access method to IOS, ASA, PIX and C6500 VPN modules is basically dead. From the Cisco Web site:

“The Cisco VPN client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit). For x64 (64-bit) Windows support, you must utilize Cisco’s next-generation Cisco AnyConnect VPN Client.”

And from the Product Q&As:

“Cisco VPN Client Version 5 is available for 32-bit Windows Vista. There are no current plans to provide 64-bit support for the Cisco VPN Client but 64-bit support is available for the Cisco AnyConnect VPN Client.”

There doesn’t seem to be any End of Life or End of Support notices, so the current version must still be getting support, but there is no future for it.

You can choose any technology, so long as it is SSL VPN

A quick look at Cisco AnyConnect will confirm that this is an SSL VPN technology only. So this leads me to a few conclusions:

  • Cisco isn’t planning on continuing the Cisco VPN Client
  • Cisco doesn’t like IPSec as a dynamic secure remote access method.
  • You must choose SSL VPN for remote access, because Cisco says so
  • I need to start planning to replace the Cisco VPN client in the next year or two. On several thousand desktops.
  • Which is going to be great
  • and replace it with a technology that isn’t nearly so lovely, simple and well understood
  • This looks like it’s saving Cisco money – they don’t have to develop and maintain two clients
  • But is going to cost us a shedload of cash

Which would be fine, I suppose, if I could find a good reason why changing from IPsec to SSL would be a goodthing(gm).

What’s good about SSL VPN then?

I was reading through some notes from Networkers and made the following list:

  • SSL VPNs have three modes – clientless, thin client and full client.
  • Clientless VPNs allow you to create a portal, which you can customise.
  • They allow for application translation – e.g. making CIFS drive shares appear in a web page (for clientless mode)
  • For thin client mode, you can deliver Java plugins that let you access certain services such as Citrix, ssh, telnet, RDP without having the client programs on your PC
  • Thick client acts the same as IPSec VPN client, but can be installed (initiated) from the web browser (sort of)
  • The SSL VPN client is NOT FREE (not so good)

Did I mention that the SSL VPN Client option is not FREE….

So the IPSec VPN, which most of us are very happy with and used to, is free for an unlimited number of users. But the replacement requires a license for every user past two.

And you will be forced to upgrade since the VPN Client doesn’t work on modern systems (not straightaway, but one day Microsoft will get a version of Windows to replace Windows XP).

Yeah, I’ve got the same feeling as you.

I am going to pay for SSL VPN technology that Cisco is forcing you to move towards.

They have chosen to do that. Now that is customer focussed.

How much ?

Here are the USD list prices for the SSL licenses:

IOS SSL VPN Licences

| Part number | Description | List price (USD) |
|---|---|---|
| FL-WEBVPN-10-K9 | Feature License IOS SSL VPN Up To 10 Users (Incremental) | $300 |
| FL-WEBVPN-25-K9 | Feature License IOS SSL VPN Up To 25 Users (Incremental) | $750 |
| FL-WEBVPN-100-K9 | Feature License IOS SSL VPN Up To 100 Users (Incremental) | $3,000 |

ASA SSL VPN Licences

| Part number | Description | List price (USD) |
|---|---|---|
| ASA5500-SSL-10 | ASA 5500 SSL VPN 10 Premium User License | $1,250 |
| ASA5500-SSL-25 | ASA 5500 SSL VPN 25 Premium User License | $3,095 |
| ASA5500-SSL-50 | ASA 5500 SSL VPN 50 Premium User License | $3,995 |
| ASA5500-SSL-100 | ASA 5500 SSL VPN 100 Premium User License | $7,995 |
| ASA5500-SSL-250 | ASA 5500 SSL VPN 250 Premium User License | $19,995 |
| ASA5500-SSL-500 | ASA 5500 SSL VPN 500 Premium User License | $29,995 |
| ASA-SSL-10-25= | ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License | $1,895 |
| ASA-SSL-25-50= | ASA 5500 SSL VPN 25 to 50 Premium User Upgrade License | $1,995 |
| ASA-SSL-50-100= | ASA 5500 SSL VPN 50 to 100 Premium User Upgrade License | $3,995 |

Rule of Thumb

So an IOS SSL VPN connection is going to cost about USD$30 per concurrent connection.
An ASA SSL VPN is going to cost USD$125 per concurrent connection.

OUCH!

Remember that a lot of companies use VPNs as a DR feature, and that is the peak load condition, when, say, 40% of users might connect from home. This means that SSL VPN licenses are not good value for money since they are only used in exceptional circumstances.

Where’s the WIN then

To be frank, I’m not sure. For most people, choosing IPSec is the default choice. It’s simple, well known, easy to do and doesn’t cost anything.

SSL VPN is a bewildering array of policies for inheritance and self-configuration. It has all the features of the IPSec client for AAA and maintenance, plus some fancy clientless modes. But it costs quite a bit.

Lack of Competition

The IPSec VPN client was made free when all the firewall vendors had VPN capability. But the current lack of competition in SSL VPNs means that prices aren’t likely to reduce. For example, F5 and Juniper need volume licensing on their SSL VPN products to make any money at all. CheckPoint always charges for everything until they lose market share. So there isn’t much motivation for Cisco to remove volume licensing on SSL.

And by discontinuing the IPSec VPN Client you are being forced to pay the license fee.

So Help Me out….

Are there any features or special powers that the SSL VPN has that I can pitch to justify the migration? Is there some justification that SSL has inherent magical powers or is this a cynical revenue grab?

Sound off in the comments. I’d love to find out.

This post is copyright of Thropos Ltd ©2008-2011 at Etherealmind.com - contact | email: greg.ferro@packetpushers.net - twitter: @etherealmind | All rights reserved
About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in a wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

  • Jason

    MS ships an ipsec client in everything since Win2k, will this not work with Cisco hardware? I haven’t touched it in years but remember it only being a mild pain to get working with Linux IPSec servers.

    • http://etherealmind.com Greg Ferro

      The Windows client doesn’t support split tunneling, routing or have any debugging features. It also doesn’t have much integration with desktop security products. I can’t imagine that Microsoft made it any better.

  • http://www.apeman.org/ apeman

    I’ve been playing with SSL VPN’s for a while now as I have a lot of customers with Windows Vista x64 clients, and they have been saying since 2006ish that they have no plans to support x64 bit windows systems using the IPSec client, of course at the time IOS did not support Anyconnect, and Anyconnect did not yet support vista x64!

    I have many users who have been using the IPSec client, and are going to be very upset when they find out that they have to pay for each user going forward!

    Cisco’s made my life harder as I often pitch VPN as a DR access method, now I have to come up with another solution.

    I think this is the start of lots of licensing on IOS platforms, we are going to see more gouging of loyal customers going forward from the 800lb network gorilla.

  • Mick

    The IPSec Client is a solid product from Cisco, we’ve been sitting on 4.8.02 for a number of years – no plan to change bar a movement to 5.x if at some stage Windows 7 becomes part of our SOE.

    Interesting to note (from memory) that the built-in MS Windows IPSec Client is Cisco licenced – recall problems with Zone Alarm and the Cisco.dll’s that MS uses.

    The SSL client isn’t bad, anyconnect was a huge improvement, it does have its advantages, yet also some major disadvantages – cost being one. We primarily use SSL vpn as a backup to IPSec VPN.

    Perhaps a key part of the issue is Cisco need to be able to virtualise their VPN capabilities to keep up with the market, easier with SSL? Whatever the case I don’t see this as a wise move, although with the they already have killed off PPTP support. Is Cisco getting too big for its own shoes?

  • Ben

    I agree that killing off the IPSec client is a mistake, but I wanted to add that for DR purposes there is a ICE (In Case of Emergency) licensing option that allows you to burst licenses for short periods instead of having to have them permanently.

  • http://www.firstdigest.com Calin

    This is another decision which is taken by the idea “we are big, popular and we can afford to force people into some expensive technology”. I agree that at some point it is time for a change in the product line, but why does the new one have to be so expensive?

  • John

    The licensing of ssl vpn client has changed with Cisco 8.2 release, there are now 2 types of SSL VPN client and the one being licensed is the one that does posture assessment. So you can still have the same as ipsec functionality with Cisco AnyConnect Essentials…

  • Robert

    It seems like your article here has information several months old, and the fact you don’t understand the new client shows. It’s better in almost every way.

    One of the reasons Cisco is doing away with its traditional IPSEC client is because it’s long in the tooth. It was developed by Altiga over 10 years ago and you can only do so much with that code. Also, IPSEC was never designed to be a user VPN solution, which is why *any* vendor’s XAUTH mechanism (phase 1.5 if you will) is pretty much a hack. Of course, if anyone has to deal with multiple VPN clients, it’s a pain because of where IPSEC is inserted into the stack. It’s pretty much a ring-0/kernel driver, and competing IPSEC clients don’t play well with others for that same reason. That’s also why it’s difficult to keep up with 64-bit Windows since Microsoft has much stricter rules for driver development. Could they have done it? Yes, but that was the last straw that made it easier to develop a new client. I don’t know why anyone is upset that they are dumping a 10 year old technology for something better. Should we all still be running Windows 98 and PPTP too?

    The new AnyConnect client is based on OpenVPN and can run on most major platforms, including 64-bit. This is much easier to develop since it runs in user space and will no longer conflict with any other VPN client. Juniper also has an SSL-based VPN client and other vendors are going this way – don’t just blame Cisco. One of the benefits of this client is you can have multiple VPN’s coming from the same box under different users, like from a MS Terminal server, and they will work fine! The routes and encryption are processed in user space, not at the system level, so this is possible. (That’s my favorite “cool” new feature). I heard that Cisco will be adding IPSEC back to this client in the future, for those who want to use it, although I don’t know why. The SSL based protocols like DTLS work so much better without having to deal with IPSEC/NAT hacks.

    Anyway….. licensing. The “old” AnyConnect licensing (old meaning just last month) is now called AnyConnect Premium and does indeed cost an arm-and-a-leg. Most people do not need this as it includes both the web based SSL and AnyConnect VPN client, shared licenses between ASA’s and other things. The basic AnyConnect VPN client is now the AnyConnect Essentials license, and it’s one license PER ASA BOX, for a nominal fee. It ain’t much. This is much more inline with other vendors now. This is new as of firmware 8.2.

    • Johan

      We are currently using a free, third-party IPSec client (www.shrew.net) for our 64-bit and Windows 7 systems, so as long as the support stays in the ASA software, we can continue to use IPSec without any major problems. But we do not have thousands of users.

      • Mark

        I’ve been working on shrew.net for quite a few years now. Even helped with the development for Sidewinder and the linux client.

        Great stuff and easy to work with.

    • Rob

      Hmm…

      “The new AnyConnect client is based on OpenVPN and can run on most major platforms, including 64-bit.”

      Thanks for confirming our decision to save a ‘shedload’ and just use openvpn. I don’t think anyone is saying the new client isn’t better, just that it is a big step to go from free to $60+ a user.

    • Timur

      I found this piece interesting and wonder if the author has configured SSL VPN or if his conclusions are just a response to the literature. The Essentials license costs a one time fee of 150 per box and there are other interesting licensing capabilities that have been introduced with the Premium version including flex and shared licenses.

      For this section:
      “I need to start planning to replace the Cisco VPN client in the next year or two. On several thousand desktops. Which is going to be great and replace it with a technology that isn’t nearly so lovely, simple and well understood”

      I think one of the benefits to the ASA SSL VPN solution is that it is a no touch deployment. Your end user opens a web page and logs in. If their connection profile requires use of the SSL VPN client then it gets installed the first time and can be stored locally to get launched the next time from the startup menu or by accessing the portal again.

      Depending on what you need to do you can make secure authenticated access for your end users a no brainer, but if you just want to extend your network to your end users machines the Essentials license can do everything you do today without needing a VPN profile configured for each site that needs to be added to each IPSec VPN installation.

      Every client that I demo the SSL VPN solution to buys into it, and some have rolled out deployments in excess of 1K users without having to touch each machine and only talk to a handful of users that had issues that would need to be addressed with the IPSec VPN solution also.

      Thanks for presenting a forum for discussing this new technology.

      -t

      • http://etherealmind.com Greg Ferro

        At time of writing, I wasn’t aware of the Essentials license. That said, it’s still a ripoff to have to pay for VPN when it was free before.

        I find the no client SSL VPN to be worthless. It only suits certain specific software, it’s painful to configure and even worse to train staff so they know how to support it. Using ACS to set the parameters is a complete nightmare.

        IPSec is simple to use, has limited choices which makes it easy to support. It is used very widely and worth keeping.

  • Joe Magno

    The Cisco AnyConnect client is far superior to the crappy IPSec client. From my testing on Vista the client is faster when running DTLS than the IPSec one. The new Essentials license makes this a no brainer.

    • http://etherealmind.com Greg Ferro

      You are correct that the AnyConnect client is a complete rewrite. My question is why doesn’t Cisco rewrite the IPSec client? Why force us to use SSL only by stopping the IPSec client?

      I want choice or, at least, an explanation. Why should we not use IPSec when it has worked so well for the last five years?

  • Andrew

    You do have a choice: Pay cisco for the SSL upgrade (if your device supports it), or pay for a new client…

    http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html

    • http://etherealmind.com Greg Ferro

      Not much of a choice, is it? Why pay for it when I had it for free before?

      (Yes, I know the answer is: Because the competition is charging for it, so can we. It’s a rhetorical question.)

  • MiDiMaN

    I just tried this free Shrew IPsec VPN client, it works well in vista x64 and win 7 RC x64. I was also able to import a cisco .pcf directly into shrew. Just select the pcf file and import.

    http://www.shrew.net/software

    Shrew has support for Windows, Linux and BSD.

    There is no need to buy NCP VPN client or TheGreenBow VPN client.

    • http://etherealmind.com Greg Ferro

      Thank you. Confirmation is good to know. I can use this in my own networks knowing that other people have tested it.

  • http://vpnhaus.wordpress.com VPN Haus

    Reading from the top (article first, then all the comments), the problem here is not one or two disgruntled IPSec users being abandoned by Cisco that can use a free-ware client …. this is a painful enterprise issue now.

    YES, there is cause for both IPSec and SSL to coexist. For IPSec use, you need central policy control / management / NAC ‘patdowns’ over ALL clients, including 64-bit VPN clients. With Cisco out of the picture, the market is free for focused and mature providers to step in, like Andrew mentioned, NCP is the one I am familiar with. More info here:

    http://vpnhaus.wordpress.com/

  • BTX

    You are really assuming a lot that Cisco is not going to support IPSec in Anyconnect in the near future. A bigger font doesn’t make your assumption any more true.

    IPSec support in Anyconnect has not been needed when there has been a perfectly functional IPSec client available. IPSec isn’t just going to disappear and Cisco engineers and TME’s aren’t stupid. *cough*

  • http://www.cisco.com Cisco VPN Client Support

    First off, if you check out CDW for AnyConnect licenses, you will notice that a 25 concurrent user connection license is $69.99 and the 10,000 concurrent user connection license is $333.99. Not quite $125 per user. :)

    But on a more important note, not all is lost for the IPSec client, we have posted a BETA Cisco VPN Client “IPSec” for Windows 7, Version 5.0.06.0100 can now be gotten from cisco.com.

    If you have any problems, email cvc-beta(at)cisco(dot)com and let us know.

  • Matt

    Can you name another company other than cisco who gives away (Yes FREE) a vpn client and then provides 24 x 7 technical support?

    So since when does it make sense for a company to sink all that money into developing a client that not only are they not getting paid to develop but also losing even more money in the support of the client that they keep doing development work on?

  • http://www.xorail.com Johnrojas1

    Cisco ANYConnect Essentials VPN Client is not the same as Cisco SSL VPN Premium, it is an IPSEC / SSL client that costs less. We implemented it a few weeks ago and it cost less than $200 for up to 250 users.
    The following link explains the differences: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

  • ForcedToOtherVendor

    We may be a corner-case in the marketing strategy, but we support a hundred different customers over inexpensive 8xx series devices (couple different models.) We also have other VPN’s for support and access but the customer support network is the primary problem with the effective end-of-life of the Cisco VPN Client.

    What has not been mentioned in this dialogue to this point is that the router performance capabilities using the Cisco VPN Client can be a factor of 5. The 871 will support 10 VPN tunnels. It will support only 2 SSL VPN tunnels. The 1800 supports 50 IPsec or 25 SSL. The relationship carries through the entire product line.

    We have a fully-functional, multi-point VPN architecture deployed and in use by well over 1000 support staff. How could incurring the costs of design, licensing, hardware, deployment, support and maintenance be justified?

    To make the situation worse, Cisco has not been open with their plans despite two years of asking about 64 bit windows support in the existing VPN client. Our parent company already wanted us to dump the Cisco solution. Unfortunately, I’m out of good answers as to why we should not just do so. Cisco had gotten pretty good about sufficient end-of-life announcements. They really blew this one though.

    The irony is that Cisco had one of the most flexible IPSEC implementations available but they apparently are going to abandon it to become a 3rd rate SSL VPN vendor.

    See: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72.html

  • tirta

    So is there any alternative besides using the cisco vpn anyconnect? Just wondering since cisco vpn anyconnect is based on openvpn, so can openvpn be used to connect?

  • James

    Yes Cisco is gouging the customer again. The only reason the IPSec client was free was they wanted to become the Security leader. The Altiga client wasn’t the best client but for Free it was pretty damn good. I also never had any problem getting it to work with anyone else’s IPSec server.
    NetScreen (now Juniper) charged $2.00 per IPSec Client to recoup the cost of development and support. Cisco was making so much margin it could afford to give it away, again their goal was to lock up the enterprise security market. Their Security products are still not the best on the market but they have such a base, and have been pushing the 1 vendor solution that no one is going to get fired for buying Cisco (Unless you’re old enough to remember IBM networking).
    Since things have been getting tight at Cisco they are only making 65% margin on everything they sell now as compared to 70% when they gave the IPSec client away free.

  • Weaver

    Understand the difference between AnyConnect Essentials and AnyConnect Premium!

    Johnrojas1 hinted at it in the link he provides above.

    The “2 AnyConnect licenses” that come with ASA’s and particular IOS routers are full AnyConnect Premium licenses. AnyConnect Premium is more than simply “SSL VPN” –> Premium enables clientless SSL VPN, Secure Desktop, Host Scan. In AnyConnect SMC 3.0 Network Access Manager is included in Premium and Essentials.

    To move beyond the included 2 AnyConnect Premium licenses one has to purchase additional AnyConnect Premium licenses — which are no doubt pricey if you are used to free or included.

    However, there is another option and that is to move to the AnyConnect Essentials licensing mode. AnyConnect Essentials removes the bells and whistles of Premium. Essentials is a single SKU purchase (of less than $200 for both the 5505 and 5510 platforms) that takes your ASA to the platform maximum (25 and 250 respectively) of available AnyConnect Essentials licenses.

    When you enable AnyConnect Essentials, all Premium licensing is removed — including the 2 “included” Premium licenses. AnyConnect Essentials and AnyConnect Premium are mutually exclusive. Only one can be active on the ASA at a time.

    The question is now between Essentials and Premium.

    -Weaver

  • Anonymous

    I’m shifting from Cisco IOS routers to Fortigate UTMs. They have free “unlimited” SSL VPN user licenses and a very nice GUI in addition to a much better built-in packet sniffer. The GUI of Fortigate actually works – unlike Cisco’s CCP/SDM which craps out on so many configuration options and in general just cannot build the configurations I need it to (for example a combo of VRF+VPNs+BGP+Firewall rules). … and of course the Fortigates in a similar price range as Cisco IOS routers have easily 10x performance compared to Cisco.
