AnyConnect on ASA vs MX

Last updated
Save as PDF

AnyConnect specific features

AnyConnect is more than just a VPN client. It is fully fledged endpoint mobility client solution. However, unlike the AnyConnect implementation on the ASA/FirePower, with support for multiple features like host scan, web launch, etc, the MX Security Appliance supports SSL VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public Beta, we will continue to implement other AnyConnect features that align closely to our customers needs.

AnyConnect Configuration guide

AnyConnect Core VPN Client

Core Features

Feature	Minimum ASA/ASDM Release	Meraki MX wired 16.2+	License Required	Windows	Mac	Linux
SSL (TLS & DTLS), including Per App VPN	ASA 8.0(4) ASDM 6.3(1)	Yes, TLS/DTLS. No, per app requires custom apps.	Plus	yes	yes	yes
TLS Compression	ASA 8.0(4) ASDM 6.3(1)	No.	Plus	yes	yes	yes
DTLS fallback to TLS	ASA 8.4.2.8 ASDM 6.3(1)	Yes	Plus	yes	yes	yes
IPsec/IKEv2	ASA 8.4(1) ASDM 6.4(1)	No	Plus	yes	yes	yes
Split tunneling	ASA 8.0(x) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Dynamic Split Tunneling	ASA 9.0	No, requires custom attributes Will be available soon.	Plus, Apex, or VPN-only	yes	yes	no
Enhanced Dynamic Split Tunneling	ASA 9.0	No, requires custom attributes Will be available soon.	Plus, Apex, or VPN-only	yes	yes	no
Split DNS	ASA 8.0(4) ASDM 6.3(1)	No	Plus	yes	yes	no
Ignore Browser Proxy	ASA 8.3(1) ASDM 6.3(1)	Yes, in profile	Plus	yes	yes	no
Proxy Auto Config (PAC) file generation	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	no	no
Internet Explorer Connections tab lockdown	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	no	no
Optimal Gateway Selection	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	yes	no
Global Site Selector (GSS) compatibility	ASA 8.0(4) ASDM 6.4(1)	Yes	Plus	yes	yes	yes
Local LAN Access	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Tethered device access via client firewall rules, for synchronization	ASA 8.3(1) ASDM 6.3(1)	No	Plus	yes	yes	yes
Local printer access via client firewall rules	ASA 8.3(1) ASDM 6.3(1)	No	Plus	yes	yes	yes
IPv6	ASA 9.0 ASDM 7.0	No	Plus	yes	yes	no
Further IPv6 implementation	ASA 9.7.1 ASDM 7.7.1	No	Plus	yes	yes	yes
Certificate Pinning	no dependency	Yes, in profile	Plus, Apex, or VPN-only	yes	yes	yes
Management VPN tunnel	ASA 9.0 ASDM 7.10.1	No	Apex	yes	no	no

AnyConnect Deployment and Configuration

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Deferred Upgrades	ASA 9.0 ASDM 7.0	No, requires custom attributes Will be available soon.	Plus	yes	yes	yes
Windows Services Lockdown	ASA 8.0(4) ASDM 6.4(1)	N/A	Plus	yes	no	no
Update Policy, Software and Profile Lock	ASA 8.0(4) ASDM 6.4(1)	Yes, Profile update.	Plus	yes	yes	yes
Auto Update	ASA 8.0(4) ASDM 6.3(1)	No	Plus	yes	yes	yes
Web Launch (32 bit browsers only)	ASA 8.0(4) ASDM 6.3(1)	No	Plus	yes	yes	yes
Pre-deployment	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Auto Update Client Profiles	ASA 8.0(4) ASDM 6.4(1)	Yes	Plus	yes	yes	yes
AnyConnect Profile Editor	ASA 8.4(1) ASDM 6.4(1)	No	Plus	yes	yes	yes
User Controllable Features	ASA 8.0(4) ASDM 6.3(1)	Client side only, some controlled by profile	Plus	yes	yes	no

Connect and Disconnect Features

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Simultaneous Clientless & AnyConnect connections	ASA8.0(4) ASDM 6.3(1)	No	Apex	yes	yes	yes
Start Before Logon (SBL)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	no	no
Run script on connect & disconnect	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Minimize on connect	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Auto connect on start	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Auto reconnect (disconnect on system suspend, reconnect on system resume)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	no
Remote User VPN Establishment (permitted or denied)	ASA 8.0(4) ASDM 6.3(1)	Yes, profile option	Plus	yes	no	no
Logon Enforcement (terminate VPN session if another user logs in)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	no	no
Retain VPN session (when user logs off, and then when this or another user logs in)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	no	no
Trusted Network Detection (TND)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	yes	yes	yes
Always on (VPN must be connected to access network)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	no
Always on exemption via DAP	ASA 8.3(1) ASDM 6.3(1)	No	Plus	yes	yes	no
Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	no
Captive Portal Detection	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	yes	yes	yes
Captive Portal Remediation	ASA 8.0(4) ASDM 6.3(1)	Yes, profile option	Plus	yes	yes	no
Enhanced Captive Portal Remediation	no dependency	Yes, profile option	Plus	yes	no	no

Authentication and Encryption Features

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Certificate only authentication	ASA 8.0(4) ASDM 6.3(1)	No, cert only No, RSA No No Yes No	Plus	yes	yes	yes
RSA SecurID /SoftID integration			Plus	yes	no	no
Smartcard support			Plus	yes	yes	no
SCEP (requires Posture Module if Machine ID is used)			Plus	yes	yes	no
List & select certificates			Plus	yes	no	no
FIPS			Plus	yes	yes	yes
SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF)	ASA 8.0(4) ASDM 6.4(1)	No IKEv2 Yes, but new algorithms	Plus	yes	yes	yes
Strong Encryption (AES-256 & 3des-168)	ASA 8.0(4) ASDM 6.4(1)	No IKEv2 Yes, but new algorithms	Plus	yes	yes	yes
NSA Suite-B (IPsec only)	ASA 9.0 ASDM 7.0	No	Apex	yes	yes	yes
Enable CRL check	n/a	No	Apex	yes	no	no
SAML 2.0 SSO	ASA 9.7.1 ASDM 7.7.1	No	Apex or VPN only	yes	yes	yes
Enhanced SAML 2.0	ASA 9.7.1.24 ASA 9.8.2.28 ASA 9.9.2.1	No	Apex or VPN only	yes	yes	yes
Multiple-certificate authentication	ASA 9.7.1 ASDM 7.7.1	No	Plus, Apex, or VPN only	yes	yes	yes

Interfaces

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
GUI	ASA 8.0(4) ASDM 6.3(1)	Dashboard	Plus	yes	yes	yes
Command Line				yes	yes	yes
API				yes	yes	yes
Microsoft Component Object Module (COM)				yes	no	no
Localization of User Messages				yes	yes	no
Custom MSI transforms				yes	no	no
User defined resource files				yes	yes	no
Client Help	ASA 9.0 ASDM 7.0	Yes		yes	yes	yes

AnyConnect Network Access Manager

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Core	ASA 8.4(1) ASDM 6.4(1)	Yes	Plus	yes	no	no
Wired support IEEE 802.3				yes
Wireless support IEEE 802.11				yes
Pre-logon & Single Sign on Authentication				yes
IEEE 802.1X				yes
IEEE 802.1AE MACsec				yes
EAP methods				yes
FIPS 140-2 Level 1				yes
Mobile Broadband support	ASA 8.4(1) ASDM 7.0	Yes		yes
IPv6	ASA 9.0 ASDM 7.0	No		yes
NGE and NSA Suite-B	ASA 9.0 ASDM 7.0	No		yes
TLS 1.2 for VPN connectivity*	n/a	Yes		yes	no	no

AnyConnect Secure Mobility Modules

HostScan and Posture Assessment

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Endpoint Assessment	ASA 8.0(4) ASDM 6.3(1)	No	Apex	yes	yes	yes
Endpoint Remediation			Apex	yes	yes	yes
Quarantine			Apex	yes	yes	yes
Quarantine status & terminate message	ASA 8.3(1) ASDM 6.3(1)	No	Apex	yes	yes	yes
HostScan Package Update	ASA 8.4(1) ASDM 6.4(1)	No	Apex	yes	yes	yes
Host Emulation Detection	ASA 8.4(1) ASDM 6.4(1)	No	Apex	yes	no	no
OPSWAT v4	ASA 9.9(1) ASDM 7.9(1)	No	Apex	yes	yes	yes

ISE Posture

Feature	Minimum AnyConnect Release	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Change of Authorization (CoA)	4.0	ASA 9.2.1 ASDM 7.2.1	No	2.0	Plus	yes	yes	yes
ISE Posture Profile Editor	4.0	ASA 9.2.1 ASDM 7.2.1	No	n/a	Apex	yes	yes	yes
AC Identity Extensions (ACIDex)	4.0	n/a	No	2.0	Plus	yes	yes	yes
ISE Posture Module	4.0	n/a	No	2.0	Apex	yes	yes	no
Detection of USB mass storage devices (v4 only)	4.3	n/a	No	2.1	Apex	yes	no	no
OPSWAT v4	4.3	n/a	No	2.1	Apex	yes	yes	no
Stealth Agent for posture	4.4	n/a	No	2.2	Apex	yes	yes	no
Continuous endpoint monitoring	4.4	n/a	No	2.2	Apex	yes	yes	no
Next-generation provisioning and discovery	4.4	n/a	No	2.2	Apex	yes	yes	no
Application kill and uninstall capabilities	4.4	n/a	No	2.2	Apex	yes	yes	no
Cisco Temporal Agent	4.5	n/a	No	2.3	ISE Apex	yes	yes	no
Enhanced SCCM approach	4.5	n/a	No	2.3	AC Apex and ISE Apex	yes	no	no
Posture policy enhancements for optional mode	4.5	n/a	No	2.3	AC Apex and ISE Apex	yes	yes	no
Periodic probe interval in profile editor	4.5	n/a	No	2.3	AC Apex and ISE Apex	yes	yes	no
Visibility into hardware inventory	4.5	n/a	No	2.3	AC Apex and ISE Apex	yes	yes	no
Grace period for noncompliant devices	4.6	n/a	No	2.4	AC Apex and ISE Apex	yes	yes	no
Posture rescan	4.6	n/a	No	2.4	AC Apex and ISE Apex	yes	yes	no
AnyConnect stealth mode notifications	4.6	n/a	No	2.4	AC Apex and ISE Apex	yes	yes	no
Disabling UAC prompt	4.6	n/a	No	2.4	AC Apex and ISE Apex	yes	no	no
Enhanced grace period	4.7	n/a	No	2.6	AC Apex and ISE Apex	yes	yes	no
Custom notification controls and revamp of remediation windows	4.7	n/a	No	2.6	AC Apex and ISE Apex	yes	yes	no

Web Security

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Core	ASA 8.4(1) ASDM 6.4(1)	No	Plus	Yes Yes	yes	no
Cloud-Hosted Configuration
Secure Trusted Network Detection	ASA 8.4(1) ASDM 7.0	No
Dynamic Configuration Elements
Fail Close / Fail Open Policy

AMP Enabler

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

License Required

Windows

Mac

Linux

AMP enabler

ASDM 7.4.2

ASA 9.4.1

ISE 1.4

Plus

Yes

Network Visibility Module

Feature	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Network Visibility Module	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Adjustment to the rate at which data is sent	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Customization of NVM timer	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Broadcast and multicast option for data collection	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Creation of anonymization profiles	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Broader data collection and anonymization with hashing	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Support for Java as a container	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Configuration of cache to customize	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Periodic flow reporting	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Flow filter	n/a	Yes, in special NVM profile. Must be deployed locally	no ISE dependency	Apex	Yes	Yes	Yes
Standalone NVM	n/a	Yes, in special NVM profile. Must be deployed locally	n/a	Apex	Yes	Yes	Yes

Umbrella Roaming Security Module

Feature	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Umbrella Roaming Security Module	ASDM 7.6.2 ASA 9.4.1	Yes, in special Umbrella profile. Must be deployed locally	ISE 2.0	Either Plus or Apex Umbrella licensing is mandatory	Yes	Yes	No
Umbrella Secure Web Gateway	n/a	Yes, in special Umbrella profile. Must be deployed locally	n/a	SIG Essential package from Umbrella	Yes	Yes	No
OpenDNS IPv6 support	n/a	No, IPv6	n/a	n/a	Yes	Yes	No

Reporting and Troubleshooting Modules

Customer Experience Feedback