AnyConnect on ASA vs MX
AnyConnect specific features
AnyConnect is more than just a VPN client. It is fully fledged endpoint mobility client solution. However, unlike the AnyConnect implementation on the ASA/FirePower, with support for multiple features like host scan, web launch, etc, the MX Security Appliance supports SSL VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public Beta, we will continue to implement other AnyConnect features that align closely to our customers needs.
AnyConnect Configuration guide
AnyConnect Core VPN Client
Core Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
SSL (TLS & DTLS), including Per App VPN |
ASA 8.0(4) ASDM 6.3(1) |
Yes, TLS/DTLS. |
Plus |
yes |
yes |
yes |
TLS Compression |
ASA 8.0(4) ASDM 6.3(1) |
No. |
Plus |
yes |
yes |
yes |
DTLS fallback to TLS |
ASA 8.4.2.8 ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
IPsec/IKEv2 |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
yes |
yes |
yes |
Split tunneling |
ASA 8.0(x) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Dynamic Split Tunneling |
ASA 9.0 |
No, requires custom attributes Will be available soon. |
Plus, Apex, or VPN-only |
yes |
yes |
no |
Enhanced Dynamic Split Tunneling |
ASA 9.0 |
No, requires custom attributes Will be available soon. |
Plus, Apex, or VPN-only |
yes |
yes |
no |
Split DNS |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
no |
Ignore Browser Proxy |
ASA 8.3(1) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
yes |
no |
Proxy Auto Config (PAC) file generation |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
no |
no |
Internet Explorer Connections tab lockdown |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
no |
no |
Optimal Gateway Selection |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
yes |
no |
Global Site Selector (GSS) compatibility |
ASA 8.0(4) ASDM 6.4(1) |
Yes |
Plus |
yes |
yes |
yes |
Local LAN Access |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Tethered device access via client firewall rules, for synchronization |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
yes |
Local printer access via client firewall rules |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
yes |
IPv6 |
ASA 9.0 ASDM 7.0 |
No |
Plus |
yes |
yes |
no |
Further IPv6 implementation |
ASA 9.7.1 ASDM 7.7.1 |
No |
Plus |
yes |
yes |
yes |
Certificate Pinning |
no dependency |
Yes, in profile |
Plus, Apex, or VPN-only |
yes |
yes |
yes |
Management VPN tunnel |
ASA 9.0 ASDM 7.10.1 |
No |
Apex |
yes |
no |
no |
AnyConnect Deployment and Configuration
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Deferred Upgrades |
ASA 9.0 ASDM 7.0 |
No, requires custom attributes Will be available soon. |
Plus |
yes |
yes |
yes |
Windows Services Lockdown |
ASA 8.0(4) ASDM 6.4(1) |
N/A |
Plus |
yes |
no |
no |
Update Policy, Software and Profile Lock |
ASA 8.0(4) ASDM 6.4(1) |
Yes, Profile update. |
Plus |
yes |
yes |
yes |
Auto Update |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
yes |
Web Launch (32 bit browsers only) |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
yes |
Pre-deployment |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Auto Update Client Profiles |
ASA 8.0(4) ASDM 6.4(1) |
Yes |
Plus |
yes |
yes |
yes |
AnyConnect Profile Editor |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
yes |
yes |
yes |
User Controllable Features |
ASA 8.0(4) ASDM 6.3(1) |
Client side only, some controlled by profile |
Plus |
yes |
yes |
no |
Connect and Disconnect Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Simultaneous Clientless & AnyConnect connections |
ASA8.0(4) ASDM 6.3(1) |
No |
Apex |
yes |
yes |
yes |
Start Before Logon (SBL) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
no |
no |
Run script on connect & disconnect |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Minimize on connect |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Auto connect on start |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Auto reconnect (disconnect on system suspend, reconnect on system resume) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
no |
Remote User VPN Establishment (permitted or denied) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, profile option |
Plus |
yes |
no |
no |
Logon Enforcement (terminate VPN session if another user logs in) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
no |
no |
Retain VPN session (when user logs off, and then when this or another user logs in) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
no |
no |
Trusted Network Detection (TND) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
yes |
yes |
yes |
Always on (VPN must be connected to access network) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
no |
Always on exemption via DAP |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
yes |
yes |
no |
Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
no |
Captive Portal Detection |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
yes |
yes |
yes |
Captive Portal Remediation |
ASA 8.0(4) ASDM 6.3(1) |
Yes, profile option |
Plus |
yes |
yes |
no |
Enhanced Captive Portal Remediation |
no dependency |
Yes, profile option |
Plus |
yes |
no |
no |
Authentication and Encryption Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Certificate only authentication |
ASA 8.0(4) ASDM 6.3(1) |
No, cert only
No |
Plus |
yes |
yes |
yes |
RSA SecurID /SoftID integration |
Plus |
yes |
no |
no |
||
Smartcard support |
Plus |
yes |
yes |
no |
||
SCEP (requires Posture Module if Machine ID is used) |
Plus |
yes |
yes |
no |
||
List & select certificates |
Plus |
yes |
no |
no |
||
FIPS |
Plus |
yes |
yes |
yes |
||
SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF) |
ASA 8.0(4) ASDM 6.4(1) |
|
Plus |
yes |
yes |
yes |
Strong Encryption (AES-256 & 3des-168) |
Plus |
yes |
yes |
yes |
||
NSA Suite-B (IPsec only) |
ASA 9.0 ASDM 7.0 |
No |
Apex |
yes |
yes |
yes |
Enable CRL check |
n/a |
No |
Apex |
yes |
no |
no |
SAML 2.0 SSO |
ASA 9.7.1 ASDM 7.7.1 |
No |
Apex or VPN only |
yes |
yes |
yes |
Enhanced SAML 2.0 |
ASA 9.7.1.24 ASA 9.8.2.28 ASA 9.9.2.1 |
No |
Apex or VPN only |
yes |
yes |
yes |
Multiple-certificate authentication |
ASA 9.7.1 ASDM 7.7.1 |
No |
Plus, Apex, or VPN only |
yes |
yes |
yes |
Interfaces
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
GUI |
ASA 8.0(4) ASDM 6.3(1) |
Dashboard |
Plus |
yes |
yes |
yes |
Command Line |
yes |
yes |
yes |
|||
API |
yes |
yes |
yes |
|||
Microsoft Component Object Module (COM) |
yes |
no |
no |
|||
Localization of User Messages |
yes |
yes |
no |
|||
Custom MSI transforms |
yes |
no |
no |
|||
User defined resource files |
yes |
yes |
no |
|||
Client Help |
ASA 9.0 ASDM 7.0 |
Yes |
yes |
yes |
yes |
AnyConnect Network Access Manager
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Core |
ASA 8.4(1) ASDM 6.4(1) |
Yes |
Plus |
yes |
no |
no |
Wired support IEEE 802.3 |
yes |
|||||
Wireless support IEEE 802.11 |
yes |
|||||
Pre-logon & Single Sign on Authentication |
yes |
|||||
IEEE 802.1X |
yes |
|||||
IEEE 802.1AE MACsec |
yes |
|||||
EAP methods |
yes |
|||||
FIPS 140-2 Level 1 |
yes |
|||||
Mobile Broadband support |
ASA 8.4(1) ASDM 7.0 |
Yes |
yes |
|||
IPv6 |
ASA 9.0 ASDM 7.0 |
No |
yes |
|||
NGE and NSA Suite-B |
yes |
|||||
TLS 1.2 for VPN connectivity* |
n/a |
Yes |
|
yes |
no |
no |
AnyConnect Secure Mobility Modules
HostScan and Posture Assessment
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Endpoint Assessment |
ASA 8.0(4) ASDM 6.3(1) |
No |
Apex |
yes |
yes |
yes |
Endpoint Remediation |
Apex |
yes |
yes |
yes |
||
Quarantine |
Apex |
yes |
yes |
yes |
||
Quarantine status & terminate message |
ASA 8.3(1) ASDM 6.3(1) |
No |
Apex |
yes |
yes |
yes |
HostScan Package Update |
ASA 8.4(1) ASDM 6.4(1) |
No |
Apex |
yes |
yes |
yes |
Host Emulation Detection |
Apex |
yes |
no |
no |
||
OPSWAT v4 |
ASA 9.9(1) ASDM 7.9(1) |
No |
Apex |
yes |
yes |
yes |
ISE Posture
Feature |
Minimum AnyConnect Release |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Change of Authorization (CoA) |
4.0 |
ASA 9.2.1 ASDM 7.2.1 |
No |
2.0 |
Plus |
yes |
yes |
yes |
ISE Posture Profile Editor |
4.0 |
ASA 9.2.1 ASDM 7.2.1 |
No |
n/a |
Apex |
yes |
yes |
yes |
AC Identity Extensions (ACIDex) |
4.0 |
n/a |
No |
2.0 |
Plus |
yes |
yes |
yes |
ISE Posture Module |
4.0 |
n/a |
No |
2.0 |
Apex |
yes |
yes |
no |
Detection of USB mass storage devices (v4 only) |
4.3 |
n/a |
No |
2.1 |
Apex |
yes |
no |
no |
OPSWAT v4 |
4.3 |
n/a |
No |
2.1 |
Apex |
yes |
yes |
no |
Stealth Agent for posture |
4.4 |
n/a |
No |
2.2 |
Apex |
yes |
yes |
no |
Continuous endpoint monitoring |
4.4 |
n/a |
No |
2.2 |
Apex |
yes |
yes |
no |
Next-generation provisioning and discovery |
4.4 |
n/a |
No |
2.2 |
Apex |
yes |
yes |
no |
Application kill and uninstall capabilities |
4.4 |
n/a |
No |
2.2 |
Apex |
yes |
yes |
no |
Cisco Temporal Agent |
4.5 |
n/a |
No |
2.3 |
ISE Apex |
yes |
yes |
no |
Enhanced SCCM approach |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
yes |
no |
no |
Posture policy enhancements for optional mode |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
yes |
yes |
no |
Periodic probe interval in profile editor |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
yes |
yes |
no |
Visibility into hardware inventory |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
yes |
yes |
no |
Grace period for noncompliant devices |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
yes |
yes |
no |
Posture rescan |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
yes |
yes |
no |
AnyConnect stealth mode notifications |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
yes |
yes |
no |
Disabling UAC prompt |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
yes |
no |
no |
Enhanced grace period |
4.7 |
n/a |
No |
2.6 |
AC Apex and ISE Apex |
yes |
yes |
no |
Custom notification controls and revamp of remediation windows |
4.7 |
n/a |
No |
2.6 |
AC Apex and ISE Apex |
yes |
yes |
no |
Web Security
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Core |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
Yes Yes |
yes |
no |
Cloud-Hosted Configuration |
||||||
Secure Trusted Network Detection |
ASA 8.4(1) ASDM 7.0 |
No |
||||
Dynamic Configuration Elements |
||||||
Fail Close / Fail Open Policy |
AMP Enabler
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
AMP enabler |
ASDM 7.4.2 ASA 9.4.1 |
No |
ISE 1.4 |
Plus |
Yes |
Yes |
No |
Network Visibility Module
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Network Visibility Module |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Adjustment to the rate at which data is sent |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Customization of NVM timer |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Broadcast and multicast option for data collection |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Creation of anonymization profiles |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Broader data collection and anonymization with hashing |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Support for Java as a container |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Configuration of cache to customize |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Periodic flow reporting |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Flow filter |
n/a |
Yes, in special NVM profile. Must be deployed locally |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Standalone NVM |
n/a |
Yes, in special NVM profile. Must be deployed locally |
n/a |
Apex |
Yes |
Yes |
Yes |
Umbrella Roaming Security Module
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Umbrella Roaming Security Module |
ASDM 7.6.2 ASA 9.4.1 |
Yes, in special Umbrella profile. Must be deployed locally |
ISE 2.0 |
Either Plus or Apex Umbrella licensing is mandatory |
Yes |
Yes |
No |
Umbrella Secure Web Gateway |
n/a |
Yes, in special Umbrella profile. Must be deployed locally |
n/a |
SIG Essential package from Umbrella |
Yes |
Yes |
No |
OpenDNS IPv6 support |
n/a |
No, IPv6 |
n/a |
n/a |
Yes |
Yes |
No |
Reporting and Troubleshooting Modules
Customer Experience Feedback
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Customer Experience Feedback |
ASA 8.4(1) ASDM 7.0 |
Yes |
Plus |
yes |
yes |
no |
Diagnostic and Report Tool (DART)
Log Type |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
VPN |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus Apex |
yes |
yes |
yes |
Network Access Manager |
ASA 8.4(1) ASDM 6.4(1) |
Yes |
yes |
no |
no |
|
Posture Assessment |
yes |
yes |
yes |
|||
Web Security |
yes |
yes |
no |