Skip to main content
Cisco Meraki

AnyConnect on ASA vs MX

    AnyConnect specific features

    AnyConnect is more than just a VPN client. It is fully fledged endpoint mobility client solution. However, unlike the AnyConnect implementation on the ASA/FirePower, with support for multiple features like host scan, web launch, etc, the MX Security Appliance supports SSL VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public Beta, we will continue to implement other AnyConnect features that align closely to our customers needs.
     

    AnyConnect Configuration guide

    AnyConnect Core VPN Client

    Core Features

    Feature

    Minimum ASA/ASDM Release

    Meraki MX
    wired 16.2+

    License Required

    Windows

    Mac

    Linux

    SSL (TLS & DTLS), including Per App VPN

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, TLS/DTLS.
    No, per app requires custom apps.

    Plus

    yes

    yes

    yes

    TLS Compression

    ASA 8.0(4)

    ASDM 6.3(1)

    No.

    Plus

    yes

    yes

    yes

    DTLS fallback to TLS

    ASA 8.4.2.8

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    IPsec/IKEv2

    ASA 8.4(1)

    ASDM 6.4(1)

    No

    Plus

    yes

    yes

    yes

    Split tunneling

    ASA 8.0(x)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Dynamic Split Tunneling

    ASA 9.0

    No, requires custom attributes

    Will be available soon.

    Plus, Apex, or VPN-only

    yes

    yes

    no

    Enhanced Dynamic Split Tunneling

    ASA 9.0

    No, requires custom attributes

    Will be available soon.

    Plus, Apex, or VPN-only

    yes

    yes

    no

    Split DNS

    ASA 8.0(4)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    no

    Ignore Browser Proxy

    ASA 8.3(1)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    yes

    no

    Proxy Auto Config (PAC) file generation

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    no

    no

    Internet Explorer Connections tab lockdown

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    no

    no

    Optimal Gateway Selection

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    yes

    no

    Global Site Selector (GSS) compatibility

    ASA 8.0(4)

    ASDM 6.4(1)

    Yes

    Plus

    yes

    yes

    yes

    Local LAN Access

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Tethered device access via client firewall rules, for synchronization

    ASA 8.3(1)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    yes

    Local printer access via client firewall rules

    ASA 8.3(1)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    yes

    IPv6

    ASA 9.0

    ASDM 7.0

    No

    Plus

    yes

    yes

    no

    Further IPv6 implementation

    ASA 9.7.1

    ASDM 7.7.1

    No

    Plus

    yes

    yes

    yes

    Certificate Pinning

    no dependency

    Yes, in profile

    Plus, Apex, or VPN-only

    yes

    yes

    yes

    Management VPN tunnel

    ASA 9.0

    ASDM 7.10.1

    No

    Apex

    yes

    no

    no


    AnyConnect Deployment and Configuration

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Deferred Upgrades

    ASA 9.0

    ASDM 7.0

    No, requires custom attributes

    Will be available soon.

    Plus

    yes

    yes

    yes

    Windows Services Lockdown

    ASA 8.0(4)

    ASDM 6.4(1)

    N/A

    Plus

    yes

    no

    no

    Update Policy, Software and Profile Lock

    ASA 8.0(4)

    ASDM 6.4(1)

    Yes, Profile update.

    Plus

    yes

    yes

    yes

    Auto Update

    ASA 8.0(4)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    yes

    Web Launch

    (32 bit browsers only)

    ASA 8.0(4)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    yes

    Pre-deployment

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Auto Update Client Profiles

    ASA 8.0(4)

    ASDM 6.4(1)

    Yes

    Plus

    yes

    yes

    yes

    AnyConnect Profile Editor

    ASA 8.4(1)

    ASDM 6.4(1)

    No

    Plus

    yes

    yes

    yes

    User Controllable Features

    ASA 8.0(4)

    ASDM 6.3(1)

    Client side only, some controlled by profile

    Plus

    yes

    yes

    no


    Connect and Disconnect Features

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Simultaneous Clientless & AnyConnect connections

    ASA8.0(4)

    ASDM 6.3(1)

    No

    Apex

    yes

    yes

    yes

    Start Before Logon (SBL)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    no

    no

    Run script on connect & disconnect

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Minimize on connect

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Auto connect on start

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Auto reconnect (disconnect on system suspend, reconnect on system resume)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    no

    Remote User VPN Establishment (permitted or denied)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, profile option

    Plus

    yes

    no

    no

    Logon Enforcement (terminate VPN session if another user logs in)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    no

    no

    Retain VPN session (when user logs off, and then when this or another user logs in)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    no

    no

    Trusted Network Detection (TND)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, in profile

    Plus

    yes

    yes

    yes

    Always on (VPN must be connected to access network)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    no

    Always on exemption via DAP

    ASA 8.3(1)

    ASDM 6.3(1)

    No

    Plus

    yes

    yes

    no

    Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails)

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    no

    Captive Portal Detection

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    yes

    yes

    yes

    Captive Portal Remediation

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes, profile option

    Plus

    yes

    yes

    no

    Enhanced Captive Portal Remediation

    no dependency

    Yes, profile option

    Plus

    yes

    no

    no


    Authentication and Encryption Features

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Certificate only authentication

    ASA 8.0(4)

    ASDM 6.3(1)

    No, cert only




    No, RSA
     

     


    No
     



    No




    Yes

     

    No

    Plus

    yes

    yes

    yes

    RSA SecurID /SoftID integration

    Plus

    yes

    no

    no

    Smartcard support

    Plus

    yes

    yes

    no

    SCEP (requires Posture Module if Machine ID is used)

    Plus

    yes

    yes

    no

    List & select certificates

    Plus

    yes

    no

    no

    FIPS

    Plus

    yes

    yes

    yes

    SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF)

    ASA 8.0(4)

    ASDM 6.4(1)


    No IKEv2

     


    Yes, but new algorithms

    Plus

    yes

    yes

    yes

    Strong Encryption (AES-256 & 3des-168)

    Plus

    yes

    yes

    yes

    NSA Suite-B (IPsec only)

    ASA 9.0

    ASDM 7.0

    No

    Apex

    yes

    yes

    yes

    Enable CRL check

    n/a

    No

    Apex

    yes

    no

    no

    SAML 2.0 SSO

    ASA 9.7.1

    ASDM 7.7.1

    No

    Apex or VPN only

    yes

    yes

    yes

    Enhanced SAML 2.0

    ASA 9.7.1.24

    ASA 9.8.2.28

    ASA 9.9.2.1

    No

    Apex or VPN only

    yes

    yes

    yes

    Multiple-certificate authentication

    ASA 9.7.1

    ASDM 7.7.1

    No

    Plus, Apex, or VPN only

    yes

    yes

    yes


    Interfaces

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    GUI

    ASA 8.0(4)

    ASDM 6.3(1)

    Dashboard

    Plus

    yes

    yes

    yes

    Command Line

    yes

    yes

    yes

    API

    yes

    yes

    yes

    Microsoft Component Object Module (COM)

    yes

    no

    no

    Localization of User Messages

    yes

    yes

    no

    Custom MSI transforms

    yes

    no

    no

    User defined resource files

    yes

    yes

    no

    Client Help

    ASA 9.0

    ASDM 7.0

    Yes

    yes

    yes

    yes


    AnyConnect Network Access Manager

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Core

    ASA 8.4(1)

    ASDM 6.4(1)

    Yes

    Plus

    yes

    no

    no

    Wired support IEEE 802.3

    yes

    Wireless support IEEE 802.11

    yes

    Pre-logon & Single Sign on Authentication

    yes

    IEEE 802.1X

    yes

    IEEE 802.1AE MACsec

    yes

    EAP methods

    yes

    FIPS 140-2 Level 1

    yes

    Mobile Broadband support

    ASA 8.4(1)

    ASDM 7.0

    Yes

    yes

    IPv6

    ASA 9.0

    ASDM 7.0

    No

    yes

    NGE and NSA Suite-B

    yes

    TLS 1.2 for VPN connectivity*

    n/a

    Yes

     

    yes

    no

    no

    AnyConnect Secure Mobility Modules

    HostScan and Posture Assessment

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Endpoint Assessment

    ASA 8.0(4)

    ASDM 6.3(1)

    No

    Apex

    yes

    yes

    yes

    Endpoint Remediation

    Apex

    yes

    yes

    yes

    Quarantine

    Apex

    yes

    yes

    yes

    Quarantine status & terminate message

    ASA 8.3(1)

    ASDM 6.3(1)

    No

    Apex

    yes

    yes

    yes

    HostScan Package Update

    ASA 8.4(1)

    ASDM 6.4(1)

    No

    Apex

    yes

    yes

    yes

    Host Emulation Detection

    Apex

    yes

    no

    no

    OPSWAT v4

    ASA 9.9(1)

    ASDM 7.9(1)

    No

    Apex

    yes

    yes

    yes


    ISE Posture

    Feature

    Minimum AnyConnect Release

    Minimum ASA/ASDM Release

    Meraki MX

    Minimum ISE Release

    License Required

    Windows

    Mac

    Linux

    Change of Authorization (CoA)

    4.0

    ASA 9.2.1

    ASDM 7.2.1

    No

    2.0

    Plus

    yes

    yes

    yes

    ISE Posture Profile Editor

    4.0

    ASA 9.2.1

    ASDM 7.2.1

    No

    n/a

    Apex

    yes

    yes

    yes

    AC Identity Extensions (ACIDex)

    4.0

    n/a

    No

    2.0

    Plus

    yes

    yes

    yes

    ISE Posture Module

    4.0

    n/a

    No

    2.0

    Apex

    yes

    yes

    no

    Detection of USB mass storage devices (v4 only)

    4.3

    n/a

    No

    2.1

    Apex

    yes

    no

    no

    OPSWAT v4

    4.3

    n/a

    No

    2.1

    Apex

    yes

    yes

    no

    Stealth Agent for posture

    4.4

    n/a

    No

    2.2

    Apex

    yes

    yes

    no

    Continuous endpoint monitoring

    4.4

    n/a

    No

    2.2

    Apex

    yes

    yes

    no

    Next-generation provisioning and discovery

    4.4

    n/a

    No

    2.2

    Apex

    yes

    yes

    no

    Application kill and uninstall capabilities

    4.4

    n/a

    No

    2.2

    Apex

    yes

    yes

    no

    Cisco Temporal Agent

    4.5

    n/a

    No

    2.3

    ISE Apex

    yes

    yes

    no

    Enhanced SCCM approach

    4.5

    n/a

    No

    2.3

    AC Apex and ISE Apex

    yes

    no

    no

    Posture policy enhancements for optional mode

    4.5

    n/a

    No

    2.3

    AC Apex and ISE Apex

    yes

    yes

    no

    Periodic probe interval in profile editor

    4.5

    n/a

    No

    2.3

    AC Apex and ISE Apex

    yes

    yes

    no

    Visibility into hardware inventory

    4.5

    n/a

    No

    2.3

    AC Apex and ISE Apex

    yes

    yes

    no

    Grace period for noncompliant devices

    4.6

    n/a

    No

    2.4

    AC Apex and ISE Apex

    yes

    yes

    no

    Posture rescan

    4.6

    n/a

    No

    2.4

    AC Apex and ISE Apex

    yes

    yes

    no

    AnyConnect stealth mode notifications

    4.6

    n/a

    No

    2.4

    AC Apex and ISE Apex

    yes

    yes

    no

    Disabling UAC prompt

    4.6

    n/a

    No

    2.4

    AC Apex and ISE Apex

    yes

    no

    no

    Enhanced grace period

    4.7

    n/a

    No

    2.6

    AC Apex and ISE Apex

    yes

    yes

    no

    Custom notification controls and revamp of remediation windows

    4.7

    n/a

    No

    2.6

    AC Apex and ISE Apex

    yes

    yes

    no


    Web Security

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Core

    ASA 8.4(1)

    ASDM 6.4(1)

    No

    Plus

    Yes

    Yes

    yes

    no

    Cloud-Hosted Configuration

    Secure Trusted Network Detection

    ASA 8.4(1)

    ASDM 7.0

    No

    Dynamic Configuration Elements

    Fail Close / Fail Open Policy


    AMP Enabler

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    Minimum ISE Release

    License Required

    Windows

    Mac

    Linux

    AMP enabler

    ASDM 7.4.2

    ASA 9.4.1

    No

    ISE 1.4

    Plus

    Yes

    Yes

    No


    Network Visibility Module

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    Minimum ISE Release

    License Required

    Windows

    Mac

    Linux

    Network Visibility Module

    ASDM 7.5.1

    ASA 9.5.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Adjustment to the rate at which data is sent

    ASDM 7.5.1

    ASA 9.5.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Customization of NVM timer

    ASDM 7.5.1

    ASA 9.5.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Broadcast and multicast option for data collection

    ASDM 7.5.1

    ASA 9.5.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Creation of anonymization profiles

    ASDM 7.5.1

    ASA 9.5.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Broader data collection and anonymization with hashing

    ASDM 7.7.1

    ASA 9.7.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Support for Java as a container

    ASDM 7.7.1

    ASA 9.7.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Configuration of cache to customize

    ASDM 7.7.1

    ASA 9.7.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Periodic flow reporting

    ASDM 7.7.1

    ASA 9.7.1

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Flow filter

    n/a

    Yes, in special NVM profile. Must be deployed locally

    no ISE dependency

    Apex

    Yes

    Yes

    Yes

    Standalone NVM

    n/a

    Yes, in special NVM profile. Must be deployed locally

    n/a

    Apex

    Yes

    Yes

    Yes


    Umbrella Roaming Security Module

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    Minimum ISE Release

    License Required

    Windows

    Mac

    Linux

    Umbrella Roaming Security Module

    ASDM 7.6.2

    ASA 9.4.1

    Yes, in special Umbrella profile. Must be deployed locally

    ISE 2.0

    Either Plus or Apex

    Umbrella licensing is mandatory

    Yes

    Yes

    No

    Umbrella Secure Web Gateway

    n/a

    Yes, in special Umbrella profile. Must be deployed locally

    n/a

    SIG Essential package from Umbrella

    Yes

    Yes

    No

    OpenDNS IPv6 support

    n/a

    No, IPv6

    n/a

    n/a

    Yes

    Yes

    No


    Reporting and Troubleshooting Modules

    Customer Experience Feedback

    Feature

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    Customer Experience Feedback

    ASA 8.4(1)

    ASDM 7.0

    Yes

    Plus

    yes

    yes

    no


    Diagnostic and Report Tool (DART)

    Log Type

    Minimum ASA/ASDM Release

    Meraki MX

    License Required

    Windows

    Mac

    Linux

    VPN

    ASA 8.0(4)

    ASDM 6.3(1)

    Yes

    Plus

    Apex

    yes

    yes

    yes

    Network Access Manager

    ASA 8.4(1)

    ASDM 6.4(1)

    Yes

    yes

    no

    no

    Posture Assessment

    yes

    yes

    yes

    Web Security

    yes

    yes

    no

    • Was this article helpful?