Skip to main content

 

Cisco Meraki Documentation

AnyConnect on ASA vs. MX

AnyConnect Specific Features

AnyConnect is more than just a VPN client. It is a fully-fledged end-point mobility client solution. However, unlike the AnyConnect implementation on the ASA or FirePOWER with support for multiple features like Host scan, Web launch, etc, the MX security appliance supports SSL Core VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public beta, we will continue to implement other AnyConnect features that align closely with our customer's needs.

The AnyConnect Advantage (formerly Plus license) is the base license. The Premier (formerly Apex license) includes all Advantage (formerly Plus) features in addition to Premier (formerly Apex license) Only features.

AnyConnect configuration guide

AnyConnect Core VPN Client

Core Features

Feature

Minimum ASA/ASDM Release

Meraki MX
wired 16.2+

Minimum License Required

Windows

Mac

Linux

SSL (TLS & DTLS), including per-app VPN

ASA 8.0(4)

ASDM 6.3(1)

Yes, TLS/DTLS.
No, per-app VPN

Advantage (formerly Plus)

Yes

Yes

Yes

TLS compression

ASA 8.0(4)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

DTLS fallback to TLS

ASA 8.4.2.8

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

IPsec/IKEv2

ASA 8.4(1)

ASDM 6.4(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

Split tunneling

ASA 8.0(x)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Dynamic split tunneling

ASA 9.0

Yes

Plus, Apex, or VPN-only

Yes

Yes

No

Enhanced dynamic split tunneling

ASA 9.0

No

Plus, Apex, or VPN-only

Yes

Yes

No

Split DNS

ASA 8.0(4)

ASDM 6.3(1)

No

Plus or Apex

Yes

Yes

No

Ignore browser proxy

ASA 8.3(1)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

No

Proxy auto config (PAC) file generation

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

No

No

Internet Explorer connections tab lockdown

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

No

No

Optimal gateway selection

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

No

Local LAN access

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Tethered device access via client firewall rules, for synchronization

ASA 8.3(1)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

Local printer access via client firewall rules

ASA 8.3(1)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

IPv6

ASA 9.0

ASDM 7.0

No

Advantage (formerly Plus)

Yes

Yes

No

Further IPv6 implementation

ASA 9.7.1

ASDM 7.7.1

No

Advantage (formerly Plus)

Yes

Yes

Yes

Certificate pinning

No dependency

Yes, in profile

Plus, Apex, or VPN-only

Yes

Yes

Yes

Management VPN tunnel

ASA 9.0

ASDM 7.10.1

No

Premier (formerly Apex)

Yes

No

No


AnyConnect Deployment and Configuration

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Deferred upgrades

ASA 9.0

ASDM 7.0

No

Advantage (formerly Plus)

Yes

Yes

Yes

Windows services lockdown

ASA 8.0(4)

ASDM 6.4(1)

N/A

Advantage (formerly Plus)

Yes

No

No

Update policy, software, and profile lock

ASA 8.0(4)

ASDM 6.4(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

Yes

Auto-update

ASA 8.0(4)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

Web launch

(32-bit browsers only)

ASA 8.0(4)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

Predeployment

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Auto-update client profiles

ASA 8.0(4)

ASDM 6.4(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

AnyConnect profile editor

ASA 8.4(1)

ASDM 6.4(1)

No

Advantage (formerly Plus)

Yes

Yes

Yes

User-controllable features

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

No


Connect and Disconnect Features

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Simultaneous clientless & AnyConnect connections

ASA8.0(4)

ASDM 6.3(1)

No

Premier (formerly Apex)

Yes

Yes

Yes

Start before log on (SBL)

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

No

No

Run script on connect and disconnect

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Minimize on connect

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Auto connect on start

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Auto reconnect (disconnect on system suspend, reconnect on system resume)

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

No

Remote user VPN establishment (permitted or denied)

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

No

No

Log-in enforcement (terminate VPN session if another user logs in)

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

No

No

Retain VPN session (when user logs off, and then when this or another user logs in)

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

No

No

Trusted network detection (TND)

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

Yes

Always-on (VPN must be connected to access network)

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

No

Always-on exemption via DAP

ASA 8.3(1)

ASDM 6.3(1)

No

Advantage (formerly Plus)

Yes

Yes

No

Connect failure policy (internet access allowed or disallowed if VPN connection fails)

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

No

Captive portal detection

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Captive portal remediation

ASA 8.0(4)

ASDM 6.3(1)

Yes, in profile

Advantage (formerly Plus)

Yes

Yes

No

Enhanced captive portal remediation

No dependency

Yes, in profile Advantage (formerly Plus)

Yes

No

No


Authentication and Encryption Features

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Certificate-only authentication

ASA 8.0(4)

ASDM 6.3(1)

No




No
 

 

No
 



No



 


Yes

 


No

Advantage (formerly Plus)

Yes

Yes

Yes

RSA SecurID/SoftID integration

Advantage (formerly Plus)

Yes

No

No

Smartcard support

Advantage (formerly Plus)

Yes

Yes

No

SCEP (requires posture module if machine ID is used)

Advantage (formerly Plus)

Yes

Yes

No

List and select certificates

Advantage (formerly Plus)

Yes

No

No

FIPS

Advantage (formerly Plus)

Yes

Yes

Yes

SHA-2 for IPsec IKEv2 (digital signatures, integrity, & PRF)

ASA 8.0(4)

ASDM 6.4(1)


No IKEv2

 


Yes

Advantage (formerly Plus)

Yes

Yes

Yes

Strong encryption (AES-256 & 3des-168)

Advantage (formerly Plus)

Yes

Yes

Yes

NSA suite-B (IPsec only)

ASA 9.0

ASDM 7.0

No

Premier (formerly Apex)

Yes

Yes

Yes

Enable CRL check

n/a

No

Premier (formerly Apex)

Yes

No

No

SAML 2.0 SSO

ASA 9.7.1

ASDM 7.7.1

Yes

Apex or VPN only

Yes

Yes

Yes

Enhanced SAML 2.0

ASA 9.7.1.24

ASA 9.8.2.28

ASA 9.9.2.1

No

Apex or VPN only

Yes

Yes

Yes

Multiple-certificate authentication

ASA 9.7.1

ASDM 7.7.1

No

Plus, Apex, or VPN only

Yes

Yes

Yes


Interfaces

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

GUI

ASA 8.0(4)

ASDM 6.3(1)

Dashboard

 


No

 

Yes




No




No




No



No

Advantage (formerly Plus)

Yes

Yes

Yes

Command line

Yes

Yes

Yes

API

Yes

Yes

Yes

Microsoft component object module (COM)

Yes

No

No

Localization of user messages

Yes

Yes

No

Custom MSI transforms

Yes

No

No

User defined resource files

Yes

Yes

No

Client help

ASA 9.0

ASDM 7.0

Yes

Yes

Yes

Yes


AnyConnect Network Access Manager

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum license Required

Windows

Mac

Linux

Core

ASA 8.4(1)

ASDM 6.4(1)

Yes

Advantage (formerly Plus)

Yes

No

No

Wired support IEEE 802.3

Yes

Wireless support IEEE 802.11

Yes

Pre-log on and single sign-on authentication

Yes

IEEE 802.1X

Yes

IEEE 802.1AE MACsec

Yes

EAP methods

Yes

FIPS 140-2 level 1

Yes

Mobile broadband support

ASA 8.4(1)

ASDM 7.0

Yes

Yes

IPv6

ASA 9.0

ASDM 7.0

No

Yes

NGE and NSA suite-B

Yes

TLS 1.2 for VPN connectivity*

n/a

Yes

 

Yes

No

No

AnyConnect Secure Mobility Modules

HostScan and Posture Assessment

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Endpoint Assessment

ASA 8.0(4)

ASDM 6.3(1)

No



No



No

Premier (formerly Apex)

Yes

Yes

Yes

Endpoint Remediation

Premier (formerly Apex)

Yes

Yes

Yes

Quarantine

Premier (formerly Apex)

Yes

Yes

Yes

Quarantine status & terminate message

ASA 8.3(1)

ASDM 6.3(1)

No

Premier (formerly Apex)

Yes

Yes

Yes

HostScan package update

ASA 8.4(1)

ASDM 6.4(1)

No



No

Premier (formerly Apex)

Yes

Yes

Yes

Host emulation detection

Premier (formerly Apex)

Yes

No

No

OPSWAT v4

ASA 9.9(1)

ASDM 7.9(1)

No

Premier (formerly Apex)

Yes

Yes

Yes


ISE Posture

Feature

Minimum AnyConnect Release

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

Minimum license Required

Windows

Mac

Linux

Change of authorization (CoA)

4.0

ASA 9.2.1

ASDM 7.2.1

No

2.0

Advantage (formerly Plus)

Yes

Yes

Yes

ISE posture profile editor

4.0

ASA 9.2.1

ASDM 7.2.1

No

n/a

Premier (formerly Apex)

Yes

Yes

Yes

AC identity extensions (ACIDex)

4.0

n/a

No

2.0

Advantage (formerly Plus)

Yes

Yes

Yes

ISE posture module

4.0

n/a

No

2.0

Premier (formerly Apex)

Yes

Yes

No

Detection of USB mass storage devices (v4 only)

4.3

n/a

No

2.1

Premier (formerly Apex)

Yes

No

No

OPSWAT v4

4.3

n/a

No

2.1

Premier (formerly Apex)

Yes

Yes

No

Stealth agent for posture

4.4

n/a

No

2.2

Premier (formerly Apex)

Yes

Yes

No

Continuous end-point monitoring

4.4

n/a

No

2.2

Premier (formerly Apex)

Yes

Yes

No

Next-generation provisioning and discovery

4.4

n/a

No

2.2

Premier (formerly Apex)

Yes

Yes

No

Application kill and uninstall capabilities

4.4

n/a

No

2.2

Premier (formerly Apex)

Yes

Yes

No

Cisco temporal agent

4.5

n/a

No

2.3

ISE Premier (formerly Apex)

Yes

Yes

No

Enhanced SCCM approach

4.5

n/a

No

2.3

Premier (formerly Apex) and ISE Apex

Yes

No

No

Posture policy enhancements for optional mode

4.5

n/a

No

2.3

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Periodic probe interval in profile editor

4.5

n/a

No

2.3

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Visibility into hardware inventory

4.5

n/a

No

2.3

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Grace period for noncompliant devices

4.6

n/a

No

2.4

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Posture rescan

4.6

n/a

No

2.4

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

AnyConnect stealth mode notifications

4.6

n/a

No

2.4

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Disabling UAC prompt

4.6

n/a

No

2.4

Premier (formerly Apex) and ISE Apex

Yes

No

No

Enhanced grace period

4.7

n/a

No

2.6

Premier (formerly Apex) and ISE Apex

Yes

Yes

No

Custom notification controls and revamp of remediation windows

4.7

n/a

No

2.6

Premier (formerly Apex) and ISE Apex

Yes

Yes

No


Web Security

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Core

ASA 8.4(1)

ASDM 6.4(1)

No



No

Advantage (formerly Plus)

Yes

Yes

Yes

No

Cloud-hosted configuration

Secure trusted network detection

ASA 8.4(1)

ASDM 7.0

No






No





No

Dynamic configuration elements

Fail close/fail open policy


AMP Enabler

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

Minimum license Required

Windows

Mac

Linux

AMP enabler

ASDM 7.4.2

ASA 9.4.1

No

ISE 1.4

Advantage (formerly Plus)

Yes

Yes

No


Network Visibility Module

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

Minimum License Required

Windows

Mac

Linux

Network visibility module

ASDM 7.5.1

ASA 9.5.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Adjustment to the rate at which data is sent

ASDM 7.5.1

ASA 9.5.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Customization of NVM timer

ASDM 7.5.1

ASA 9.5.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Broadcast and multicast option for data collection

ASDM 7.5.1

ASA 9.5.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Creation of anonymization profiles

ASDM 7.5.1

ASA 9.5.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Broader data collection and anonymization with hashing

ASDM 7.7.1

ASA 9.7.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Support for Java as a container

ASDM 7.7.1

ASA 9.7.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Configuration of cache to customize

ASDM 7.7.1

ASA 9.7.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Periodic flow reporting

ASDM 7.7.1

ASA 9.7.1

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Flow filter

n/a

Yes, in special NVM profile. Must be deployed locally.

no ISE dependency

Premier (formerly Apex)

Yes

Yes

Yes

Stand-alone NVM

n/a

Yes, in special NVM profile. Must be deployed locally.

n/a

Premier (formerly Apex)

Yes

Yes

Yes


Umbrella Roaming Security Module

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

Minimum License Required

Windows

Mac

Linux

Umbrella roaming security module

ASDM 7.6.2

ASA 9.4.1

Yes, in special Umbrella profile. Must be deployed locally.

ISE 2.0

Either Advantage or Premier

Umbrella licensing is mandatory

Yes

Yes

No

Umbrella secure web gateway

n/a

Yes, in special Umbrella profile. Must be deployed locally.

n/a

SIG Essential package from Umbrella

Yes

Yes

No

OpenDNS IPv6 support

n/a

No, IPv6

n/a

n/a

Yes

Yes

No


Reporting and Troubleshooting Modules

Customer Experience Feedback

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

Customer experience feedback

ASA 8.4(1)

ASDM 7.0

Yes

Advantage (formerly Plus)

Yes

Yes

No


Diagnostic and Report Tool (DART)

Log Type

Minimum ASA/ASDM Release

Meraki MX

Minimum License Required

Windows

Mac

Linux

VPN

ASA 8.0(4)

ASDM 6.3(1)

Yes

Advantage or Premier

Yes

Yes

Yes

Network access manager

ASA 8.4(1)

ASDM 6.4(1)

Yes

Yes

No

No

Posture Assessment

Yes

Yes

Yes

Web security

Yes

Yes

No