AnyConnect on ASA vs. MX

Last updated
Save as PDF

AnyConnect Specific Features

AnyConnect is more than just a VPN client. It is a fully-fledged end-point mobility client solution. However, unlike the AnyConnect implementation on the ASA or FirePOWER with support for multiple features like Host scan, Web launch, etc, the MX security appliance supports SSL Core VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public beta, we will continue to implement other AnyConnect features that align closely with our customer's needs.

The AnyConnect Plus license is the base license. The Apex license includes all Plus features in addition to Apex Only features.

AnyConnect configuration guide

AnyConnect Core VPN Client

Core Features

Feature	Minimum ASA/ASDM Release	Meraki MX wired 16.2+	License Required	Windows	Mac	Linux
SSL (TLS & DTLS), including per-app VPN	ASA 8.0(4) ASDM 6.3(1)	Yes, TLS/DTLS. No, per-app VPN	Plus	Yes	Yes	Yes
TLS compression	ASA 8.0(4) ASDM 6.3(1)	No	Plus	Yes	Yes	Yes
DTLS fallback to TLS	ASA 8.4.2.8 ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
IPsec/IKEv2	ASA 8.4(1) ASDM 6.4(1)	No	Plus	Yes	Yes	Yes
Split tunneling	ASA 8.0(x) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Dynamic split tunneling	ASA 9.0	Yes	Plus, Apex, or VPN-only	Yes	Yes	No
Enhanced dynamic split tunneling	ASA 9.0	No	Plus, Apex, or VPN-only	Yes	Yes	No
Split DNS	ASA 8.0(4) ASDM 6.3(1)	No	Plus or Apex	Yes	Yes	No
Ignore browser proxy	ASA 8.3(1) ASDM 6.3(1)	Yes, in profile	Plus	Yes	Yes	No
Proxy auto config (PAC) file generation	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	No	No
Internet Explorer connections tab lockdown	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	No	No
Optimal gateway selection	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	Yes	No
Local LAN access	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Tethered device access via client firewall rules, for synchronization	ASA 8.3(1) ASDM 6.3(1)	No	Plus	Yes	Yes	Yes
Local printer access via client firewall rules	ASA 8.3(1) ASDM 6.3(1)	No	Plus	Yes	Yes	Yes
IPv6	ASA 9.0 ASDM 7.0	No	Plus	Yes	Yes	No
Further IPv6 implementation	ASA 9.7.1 ASDM 7.7.1	No	Plus	Yes	Yes	Yes
Certificate pinning	No dependency	Yes, in profile	Plus, Apex, or VPN-only	Yes	Yes	Yes
Management VPN tunnel	ASA 9.0 ASDM 7.10.1	No	Apex	Yes	No	No

AnyConnect Deployment and Configuration

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Deferred upgrades	ASA 9.0 ASDM 7.0	No	Plus	Yes	Yes	Yes
Windows services lockdown	ASA 8.0(4) ASDM 6.4(1)	N/A	Plus	Yes	No	No
Update policy, software, and profile lock	ASA 8.0(4) ASDM 6.4(1)	Yes, in profile	Plus	Yes	Yes	Yes
Auto-update	ASA 8.0(4) ASDM 6.3(1)	No	Plus	Yes	Yes	Yes
Web launch (32-bit browsers only)	ASA 8.0(4) ASDM 6.3(1)	No	Plus	Yes	Yes	Yes
Predeployment	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Auto-update client profiles	ASA 8.0(4) ASDM 6.4(1)	Yes	Plus	Yes	Yes	Yes
AnyConnect profile editor	ASA 8.4(1) ASDM 6.4(1)	No	Plus	Yes	Yes	Yes
User-controllable features	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	Yes	No

Connect and Disconnect Features

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Simultaneous clientless & AnyConnect connections	ASA8.0(4) ASDM 6.3(1)	No	Apex	Yes	Yes	Yes
Start before log on (SBL)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	No	No
Run script on connect and disconnect	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Minimize on connect	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Auto connect on start	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Auto reconnect (disconnect on system suspend, reconnect on system resume)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	No
Remote user VPN establishment (permitted or denied)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	No	No
Log-in enforcement (terminate VPN session if another user logs in)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	No	No
Retain VPN session (when user logs off, and then when this or another user logs in)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	No	No
Trusted network detection (TND)	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	Yes	Yes
Always-on (VPN must be connected to access network)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	No
Always-on exemption via DAP	ASA 8.3(1) ASDM 6.3(1)	No	Plus	Yes	Yes	No
Connect failure policy (internet access allowed or disallowed if VPN connection fails)	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	No
Captive portal detection	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus	Yes	Yes	Yes
Captive portal remediation	ASA 8.0(4) ASDM 6.3(1)	Yes, in profile	Plus	Yes	Yes	No
Enhanced captive portal remediation	No dependency	Yes, in profile	Plus	Yes	No	No

Authentication and Encryption Features

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Certificate-only authentication	ASA 8.0(4) ASDM 6.3(1)	No No No No Yes No	Plus	Yes	Yes	Yes
RSA SecurID/SoftID integration			Plus	Yes	No	No
Smartcard support			Plus	Yes	Yes	No
SCEP (requires posture module if machine ID is used)			Plus	Yes	Yes	No
List and select certificates			Plus	Yes	No	No
FIPS			Plus	Yes	Yes	Yes
SHA-2 for IPsec IKEv2 (digital signatures, integrity, & PRF)	ASA 8.0(4) ASDM 6.4(1)	No IKEv2 Yes	Plus	Yes	Yes	Yes
Strong encryption (AES-256 & 3des-168)	ASA 8.0(4) ASDM 6.4(1)	No IKEv2 Yes	Plus	Yes	Yes	Yes
NSA suite-B (IPsec only)	ASA 9.0 ASDM 7.0	No	Apex	Yes	Yes	Yes
Enable CRL check	n/a	No	Apex	Yes	No	No
SAML 2.0 SSO	ASA 9.7.1 ASDM 7.7.1	Yes	Apex or VPN only	Yes	Yes	Yes
Enhanced SAML 2.0	ASA 9.7.1.24 ASA 9.8.2.28 ASA 9.9.2.1	No	Apex or VPN only	Yes	Yes	Yes
Multiple-certificate authentication	ASA 9.7.1 ASDM 7.7.1	No	Plus, Apex, or VPN only	Yes	Yes	Yes

Interfaces

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
GUI	ASA 8.0(4) ASDM 6.3(1)	Dashboard No Yes No No No No	Plus	Yes	Yes	Yes
Command line				Yes	Yes	Yes
API				Yes	Yes	Yes
Microsoft component object module (COM)				Yes	No	No
Localization of user messages				Yes	Yes	No
Custom MSI transforms				Yes	No	No
User defined resource files				Yes	Yes	No
Client help	ASA 9.0 ASDM 7.0	Yes		Yes	Yes	Yes

AnyConnect Network Access Manager

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Core	ASA 8.4(1) ASDM 6.4(1)	Yes	Plus	Yes	No	No
Wired support IEEE 802.3				Yes
Wireless support IEEE 802.11				Yes
Pre-log on and single sign-on authentication				Yes
IEEE 802.1X				Yes
IEEE 802.1AE MACsec				Yes
EAP methods				Yes
FIPS 140-2 level 1				Yes
Mobile broadband support	ASA 8.4(1) ASDM 7.0	Yes		Yes
IPv6	ASA 9.0 ASDM 7.0	No		Yes
NGE and NSA suite-B	ASA 9.0 ASDM 7.0	No		Yes
TLS 1.2 for VPN connectivity*	n/a	Yes		Yes	No	No

AnyConnect Secure Mobility Modules

HostScan and Posture Assessment

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Endpoint Assessment	ASA 8.0(4) ASDM 6.3(1)	No No No	Apex	Yes	Yes	Yes
Endpoint Remediation			Apex	Yes	Yes	Yes
Quarantine			Apex	Yes	Yes	Yes
Quarantine status & terminate message	ASA 8.3(1) ASDM 6.3(1)	No	Apex	Yes	Yes	Yes
HostScan package update	ASA 8.4(1) ASDM 6.4(1)	No No	Apex	Yes	Yes	Yes
Host emulation detection	ASA 8.4(1) ASDM 6.4(1)	No No	Apex	Yes	No	No
OPSWAT v4	ASA 9.9(1) ASDM 7.9(1)	No	Apex	Yes	Yes	Yes

ISE Posture

Feature	Minimum AnyConnect Release	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Change of authorization (CoA)	4.0	ASA 9.2.1 ASDM 7.2.1	No	2.0	Plus	Yes	Yes	Yes
ISE posture profile editor	4.0	ASA 9.2.1 ASDM 7.2.1	No	n/a	Apex	Yes	Yes	Yes
AC identity extensions (ACIDex)	4.0	n/a	No	2.0	Plus	Yes	Yes	Yes
ISE posture module	4.0	n/a	No	2.0	Apex	Yes	Yes	No
Detection of USB mass storage devices (v4 only)	4.3	n/a	No	2.1	Apex	Yes	No	No
OPSWAT v4	4.3	n/a	No	2.1	Apex	Yes	Yes	No
Stealth agent for posture	4.4	n/a	No	2.2	Apex	Yes	Yes	No
Continuous end-point monitoring	4.4	n/a	No	2.2	Apex	Yes	Yes	No
Next-generation provisioning and discovery	4.4	n/a	No	2.2	Apex	Yes	Yes	No
Application kill and uninstall capabilities	4.4	n/a	No	2.2	Apex	Yes	Yes	No
Cisco temporal agent	4.5	n/a	No	2.3	ISE Apex	Yes	Yes	No
Enhanced SCCM approach	4.5	n/a	No	2.3	AC Apex and ISE Apex	Yes	No	No
Posture policy enhancements for optional mode	4.5	n/a	No	2.3	AC Apex and ISE Apex	Yes	Yes	No
Periodic probe interval in profile editor	4.5	n/a	No	2.3	AC Apex and ISE Apex	Yes	Yes	No
Visibility into hardware inventory	4.5	n/a	No	2.3	AC Apex and ISE Apex	Yes	Yes	No
Grace period for noncompliant devices	4.6	n/a	No	2.4	AC Apex and ISE Apex	Yes	Yes	No
Posture rescan	4.6	n/a	No	2.4	AC Apex and ISE Apex	Yes	Yes	No
AnyConnect stealth mode notifications	4.6	n/a	No	2.4	AC Apex and ISE Apex	Yes	Yes	No
Disabling UAC prompt	4.6	n/a	No	2.4	AC Apex and ISE Apex	Yes	No	No
Enhanced grace period	4.7	n/a	No	2.6	AC Apex and ISE Apex	Yes	Yes	No
Custom notification controls and revamp of remediation windows	4.7	n/a	No	2.6	AC Apex and ISE Apex	Yes	Yes	No

Web Security

Feature	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
Core	ASA 8.4(1) ASDM 6.4(1)	No No	Plus	Yes Yes	Yes	No
Cloud-hosted configuration
Secure trusted network detection	ASA 8.4(1) ASDM 7.0	No No No
Dynamic configuration elements
Fail close/fail open policy

AMP Enabler

Feature

Minimum ASA/ASDM Release

Meraki MX

Minimum ISE Release

License Required

Windows

Mac

Linux

AMP enabler

ASDM 7.4.2

ASA 9.4.1

ISE 1.4

Plus

Yes

Network Visibility Module

Feature	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Network visibility module	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Adjustment to the rate at which data is sent	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Customization of NVM timer	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Broadcast and multicast option for data collection	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Creation of anonymization profiles	ASDM 7.5.1 ASA 9.5.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Broader data collection and anonymization with hashing	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Support for Java as a container	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Configuration of cache to customize	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Periodic flow reporting	ASDM 7.7.1 ASA 9.7.1	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Flow filter	n/a	Yes, in special NVM profile. Must be deployed locally.	no ISE dependency	Apex	Yes	Yes	Yes
Stand-alone NVM	n/a	Yes, in special NVM profile. Must be deployed locally.	n/a	Apex	Yes	Yes	Yes

Umbrella Roaming Security Module

Feature	Minimum ASA/ASDM Release	Meraki MX	Minimum ISE Release	License Required	Windows	Mac	Linux
Umbrella roaming security module	ASDM 7.6.2 ASA 9.4.1	Yes, in special Umbrella profile. Must be deployed locally.	ISE 2.0	Either Plus or Apex Umbrella licensing is mandatory	Yes	Yes	No
Umbrella secure web gateway	n/a	Yes, in special Umbrella profile. Must be deployed locally.	n/a	SIG Essential package from Umbrella	Yes	Yes	No
OpenDNS IPv6 support	n/a	No, IPv6	n/a	n/a	Yes	Yes	No

Reporting and Troubleshooting Modules

Customer Experience Feedback

Feature

Minimum ASA/ASDM Release

Meraki MX

License Required

Windows

Mac

Linux

Customer experience feedback

ASA 8.4(1)

ASDM 7.0

Yes

Plus

Yes

Diagnostic and Report Tool (DART)

Log Type	Minimum ASA/ASDM Release	Meraki MX	License Required	Windows	Mac	Linux
VPN	ASA 8.0(4) ASDM 6.3(1)	Yes	Plus Apex	Yes	Yes	Yes
Network access manager	ASA 8.4(1) ASDM 6.4(1)	Yes		Yes	No	No
Posture Assessment				Yes	Yes	Yes
Web security				Yes	Yes	No