Cisco Meraki

AnyConnect on ASA vs. MX

AnyConnect Specific Features

AnyConnect is more than just a VPN client; it is a fully fledged endpoint mobility client. However, unlike the AnyConnect implementation on the ASA or FirePOWER, which supports multiple features such as HostScan and web launch, the MX security appliance supports SSL Core VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details, see the tables below. As AnyConnect progresses into public beta, we will continue to implement other AnyConnect features that align closely with our customers' needs.

The AnyConnect Plus license is the base license. The Apex license includes all Plus features in addition to Apex-only features.
 

AnyConnect configuration guide

AnyConnect Core VPN Client

Core Features

| Feature | Minimum ASA/ASDM Release | Meraki MX wired 16.2+ | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| SSL (TLS & DTLS), including per-app VPN | ASA 8.0(4), ASDM 6.3(1) | Yes, TLS/DTLS. No, per-app VPN | Plus | Yes | Yes | Yes |
| TLS compression | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| DTLS fallback to TLS | ASA 8.4.2.8, ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| IPsec/IKEv2 | ASA 8.4(1), ASDM 6.4(1) | No | Plus | Yes | Yes | Yes |
| Split tunneling | ASA 8.0(x), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Dynamic split tunneling | ASA 9.0 | Yes | Plus, Apex, or VPN-only | Yes | Yes | No |
| Enhanced dynamic split tunneling | ASA 9.0 | No | Plus, Apex, or VPN-only | Yes | Yes | No |
| Split DNS | ASA 8.0(4), ASDM 6.3(1) | No | Plus or Apex | Yes | Yes | No |
| Ignore browser proxy | ASA 8.3(1), ASDM 6.3(1) | Yes, in profile | Plus | Yes | Yes | No |
| Proxy auto config (PAC) file generation | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | No | No |
| Internet Explorer connections tab lockdown | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | No | No |
| Optimal gateway selection | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | Yes | No |
| Local LAN access | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Tethered device access via client firewall rules, for synchronization | ASA 8.3(1), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| Local printer access via client firewall rules | ASA 8.3(1), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| IPv6 | ASA 9.0, ASDM 7.0 | No | Plus | Yes | Yes | No |
| Further IPv6 implementation | ASA 9.7.1, ASDM 7.7.1 | No | Plus | Yes | Yes | Yes |
| Certificate pinning | No dependency | Yes, in profile | Plus, Apex, or VPN-only | Yes | Yes | Yes |
| Management VPN tunnel | ASA 9.0, ASDM 7.10.1 | No | Apex | Yes | No | No |


AnyConnect Deployment and Configuration

| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| Deferred upgrades | ASA 9.0, ASDM 7.0 | No | Plus | Yes | Yes | Yes |
| Windows services lockdown | ASA 8.0(4), ASDM 6.4(1) | N/A | Plus | Yes | No | No |
| Update policy, software, and profile lock | ASA 8.0(4), ASDM 6.4(1) | Yes, in profile | Plus | Yes | Yes | Yes |
| Auto-update | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| Web launch (32-bit browsers only) | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| Predeployment | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Auto-update client profiles | ASA 8.0(4), ASDM 6.4(1) | Yes | Plus | Yes | Yes | Yes |
| AnyConnect profile editor | ASA 8.4(1), ASDM 6.4(1) | No | Plus | Yes | Yes | Yes |
| User-controllable features | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | Yes | No |


Connect and Disconnect Features

| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| Simultaneous clientless & AnyConnect connections | ASA 8.0(4), ASDM 6.3(1) | No | Apex | Yes | Yes | Yes |
| Start before log on (SBL) | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | No | No |
| Run script on connect and disconnect | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Minimize on connect | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Auto connect on start | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Auto reconnect (disconnect on system suspend, reconnect on system resume) | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | No |
| Remote user VPN establishment (permitted or denied) | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | No | No |
| Log-in enforcement (terminate VPN session if another user logs in) | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | No | No |
| Retain VPN session (when user logs off, and then when this or another user logs in) | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | No | No |
| Trusted network detection (TND) | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | Yes | Yes |
| Always-on (VPN must be connected to access network) | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | No |
| Always-on exemption via DAP | ASA 8.3(1), ASDM 6.3(1) | No | Plus | Yes | Yes | No |
| Connect failure policy (internet access allowed or disallowed if VPN connection fails) | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | No |
| Captive portal detection | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Captive portal remediation | ASA 8.0(4), ASDM 6.3(1) | Yes, in profile | Plus | Yes | Yes | No |
| Enhanced captive portal remediation | No dependency | Yes, in profile | Plus | Yes | No | No |


Authentication and Encryption Features

| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| Certificate-only authentication | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| RSA SecurID/SoftID integration | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | No | No |
| Smartcard support | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | No |
| SCEP (requires posture module if machine ID is used) | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | No |
| List and select certificates | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | No | No |
| FIPS | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| SHA-2 for IPsec IKEv2 (digital signatures, integrity, & PRF) | ASA 8.0(4), ASDM 6.4(1) | No IKEv2 | Plus | Yes | Yes | Yes |
| Strong encryption (AES-256 & 3DES-168) | ASA 8.0(4), ASDM 6.4(1) | Yes | Plus | Yes | Yes | Yes |
| NSA suite-B (IPsec only) | ASA 9.0, ASDM 7.0 | No | Apex | Yes | Yes | Yes |
| Enable CRL check | n/a | No | Apex | Yes | No | No |
| SAML 2.0 SSO | ASA 9.7.1, ASDM 7.7.1 | Yes | Apex or VPN only | Yes | Yes | Yes |
| Enhanced SAML 2.0 | ASA 9.7.1.24, ASA 9.8.2.28, ASA 9.9.2.1 | No | Apex or VPN only | Yes | Yes | Yes |
| Multiple-certificate authentication | ASA 9.7.1, ASDM 7.7.1 | No | Plus, Apex, or VPN only | Yes | Yes | Yes |


Interfaces

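| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| GUI | ASA 8.0(4), ASDM 6.3(1) | Dashboard | Plus | Yes | Yes | Yes |
| Command line | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | Yes |
| API | ASA 8.0(4), ASDM 6.3(1) | Yes | Plus | Yes | Yes | Yes |
| Microsoft Component Object Model (COM) | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | No | No |
| Localization of user messages | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | No |
| Custom MSI transforms | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | No | No |
| User defined resource files | ASA 8.0(4), ASDM 6.3(1) | No | Plus | Yes | Yes | No |
| Client help | ASA 9.0, ASDM 7.0 | Yes | Plus | Yes | Yes | Yes |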


AnyConnect Network Access Manager

Feature

Minimum ASA/ASDM Release

Meraki MX

License Required

Windows

Mac

Linux

Core

ASA 8.4(1)

ASDM 6.4(1)

Yes

Plus

Yes

No

No

Wired support IEEE 802.3

Yes

Wireless support IEEE 802.11

Yes

Pre-log on and single sign-on authentication

Yes

IEEE 802.1X

Yes

IEEE 802.1AE MACsec

Yes

EAP methods

Yes

FIPS 140-2 level 1

Yes

Mobile broadband support

ASA 8.4(1)

ASDM 7.0

Yes

Yes

IPv6

ASA 9.0

ASDM 7.0

No

Yes

NGE and NSA suite-B

Yes

TLS 1.2 for VPN connectivity*

n/a

Yes

 

Yes

No

No

AnyConnect Secure Mobility Modules

HostScan and Posture Assessment

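| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| Endpoint Assessment | ASA 8.0(4), ASDM 6.3(1) | No | Apex | Yes | Yes | Yes |
| Endpoint Remediation | ASA 8.0(4), ASDM 6.3(1) | No | Apex | Yes | Yes | Yes |
| Quarantine | ASA 8.0(4), ASDM 6.3(1) | No | Apex | Yes | Yes | Yes |
| Quarantine status & terminate message | ASA 8.3(1), ASDM 6.3(1) | No | Apex | Yes | Yes | Yes |
| HostScan package update | ASA 8.4(1), ASDM 6.4(1) | No | Apex | Yes | Yes | Yes |
| Host emulation detection | ASA 8.4(1), ASDM 6.4(1) | No | Apex | Yes | No | No |
| OPSWAT v4 | ASA 9.9(1), ASDM 7.9(1) | No | Apex | Yes | Yes | Yes |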


ISE Posture

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | Meraki MX | Minimum ISE Release | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|---|---|
| Change of authorization (CoA) | 4.0 | ASA 9.2.1, ASDM 7.2.1 | No | 2.0 | Plus | Yes | Yes | Yes |
| ISE posture profile editor | 4.0 | ASA 9.2.1, ASDM 7.2.1 | No | n/a | Apex | Yes | Yes | Yes |
| AC identity extensions (ACIDex) | 4.0 | n/a | No | 2.0 | Plus | Yes | Yes | Yes |
| ISE posture module | 4.0 | n/a | No | 2.0 | Apex | Yes | Yes | No |
| Detection of USB mass storage devices (v4 only) | 4.3 | n/a | No | 2.1 | Apex | Yes | No | No |
| OPSWAT v4 | 4.3 | n/a | No | 2.1 | Apex | Yes | Yes | No |
| Stealth agent for posture | 4.4 | n/a | No | 2.2 | Apex | Yes | Yes | No |
| Continuous end-point monitoring | 4.4 | n/a | No | 2.2 | Apex | Yes | Yes | No |
| Next-generation provisioning and discovery | 4.4 | n/a | No | 2.2 | Apex | Yes | Yes | No |
| Application kill and uninstall capabilities | 4.4 | n/a | No | 2.2 | Apex | Yes | Yes | No |
| Cisco temporal agent | 4.5 | n/a | No | 2.3 | ISE Apex | Yes | Yes | No |
| Enhanced SCCM approach | 4.5 | n/a | No | 2.3 | AC Apex and ISE Apex | Yes | No | No |
| Posture policy enhancements for optional mode | 4.5 | n/a | No | 2.3 | AC Apex and ISE Apex | Yes | Yes | No |
| Periodic probe interval in profile editor | 4.5 | n/a | No | 2.3 | AC Apex and ISE Apex | Yes | Yes | No |
| Visibility into hardware inventory | 4.5 | n/a | No | 2.3 | AC Apex and ISE Apex | Yes | Yes | No |
| Grace period for noncompliant devices | 4.6 | n/a | No | 2.4 | AC Apex and ISE Apex | Yes | Yes | No |
| Posture rescan | 4.6 | n/a | No | 2.4 | AC Apex and ISE Apex | Yes | Yes | No |
| AnyConnect stealth mode notifications | 4.6 | n/a | No | 2.4 | AC Apex and ISE Apex | Yes | Yes | No |
| Disabling UAC prompt | 4.6 | n/a | No | 2.4 | AC Apex and ISE Apex | Yes | No | No |
| Enhanced grace period | 4.7 | n/a | No | 2.6 | AC Apex and ISE Apex | Yes | Yes | No |
| Custom notification controls and revamp of remediation windows | 4.7 | n/a | No | 2.6 | AC Apex and ISE Apex | Yes | Yes | No |


Web Security

Feature

Minimum ASA/ASDM Release

Meraki MX

License Required

Windows

Mac

Linux

Core

ASA 8.4(1)

ASDM 6.4(1)

No



No

Plus

Yes

Yes

Yes

No

Cloud-hosted configuration

Secure trusted network detection

ASA 8.4(1)

ASDM 7.0

No






No





No

Dynamic configuration elements

Fail close/fail open policy


AMP Enabler

| Feature | Minimum ASA/ASDM Release | Meraki MX | Minimum ISE Release | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|---|
| AMP enabler | ASDM 7.4.2, ASA 9.4.1 | No | ISE 1.4 | Plus | Yes | Yes | No |


Network Visibility Module

| Feature | Minimum ASA/ASDM Release | Meraki MX | Minimum ISE Release | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|---|
| Network visibility module | ASDM 7.5.1, ASA 9.5.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Adjustment to the rate at which data is sent | ASDM 7.5.1, ASA 9.5.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Customization of NVM timer | ASDM 7.5.1, ASA 9.5.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Broadcast and multicast option for data collection | ASDM 7.5.1, ASA 9.5.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Creation of anonymization profiles | ASDM 7.5.1, ASA 9.5.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Broader data collection and anonymization with hashing | ASDM 7.7.1, ASA 9.7.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Support for Java as a container | ASDM 7.7.1, ASA 9.7.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Configuration of cache to customize | ASDM 7.7.1, ASA 9.7.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Periodic flow reporting | ASDM 7.7.1, ASA 9.7.1 | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Flow filter | n/a | Yes, in special NVM profile. Must be deployed locally. | no ISE dependency | Apex | Yes | Yes | Yes |
| Stand-alone NVM | n/a | Yes, in special NVM profile. Must be deployed locally. | n/a | Apex | Yes | Yes | Yes |


Umbrella Roaming Security Module

| Feature | Minimum ASA/ASDM Release | Meraki MX | Minimum ISE Release | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|---|
| Umbrella roaming security module | ASDM 7.6.2, ASA 9.4.1 | Yes, in special Umbrella profile. Must be deployed locally. | ISE 2.0 | Either Plus or Apex. Umbrella licensing is mandatory | Yes | Yes | No |
| Umbrella secure web gateway | n/a | Yes, in special Umbrella profile. Must be deployed locally. | n/a | SIG Essential package from Umbrella | Yes | Yes | No |
| OpenDNS IPv6 support | n/a | No, IPv6 | n/a | n/a | Yes | Yes | No |


Reporting and Troubleshooting Modules

Customer Experience Feedback

| Feature | Minimum ASA/ASDM Release | Meraki MX | License Required | Windows | Mac | Linux |
|---|---|---|---|---|---|---|
| Customer experience feedback | ASA 8.4(1), ASDM 7.0 | Yes | Plus | Yes | Yes | No |


Diagnostic and Report Tool (DART)

Log Type

Minimum ASA/ASDM Release

Meraki MX

License Required

Windows

Mac

Linux

VPN

ASA 8.0(4)

ASDM 6.3(1)

Yes

Plus

Apex

Yes

Yes

Yes

Network access manager

ASA 8.4(1)

ASDM 6.4(1)

Yes

Yes

No

No

Posture Assessment

Yes

Yes

Yes

Web security

Yes

Yes

No
