AnyConnect on ASA vs. MX
AnyConnect Specific Features
AnyConnect is more than just a VPN client. It is a fully-fledged end-point mobility client solution. However, unlike the AnyConnect implementation on the ASA or FirePOWER with support for multiple features like Host scan, Web launch, etc, the MX security appliance supports SSL Core VPN and other AnyConnect modules that do not require additional configuration on the MX. For more details see the table below. As AnyConnect progresses into public beta, we will continue to implement other AnyConnect features that align closely with our customer's needs.
The AnyConnect Plus license is the base license. The Apex license includes all Plus features in addition to Apex Only features.
AnyConnect configuration guide
AnyConnect Core VPN Client
Core Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
SSL (TLS & DTLS), including per-app VPN |
ASA 8.0(4) ASDM 6.3(1) |
Yes, TLS/DTLS. |
Plus |
Yes |
Yes |
Yes |
TLS compression |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
Yes |
DTLS fallback to TLS |
ASA 8.4.2.8 ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
IPsec/IKEv2 |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
Yes |
Yes |
Yes |
Split tunneling |
ASA 8.0(x) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Dynamic split tunneling |
ASA 9.0 |
Yes |
Plus, Apex, or VPN-only |
Yes |
Yes |
No |
Enhanced dynamic split tunneling |
ASA 9.0 |
No |
Plus, Apex, or VPN-only |
Yes |
Yes |
No |
Split DNS |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus or Apex |
Yes |
Yes |
No |
Ignore browser proxy |
ASA 8.3(1) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
Yes |
No |
Proxy auto config (PAC) file generation |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
No |
No |
Internet Explorer connections tab lockdown |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
No |
No |
Optimal gateway selection |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
Yes |
No |
Local LAN access |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Tethered device access via client firewall rules, for synchronization |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
Yes |
Local printer access via client firewall rules |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
Yes |
IPv6 |
ASA 9.0 ASDM 7.0 |
No |
Plus |
Yes |
Yes |
No |
Further IPv6 implementation |
ASA 9.7.1 ASDM 7.7.1 |
No |
Plus |
Yes |
Yes |
Yes |
Certificate pinning |
No dependency |
Yes, in profile |
Plus, Apex, or VPN-only |
Yes |
Yes |
Yes |
Management VPN tunnel |
ASA 9.0 ASDM 7.10.1 |
No |
Apex |
Yes |
No |
No |
AnyConnect Deployment and Configuration
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Deferred upgrades |
ASA 9.0 ASDM 7.0 |
No |
Plus |
Yes |
Yes |
Yes |
Windows services lockdown |
ASA 8.0(4) ASDM 6.4(1) |
N/A |
Plus |
Yes |
No |
No |
Update policy, software, and profile lock |
ASA 8.0(4) ASDM 6.4(1) |
Yes, in profile |
Plus |
Yes |
Yes |
Yes |
Auto-update |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
Yes |
Web launch (32-bit browsers only) |
ASA 8.0(4) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
Yes |
Predeployment |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Auto-update client profiles |
ASA 8.0(4) ASDM 6.4(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
AnyConnect profile editor |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
Yes |
Yes |
Yes |
User-controllable features |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
Yes |
No |
Connect and Disconnect Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Simultaneous clientless & AnyConnect connections |
ASA8.0(4) ASDM 6.3(1) |
No |
Apex |
Yes |
Yes |
Yes |
Start before log on (SBL) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
No |
No |
Run script on connect and disconnect |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Minimize on connect |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Auto connect on start |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Auto reconnect (disconnect on system suspend, reconnect on system resume) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
No |
Remote user VPN establishment (permitted or denied) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
No |
No |
Log-in enforcement (terminate VPN session if another user logs in) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
No |
No |
Retain VPN session (when user logs off, and then when this or another user logs in) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
No |
No |
Trusted network detection (TND) |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
Yes |
Yes |
Always-on (VPN must be connected to access network) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
No |
Always-on exemption via DAP |
ASA 8.3(1) ASDM 6.3(1) |
No |
Plus |
Yes |
Yes |
No |
Connect failure policy (internet access allowed or disallowed if VPN connection fails) |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
No |
Captive portal detection |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus |
Yes |
Yes |
Yes |
Captive portal remediation |
ASA 8.0(4) ASDM 6.3(1) |
Yes, in profile |
Plus |
Yes |
Yes |
No |
Enhanced captive portal remediation |
No dependency |
Yes, in profile |
Plus |
Yes |
No |
No |
Authentication and Encryption Features
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Certificate-only authentication |
ASA 8.0(4) ASDM 6.3(1) |
No
No
|
Plus |
Yes |
Yes |
Yes |
RSA SecurID/SoftID integration |
Plus |
Yes |
No |
No |
||
Smartcard support |
Plus |
Yes |
Yes |
No |
||
SCEP (requires posture module if machine ID is used) |
Plus |
Yes |
Yes |
No |
||
List and select certificates |
Plus |
Yes |
No |
No |
||
FIPS |
Plus |
Yes |
Yes |
Yes |
||
SHA-2 for IPsec IKEv2 (digital signatures, integrity, & PRF) |
ASA 8.0(4) ASDM 6.4(1) |
|
Plus |
Yes |
Yes |
Yes |
Strong encryption (AES-256 & 3des-168) |
Plus |
Yes |
Yes |
Yes |
||
NSA suite-B (IPsec only) |
ASA 9.0 ASDM 7.0 |
No |
Apex |
Yes |
Yes |
Yes |
Enable CRL check |
n/a |
No |
Apex |
Yes |
No |
No |
SAML 2.0 SSO |
ASA 9.7.1 ASDM 7.7.1 |
Yes |
Apex or VPN only |
Yes |
Yes |
Yes |
Enhanced SAML 2.0 |
ASA 9.7.1.24 ASA 9.8.2.28 ASA 9.9.2.1 |
No |
Apex or VPN only |
Yes |
Yes |
Yes |
Multiple-certificate authentication |
ASA 9.7.1 ASDM 7.7.1 |
No |
Plus, Apex, or VPN only |
Yes |
Yes |
Yes |
Interfaces
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
GUI |
ASA 8.0(4) ASDM 6.3(1) |
Dashboard
Yes |
Plus |
Yes |
Yes |
Yes |
Command line |
Yes |
Yes |
Yes |
|||
API |
Yes |
Yes |
Yes |
|||
Microsoft component object module (COM) |
Yes |
No |
No |
|||
Localization of user messages |
Yes |
Yes |
No |
|||
Custom MSI transforms |
Yes |
No |
No |
|||
User defined resource files |
Yes |
Yes |
No |
|||
Client help |
ASA 9.0 ASDM 7.0 |
Yes |
Yes |
Yes |
Yes |
AnyConnect Network Access Manager
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Core |
ASA 8.4(1) ASDM 6.4(1) |
Yes |
Plus |
Yes |
No |
No |
Wired support IEEE 802.3 |
Yes |
|||||
Wireless support IEEE 802.11 |
Yes |
|||||
Pre-log on and single sign-on authentication |
Yes |
|||||
IEEE 802.1X |
Yes |
|||||
IEEE 802.1AE MACsec |
Yes |
|||||
EAP methods |
Yes |
|||||
FIPS 140-2 level 1 |
Yes |
|||||
Mobile broadband support |
ASA 8.4(1) ASDM 7.0 |
Yes |
Yes |
|||
IPv6 |
ASA 9.0 ASDM 7.0 |
No |
Yes |
|||
NGE and NSA suite-B |
Yes |
|||||
TLS 1.2 for VPN connectivity* |
n/a |
Yes |
|
Yes |
No |
No |
AnyConnect Secure Mobility Modules
HostScan and Posture Assessment
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Endpoint Assessment |
ASA 8.0(4) ASDM 6.3(1) |
No |
Apex |
Yes |
Yes |
Yes |
Endpoint Remediation |
Apex |
Yes |
Yes |
Yes |
||
Quarantine |
Apex |
Yes |
Yes |
Yes |
||
Quarantine status & terminate message |
ASA 8.3(1) ASDM 6.3(1) |
No |
Apex |
Yes |
Yes |
Yes |
HostScan package update |
ASA 8.4(1) ASDM 6.4(1) |
No |
Apex |
Yes |
Yes |
Yes |
Host emulation detection |
Apex |
Yes |
No |
No |
||
OPSWAT v4 |
ASA 9.9(1) ASDM 7.9(1) |
No |
Apex |
Yes |
Yes |
Yes |
ISE Posture
Feature |
Minimum AnyConnect Release |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Change of authorization (CoA) |
4.0 |
ASA 9.2.1 ASDM 7.2.1 |
No |
2.0 |
Plus |
Yes |
Yes |
Yes |
ISE posture profile editor |
4.0 |
ASA 9.2.1 ASDM 7.2.1 |
No |
n/a |
Apex |
Yes |
Yes |
Yes |
AC identity extensions (ACIDex) |
4.0 |
n/a |
No |
2.0 |
Plus |
Yes |
Yes |
Yes |
ISE posture module |
4.0 |
n/a |
No |
2.0 |
Apex |
Yes |
Yes |
No |
Detection of USB mass storage devices (v4 only) |
4.3 |
n/a |
No |
2.1 |
Apex |
Yes |
No |
No |
OPSWAT v4 |
4.3 |
n/a |
No |
2.1 |
Apex |
Yes |
Yes |
No |
Stealth agent for posture |
4.4 |
n/a |
No |
2.2 |
Apex |
Yes |
Yes |
No |
Continuous end-point monitoring |
4.4 |
n/a |
No |
2.2 |
Apex |
Yes |
Yes |
No |
Next-generation provisioning and discovery |
4.4 |
n/a |
No |
2.2 |
Apex |
Yes |
Yes |
No |
Application kill and uninstall capabilities |
4.4 |
n/a |
No |
2.2 |
Apex |
Yes |
Yes |
No |
Cisco temporal agent |
4.5 |
n/a |
No |
2.3 |
ISE Apex |
Yes |
Yes |
No |
Enhanced SCCM approach |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
Yes |
No |
No |
Posture policy enhancements for optional mode |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Periodic probe interval in profile editor |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Visibility into hardware inventory |
4.5 |
n/a |
No |
2.3 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Grace period for noncompliant devices |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Posture rescan |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
AnyConnect stealth mode notifications |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Disabling UAC prompt |
4.6 |
n/a |
No |
2.4 |
AC Apex and ISE Apex |
Yes |
No |
No |
Enhanced grace period |
4.7 |
n/a |
No |
2.6 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Custom notification controls and revamp of remediation windows |
4.7 |
n/a |
No |
2.6 |
AC Apex and ISE Apex |
Yes |
Yes |
No |
Web Security
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Core |
ASA 8.4(1) ASDM 6.4(1) |
No |
Plus |
Yes Yes |
Yes |
No |
Cloud-hosted configuration |
||||||
Secure trusted network detection |
ASA 8.4(1) ASDM 7.0 |
No |
||||
Dynamic configuration elements |
||||||
Fail close/fail open policy |
AMP Enabler
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
AMP enabler |
ASDM 7.4.2 ASA 9.4.1 |
No |
ISE 1.4 |
Plus |
Yes |
Yes |
No |
Network Visibility Module
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Network visibility module |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Adjustment to the rate at which data is sent |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Customization of NVM timer |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Broadcast and multicast option for data collection |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Creation of anonymization profiles |
ASDM 7.5.1 ASA 9.5.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Broader data collection and anonymization with hashing |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Support for Java as a container |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Configuration of cache to customize |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Periodic flow reporting |
ASDM 7.7.1 ASA 9.7.1 |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Flow filter |
n/a |
Yes, in special NVM profile. Must be deployed locally. |
no ISE dependency |
Apex |
Yes |
Yes |
Yes |
Stand-alone NVM |
n/a |
Yes, in special NVM profile. Must be deployed locally. |
n/a |
Apex |
Yes |
Yes |
Yes |
Umbrella Roaming Security Module
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
Minimum ISE Release |
License Required |
Windows |
Mac |
Linux |
Umbrella roaming security module |
ASDM 7.6.2 ASA 9.4.1 |
Yes, in special Umbrella profile. Must be deployed locally. |
ISE 2.0 |
Either Plus or Apex Umbrella licensing is mandatory |
Yes |
Yes |
No |
Umbrella secure web gateway |
n/a |
Yes, in special Umbrella profile. Must be deployed locally. |
n/a |
SIG Essential package from Umbrella |
Yes |
Yes |
No |
OpenDNS IPv6 support |
n/a |
No, IPv6 |
n/a |
n/a |
Yes |
Yes |
No |
Reporting and Troubleshooting Modules
Customer Experience Feedback
Feature |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
Customer experience feedback |
ASA 8.4(1) ASDM 7.0 |
Yes |
Plus |
Yes |
Yes |
No |
Diagnostic and Report Tool (DART)
Log Type |
Minimum ASA/ASDM Release |
Meraki MX |
License Required |
Windows |
Mac |
Linux |
VPN |
ASA 8.0(4) ASDM 6.3(1) |
Yes |
Plus Apex |
Yes |
Yes |
Yes |
Network access manager |
ASA 8.4(1) ASDM 6.4(1) |
Yes |
Yes |
No |
No |
|
Posture Assessment |
Yes |
Yes |
Yes |
|||
Web security |
Yes |
Yes |
No |