03-18-2020 06:03 PM - edited 03-18-2020 06:04 PM
Hello Cisco Community!!
I have an ASA5512 running 9.1(2) firmware with the 4.x AnyConnect software package and 250 remote access VPN licenses installed, but only 6 users can connect at a time. There seems to be no VPN session limit set in the group-policy, so I'm not sure what the root cause could be. We have 6 users connected and the 7th is unable to, regardless of device or AnyConnect version. When 1 of the 6 existing users disconnects, the 7th user is then able to connect (making it the 6th user). Any insight would be greatly appreciated!
03-19-2020 08:14 AM
look if you have this command configured:
asa# show run vpn-sessiondb
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 6
If yes, just remove it.
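The check in the reply above can be scripted so it is not missed when reviewing a long running-config. The following Python script is an added example, not code from this thread or from Cisco. It parses `show run vpn-sessiondb` and `show vpn-sessiondb license-summary` output (the sample text is copied from the outputs pasted later in this thread, plus a constructed variant with the limit set to 6) and reports the smallest value that bounds concurrent AnyConnect sessions: the configured `max-anyconnect-premium-or-essentials-limit` and the Installed/Limit counts of whichever AnyConnect license (Premium or Essentials) is ENABLED. It goes beyond the reply by also covering the case where only the Premium license is enabled. The colon-separated column layout is assumed from the pasted output.

```python
import re

# Constructed sample inputs. The first and third are copied from the outputs
# pasted later in this thread; the second is a constructed variant with the
# limit set to 6, as the reply above describes.
RUN_VPN_SESSIONDB = """\
HNC# show run vpn-sessiondb
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 250
"""

RUN_VPN_SESSIONDB_CAPPED = """\
asa# show run vpn-sessiondb
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 6
"""

LICENSE_SUMMARY = """\
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : DISABLED : 250 : 2 : 250
AnyConnect Essentials : ENABLED : 250 : 250 : 250
Other VPN (Available by Default) : ENABLED : 250 : 250 : 250
Shared License Server : DISABLED
"""

# Config lines look like "vpn-sessiondb max-<name>-limit <n>"; prompt lines do not match.
LIMIT_RE = re.compile(r"^vpn-sessiondb\s+(max-[\w-]+)\s+(\d+)\s*$", re.M)


def parse_session_limits(text):
    """Map each configured 'vpn-sessiondb max-...' keyword to its integer value."""
    return {m.group(1): int(m.group(2)) for m in LIMIT_RE.finditer(text)}


def parse_license_summary(text):
    """Map license name -> {status, capacity, installed, limit} for rows carrying
    all four columns; status-only rows (e.g. Shared License Server) are skipped."""
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 5:
            continue
        name, status, capacity, installed, limit = parts
        if not (capacity.isdigit() and installed.isdigit() and limit.isdigit()):
            continue
        rows[name] = {
            "status": status,
            "capacity": int(capacity),
            "installed": int(installed),
            "limit": int(limit),
        }
    return rows


def anyconnect_cap(limits, licenses):
    """Return (cap, reasons): the smallest value bounding concurrent AnyConnect
    sessions and the labels of every candidate equal to that minimum.
    Candidates are the configured vpn-sessiondb limit and the Installed/Limit
    counts of whichever AnyConnect license (Premium or Essentials) is ENABLED."""
    candidates = []
    configured = limits.get("max-anyconnect-premium-or-essentials-limit")
    if configured is not None:
        candidates.append(("configured max-anyconnect-premium-or-essentials-limit", configured))
    for name in ("AnyConnect Premium", "AnyConnect Essentials"):
        row = licenses.get(name)
        if row and row["status"] == "ENABLED":
            candidates.append((f"{name} installed", row["installed"]))
            candidates.append((f"{name} limit", row["limit"]))
    if not candidates:
        return None, []
    cap = min(value for _, value in candidates)
    reasons = [label for label, value in candidates if value == cap]
    return cap, reasons


if __name__ == "__main__":
    licenses = parse_license_summary(LICENSE_SUMMARY)
    for label, cfg in (("as posted", RUN_VPN_SESSIONDB), ("capped at 6", RUN_VPN_SESSIONDB_CAPPED)):
        cap, reasons = anyconnect_cap(parse_session_limits(cfg), licenses)
        print(f"{label}: effective AnyConnect cap = {cap} ({', '.join(reasons)})")
```

Run it against the two pasted outputs first; if the reported cap is already 250 (as it is for the configuration posted in this thread), the session-database limit and the license counts are not what is capping the sessions, and the DART bundle requested further down is the next place to look.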
03-19-2020 01:46 PM
Hello! Thank you for the reply! The setting was set to INHERIT on the group policy; we've since hard-set it to 250, and still only 6 users can connect. When attempting to do debugs on AnyConnect, I see none; attempting to do captures on the outside interface for my public IP coming in, I still see nothing. But when one of the 6 users disconnects, 1 user is then able to connect no problem, bringing the total to 6 users again. So strange. Below are some outputs I've gathered; hopefully they're helpful!!
!
!
HNC# show vpn-sessiondb summary
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 6 : 511 : 8 : 0
SSL/TLS/DTLS : 6 : 511 : 8 : 0
Clientless VPN : 0 : 12 : 3
Browser : 0 : 12 : 3
Site-to-Site VPN : 1 : 2694 : 2
IKEv1 IPsec : 1 : 2694 : 2
---------------------------------------------------------------------------
Total Active and Inactive : 7 Total Cumulative : 3217
Device Total VPN Capacity : 250
Device Load : 3%
---------------------------------------------------------------------------
!
!
!
!
!
HNC# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : DISABLED : 250 : 2 : 250
AnyConnect Essentials : ENABLED : 250 : 250 : 250
Other VPN (Available by Default) : ENABLED : 250 : 250 : 250
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : DISABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
: All In Use : Peak In Use : Eff. Limit : Usage
---------------------------------
AnyConnect Essentials : : 6 : 8 : 250 : 2%
Anyconnect Client : : 6 : 8 : 250 : 2%
Clientless VPN : : 0 : 3 : 250 : 0%
Other VPN : : 1 : 2 : 250 : 0%
L2TP Clients
Site-to-Site VPN : : 1 : 2 : 250 : 0%
---------------------------------------------------------------------------
HNC#
!
!
!
HNC# show version
Cisco Adaptive Security Appliance Software Version 9.12(1)
Firepower Extensible Operating System Version 2.6(1.113)
Device Manager Version 7.12(1)
Compiled on Wed 13-Mar-19 13:53 PDT by builders
System image file is "disk0:/asa9-12-1-smp-k8.bin"
Config file at boot was "startup-config"
HNC up 148 days 7 hours
Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2800 MHz, 1 CPU (2 cores)
ASA: 1666 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 4096MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is 6412.25e4.00a0, irq 11
1: Ext: GigabitEthernet0/0 : address is 6412.25e4.00a4, irq 10
2: Ext: GigabitEthernet0/1 : address is 6412.25e4.00a1, irq 10
3: Ext: GigabitEthernet0/2 : address is 6412.25e4.00a5, irq 5
4: Ext: GigabitEthernet0/3 : address is 6412.25e4.00a2, irq 5
5: Ext: GigabitEthernet0/4 : address is 6412.25e4.00a6, irq 10
6: Ext: GigabitEthernet0/5 : address is 6412.25e4.00a3, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 6412.25e4.00a0, irq 0
11: Int: Internal-Data0/3 : address is 0000.0100.0001, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: FCH1812JMKU
Configuration register is 0x1
Image type : Release
Key version : A
Configuration last modified by enable_15 at 14:27:42.655 EDT Wed Mar 18 2020
HNC#
!
!
!
HNC# show run webvpn
webvpn
enable OUTSIDE
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 4
anyconnect profiles AnyConnectPCF disk0:/anyconnectpcf.xml
anyconnect profiles MacVPN_client_profile disk0:/MacVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
HNC#
!
!
!
!
HNC# show run vpn-sessiondb
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 250
HNC#
!
!
!
webvpn
enable OUTSIDE
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 4
anyconnect profiles AnyConnectPCF disk0:/anyconnectpcf.xml
anyconnect profiles MacVPN_client_profile disk0:/MacVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_MacVPN internal
group-policy GroupPolicy_MacVPN attributes
wins-server none
dns-server value 192.168.16.10
vpn-tunnel-protocol ikev2 ssl-client
default-domain value hnc.local
webvpn
anyconnect profiles value MacVPN_client_profile type user
group-policy Anyconnect internal
group-policy Anyconnect attributes
wins-server none
dns-server value 192.168.16.10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MainNetwork
default-domain value hnc.local
webvpn
anyconnect profiles value AnyConnectPCF type user
dynamic-access-policy-record No_Access
action terminate
dynamic-access-policy-record DfltAccessPolicy
username focus password ***** pbkdf2 privilege 15
username cisco password ***** encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool POOL
authentication-server-group LDAP
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
tunnel-group MacVPN type remote-access
tunnel-group MacVPN general-attributes
address-pool POOL
authentication-server-group LDAP
default-group-policy GroupPolicy_MacVPN
tunnel-group MacVPN webvpn-attributes
group-alias MacVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0ed8f5b1956b59dd39308849dd6b8262
: end
03-19-2020 03:47 PM
Hi,
Can you post the DART logs from AnyConnect?
Regards,
Cristian Matei.
03-20-2020 06:18 AM - edited 03-20-2020 08:36 AM
I'll have to figure out how to retrieve the DART logs
03-20-2020 08:33 AM
Here are the steps to gather the DART logs. They will be helpful in determining the issue. The bundle will contain a lot of information you may not want posted to the entire community, so I would suggest opening a TAC case with this information if this is not in a lab.
https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025
Thanks,
Matt