ASA 5505 - Site to Site VPN - Concurrent Connections limitation

Hi Team,

Quick question, I am establishing a site-to-site VPN between a Cloud Provider and one of our customers.

Our customer is using Cisco ASA 5505.

We are supposed to have reachability to 11 devices, but it appears to be random that we can connect to only 7 of them.

Even after a reset, we connected to 7 again, even when some of them were different from the previous 7.

Is there any capacity, configuration or licensing issue that could be limiting the number of concurrent connections allowed on the tunnel?

Regards, Emilio

2 REPLIES

Re: ASA 5505 - Site to Site VPN - Concurrent Connections limitation

Emilio,

I would suggest you open a tech support case.

Regards,

Leon


Re: ASA 5505 - Site to Site VPN - Concurrent Connections limitation

Emilio,

I'm not sure if you have figured this out yet, but ASA 5505s had a connection limitation license (called the "inside hosts limit"), as well as some other interesting licenses (restricted DMZ is the other one that impacts people a lot).

The "inside hosts" limit is set to 10 or unlimited based on the license the ASA was purchased with. I believe the license that set this to unlimited (as well as removed the restricted DMZ) was the "security plus" license, but I'm not 100% sure, as the 5505s are end of sale now so I don't have to worry about their licensing any more.

I'm assuming your ASA 5505 was licensed for 10 "inside hosts" as seen below. So the question is why can you only get to 7 devices instead of 10? Well the answer is you probably have multiple TCP connections going to a couple of those devices or something else taking up the other 3 connections. The ASA doesn't really count up "inside hosts" to enforce this license limit. It just limits the connection table from holding more than 10 entries to enforce it. You could check the entries in the connection table with a "show conn" to see what the actual connections are that are using up your 10. Once you fill up the table with its 10 entries every new connection is dropped.

This licensing was pretty unpopular and Cisco scrapped it for the 5506-X that replaced the 5505...thankfully! To check if you have this license limitation use the "show ver" command and look for the "inside hosts" license as seen below. If it shows 10 (like it does below) instead of "unlimited" or "unrestricted" that is your problem:

[Screenshot.png: output of "show ver" with the "inside hosts" license line]

As far as limitations to how many connections are allowed over an IPsec VPN, I have never seen that in an ASA. I suppose you could do something custom with a policy map to inflict that pain, but nothing normal would do it. It is much more likely that you are hitting a total connection limit from this license issue.

Thanks!

Mark
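To make the check Mark describes concrete, here is an added example (not part of the thread or of any Cisco tooling) that parses captured "show conn" and "show ver" output to count connection-table entries per inside host and compare the total against the "inside hosts" license value. The sample output is constructed, and the row layouts the regexes assume are stated in the comments.

```python
import re
from collections import Counter

# Constructed sample output, not taken from the thread. Assumed layouts: "show conn"
# rows as "<proto> <ifc> <ip>:<port> <ifc> <ip>:<port>, ..." and a "show version"
# license line of the form "Inside Hosts : N" (both as on ASA 8.x/9.x releases).
SHOW_CONN = """\
TCP outside 203.0.113.50:443 inside 192.168.1.11:51020, idle 0:00:03, bytes 8120, flags UIO
TCP outside 203.0.113.50:443 inside 192.168.1.11:51021, idle 0:00:01, bytes 2200, flags UIO
TCP outside 203.0.113.50:22 inside 192.168.1.12:40001, idle 0:01:10, bytes 910, flags UIO
TCP outside 203.0.113.50:22 inside 192.168.1.12:40002, idle 0:00:40, bytes 640, flags UIO
UDP outside 203.0.113.50:161 inside 192.168.1.13:50100, idle 0:00:09, bytes 300, flags -
TCP outside 203.0.113.50:443 inside 192.168.1.14:51300, idle 0:00:02, bytes 5000, flags UIO
TCP outside 203.0.113.50:443 inside 192.168.1.15:51400, idle 0:00:02, bytes 5000, flags UIO
TCP outside 203.0.113.50:443 inside 192.168.1.16:51500, idle 0:00:02, bytes 5000, flags UIO
TCP outside 203.0.113.50:443 inside 192.168.1.17:51600, idle 0:00:02, bytes 5000, flags UIO
TCP outside 203.0.113.50:443 inside 192.168.1.17:51601, idle 0:00:02, bytes 5000, flags UIO
"""
SHOW_VER = "Licensed features for this platform:\nInside Hosts   : 10   perpetual\n"

CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+([\d.]+):\d+\s+(\S+)\s+([\d.]+):\d+")
LIMIT_RE = re.compile(r"Inside Hosts\s*:\s*(\d+|Unlimited)", re.IGNORECASE)

def inside_hosts_limit(show_ver):
    # Returns an int, "unlimited", or None when no Inside Hosts license line is present.
    m = LIMIT_RE.search(show_ver)
    return None if not m else (int(m.group(1)) if m.group(1).isdigit() else "unlimited")

def connections_per_inside_host(show_conn, inside_ifc="inside"):
    # Count table entries per host on the named inside interface, whichever side is printed first.
    per_host = Counter()
    for line in show_conn.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # header or unrecognised row
        _, ifc_a, ip_a, ifc_b, ip_b = m.groups()
        if ifc_a == inside_ifc:
            per_host[ip_a] += 1
        elif ifc_b == inside_ifc:
            per_host[ip_b] += 1
    return per_host

def license_report(show_conn, show_ver):
    # The limit caps table entries, not hosts: hosts holding several connections are what use up the slots.
    per_host = connections_per_inside_host(show_conn)
    total, limit = sum(per_host.values()), inside_hosts_limit(show_ver)
    return {"limit": limit, "total_conns": total, "distinct_hosts": len(per_host),
            "multi_conn_hosts": {h: n for h, n in per_host.items() if n > 1},
            "at_cap": isinstance(limit, int) and total >= limit}
```

On the constructed sample, 7 distinct hosts fill all 10 licensed entries because three of them hold two connections each, which is the pattern Mark suggests looking for in the real "show conn" output.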
