11-02-2010 09:30 AM - edited 03-11-2019 12:03 PM
We have an ASA 5505 with the Base license installed.
The ASA is at the Head Office and has 8 VPN's coming into it from various branch sites.
The local users at the head office use the ASA as the Default Gateway to get onto the internet however every now and then the internet will not work.....
I have narrowed it down to the following syslog error:
Number: 450001
Deny traffic for protocol 6 src inside:192.168.120.105/51689 dst outside:WEBSITEIP, licensed host limit of 10 exceeded
This pertains to the standard 10 user license which is determined by how many inside IP's there are in the Xlate table i believe....please correct me if i am wrong,as i am sure i am...?
Would someone be kind enough to try and help me confirm that all the licenses are in use by advising what commands to use etc.
The commands i know of are below and the output is attached.
'Show version' - Sows me that there are 10 licenses
'show xlate' - Shows the current translation table
'clear xlate' - Clears the translation table which should enable my one test PC through as long as i am quick enough!
I have included the config on the ASA with anything in Italic items that i have removed to keep the informatio private (IP's etc)
Is there any way that i can make sure one particular IP is allowed through everytime?
Is there any command that will tell me what IP addresses are using a license or how many licenses are in use out of the 10?
Thanks in advance for anyone who tried to assist.
Cheers
Jon
11-02-2010 09:39 AM
Hi,
You have the ASA 5505 accepting up to 10 VPN peers and with a Base License which means allows up to 10-user Firewall connections through the ASA at the same time.
To check the amount of inside hosts going through the ASA at any given moment use the command ''sh local-host'
You can think of the 10-user connections as 10 local-hosts connections.
Each local-host connection is a combination of IP and TCP/UDP or L4 information for each host.
You can increase the 10-user license by adding either a 50-user license or unlimited user license.
Hope it helps.
Federico.
11-02-2010 09:46 AM
Thanks Federico, ill try that the next time it plays up and see how many local hosts there are....
Thanks
Jon
11-04-2010 03:18 AM
The problem outlined above is definetly the 10 user license. The problem has occurred this morning and the Show Local-Host confirms the 10 license has been hit.
However.... i have been trying to interpret the output of the Sh local-host command so i can see what connections/IP's are using a license? could anyone assist in this and may point me in the right direction?
I have attached the output with the publi ip's replaced with the word and would just like to know which 10 connections are using a license?
Again, any help would be much apreciated
Regards
Jon
11-04-2010 08:03 AM
You can think of a local-host as a combination of layer 3 and layer 4 information where the ASA keeps track of source/destination IP, source/destination ports and protocol used to identify a flow.
In the output you have translations and connections.
Translations are represented in the ASA by XLATEs (layer 3 information)
Connections are represented in the ASA by CONNs (layer 4 information)
Translations represent IP NAT
Connections represent TCP/UDP information.
You can have many connections in a single XLATE, but you cannot have connections without translations (if using NAT).
Federico.
07-30-2015 03:39 AM
can anyone tell me how can I increase the license from 10 user to 50 users?
which service sku/Product SKU to be used?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide