
ASA 5505 licence issue

Hi,

I'm currently facing a problem with an ASA5505 and it's driving me nuts!!!

I think I've set it up from factory defaults...

From the CLI, I can ping the outside interface, the GW and an outside IP (e.g. 8.8.8.8).

So I believe that there's no connectivity issue and the configuration is correct.

However, for a reason that I don't know, users can't access web pages.

The product license allows me to have 50 hosts connected. Currently I've only got one host connected...

When I enable syslog, I can see the following messages :

Deny traffic for protocol 17 src inside: 192.168.1.20/64429 dot ouside:8.8.4.4/53, licensed host limit of 0 exceeded.

Where can this limitation come from??

Do you have any idea??

16 Replies

sh ver

Cisco Adaptive Security Appliance Software Version 8.4(6)

Device Manager Version 7.1(2)102

Compiled on Fri 26-Apr-13 09:00 by builders

System image file is "disk0:/asa846-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 15 mins 12 secs

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is c84c.75e3.d013, irq 11

1: Ext: Ethernet0/0         : address is c84c.75e3.d00b, irq 255

2: Ext: Ethernet0/1         : address is c84c.75e3.d00c, irq 255

3: Ext: Ethernet0/2         : address is c84c.75e3.d00d, irq 255

4: Ext: Ethernet0/3         : address is c84c.75e3.d00e, irq 255

5: Ext: Ethernet0/4         : address is c84c.75e3.d00f, irq 255

6: Ext: Ethernet0/5         : address is c84c.75e3.d010, irq 255

7: Ext: Ethernet0/6         : address is c84c.75e3.d011, irq 255

8: Ext: Ethernet0/7         : address is c84c.75e3.d012, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces       : 8              perpetual

VLANs                             : 3              DMZ Restricted

Dual ISPs                         : Disabled       perpetual

VLAN Trunk Ports                  : 0              perpetual

Inside Hosts                      : 50             perpetual

Failover                          : Disabled       perpetual

VPN-DES                           : Enabled        perpetual

VPN-3DES-AES                      : Enabled        perpetual

AnyConnect Premium Peers          : 2              perpetual

AnyConnect Essentials             : Disabled       perpetual

Other VPN Peers                   : 10             perpetual

Total VPN Peers                   : 12             perpetual

Shared License                    : Disabled       perpetual

AnyConnect for Mobile             : Disabled       perpetual

AnyConnect for Cisco VPN Phone    : Disabled       perpetual

Advanced Endpoint Assessment      : Disabled       perpetual

UC Phone Proxy Sessions           : 2              perpetual

Total UC Proxy Sessions           : 2              perpetual

Botnet Traffic Filter             : Disabled       perpetual

Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1425421C

Running Permanent Activation Key: 0x7335c65a 0x3ce19aca 0x60734d74 0x94885c3c 0x83122f90

Configuration register is 0x1

Configuration last modified by cisco at 08:55:49.299 UTC Sat May 4 2013

debug:

6|May 04 2013|09:00:29|725007|192.168.10.20|49370|||SSL session with client inside:192.168.10.20/49370 terminated.

6|May 04 2013|09:00:29|106015|192.168.10.20|49370|192.168.10.1|443|Deny TCP (no connection) from 192.168.10.20/49370 to 192.168.10.1/443 flags FIN ACK  on interface inside

6|May 04 2013|09:00:29|302014|192.168.10.20|49370|192.168.10.1|443|Teardown TCP connection 268 for inside:192.168.10.20/49370 to identity:192.168.10.1/443 duration 0:00:00 bytes 726 TCP Reset-O

6|May 04 2013|09:00:29|605005|192.168.10.20|49370|192.168.10.1|https|Login permitted from 192.168.10.20/49370 to inside:192.168.10.1/https for user "cisco"

6|May 04 2013|09:00:29|725002|192.168.10.20|49370|||Device completed SSL handshake with client inside:192.168.10.20/49370

6|May 04 2013|09:00:29|725001|192.168.10.20|49370|||Starting SSL handshake with client inside:192.168.10.20/49370 for TLSv1 session.

6|May 04 2013|09:00:29|302013|192.168.10.20|49370|192.168.10.1|443|Built inbound TCP connection 268 for inside:192.168.10.20/49370 (192.168.10.20/49370) to identity:192.168.10.1/443 (192.168.10.1/443)

6|May 04 2013|09:00:27|305012|192.168.10.20|55115|192.168.1.66|55115|Teardown dynamic UDP translation from inside:192.168.10.20/55115 to outside:192.168.1.66/55115 duration 0:00:38

6|May 04 2013|09:00:27|305012|192.168.10.20|55558|192.168.1.66|55558|Teardown dynamic UDP translation from inside:192.168.10.20/55558 to outside:192.168.1.66/55558 duration 0:00:38

4|May 04 2013|09:00:25|450001|192.168.10.20|55726|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/55726 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.

6|May 04 2013|09:00:25|305011|192.168.10.20|55726|192.168.1.66|55726|Built dynamic UDP translation from inside:192.168.10.20/55726 to outside:192.168.1.66/55726

6|May 04 2013|09:00:23|305012|192.168.10.20|51189|192.168.1.66|51189|Teardown dynamic UDP translation from inside:192.168.10.20/51189 to outside:192.168.1.66/51189 duration 0:00:38

6|May 04 2013|09:00:16|302016|0.0.0.0|68|255.255.255.255|67|Teardown UDP connection 222 for outside:0.0.0.0/68 to identity:255.255.255.255/67 duration 0:02:34 bytes 2700

6|May 04 2013|09:00:14|302016|192.168.1.1|67|255.255.255.255|68|Teardown UDP connection 223 for outside:192.168.1.1/67 to identity:255.255.255.255/68 duration 0:02:32 bytes 1096

4|May 04 2013|09:00:13|450001|192.168.10.20|54981|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/54981 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.

6|May 04 2013|09:00:13|302015|192.168.10.1|67|192.168.10.20|68|Built outbound UDP connection 262 for inside:192.168.10.20/68 (192.168.10.20/68) to identity:192.168.10.1/67 (192.168.10.1/67)

6|May 04 2013|09:00:13|302015|192.168.10.20|68|255.255.255.255|67|Built inbound UDP connection 261 for inside:192.168.10.20/68 (192.168.10.20/68) to identity:255.255.255.255/67 (255.255.255.255/67)

6|May 04 2013|09:00:05|305011|192.168.10.20|54981|192.168.1.66|54981|Built dynamic UDP translation from inside:192.168.10.20/54981 to outside:192.168.1.66/54981

4|May 04 2013|09:00:01|450001|192.168.10.20|51344|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/51344 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.

6|May 04 2013|09:00:01|305011|192.168.10.20|51344|192.168.1.66|51344|Built dynamic UDP translation from inside:192.168.10.20/51344 to outside:192.168.1.66/51344

6|May 04 2013|08:59:59|606003|192.168.10.20||||ASDM logging session number 0 from 192.168.10.20 started

6|May 04 2013|08:59:59|605005|192.168.10.20|49369|192.168.10.1|https|Login permitted from 192.168.10.20/49369 to inside:192.168.10.1/https for user "cisco"

6|May 04 2013|08:59:59|725002|192.168.10.20|49369|||Device completed SSL handshake with client inside:192.168.10.20/49369

6|May 04 2013|08:59:59|725001|192.168.10.20|49369|||Starting SSL handshake with client inside:192.168.10.20/49369 for TLSv1 session.

6|May 04 2013|08:59:59|302013|192.168.10.20|49369|192.168.10.1|443|Built inbound TCP connection 251 for inside:192.168.10.20/49369 (192.168.10.20/49369) to identity:192.168.10.1/443 (192.168.10.1/443)

6|May 04 2013|08:59:59|725007|192.168.10.20|49368|||SSL session with client inside:192.168.10.20/49368 terminated.

6|May 04 2013|08:59:59|106015|192.168.10.20|49368|192.168.10.1|443|Deny TCP (no connection) from 192.168.10.20/49368 to 192.168.10.1/443 flags FIN ACK  on interface inside

6|May 04 2013|08:59:59|302014|192.168.10.20|49368|192.168.10.1|443|Teardown TCP connection 250 for inside:192.168.10.20/49368 to identity:192.168.10.1/443 duration 0:00:00 bytes 699 TCP Reset-O

5|May 04 2013|08:59:59|111010|||||User 'cisco', running 'N/A' from IP 192.168.10.20, executed 'logging enable'

5|May 04 2013|08:59:59|111008|||||User 'cisco' executed the 'logging enable' command.

||||||||-- Syslog Connection Started --
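
Added example, not part of the original thread and not Cisco tooling: a small triage script that compares the "Inside Hosts" value in the license table with the limit quoted in syslog 450001 denies. The sample input is excerpted from the output posted above; the field order in the comment is inferred from those log lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines excerpted from the thread's "sh ver" and ASDM log output.
SHOW_VERSION = """\
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
"""
ASDM_LOG = """\
4|May 04 2013|09:00:25|450001|192.168.10.20|55726|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/55726 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.
6|May 04 2013|09:00:25|305011|192.168.10.20|55726|192.168.1.66|55726|Built dynamic UDP translation from inside:192.168.10.20/55726 to outside:192.168.1.66/55726
4|May 04 2013|09:00:13|450001|192.168.10.20|54981|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/54981 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.
4|May 04 2013|09:00:01|450001|192.168.10.20|51344|192.168.1.1|53|Deny traffic for protocol 17 src inside:192.168.10.20/51344 dst outside:192.168.1.1/53, licensed host limit of 0 exceeded.
||||||||-- Syslog Connection Started --
"""

LIMIT_RE = re.compile(r"licensed host limit of (\d+) exceeded")

def licensed_inside_hosts(show_version):
    """Return the 'Inside Hosts' value from the license table (int, or the raw word)."""
    m = re.search(r"^\s*Inside Hosts\s*:\s*(\S+)", show_version, re.MULTILINE)
    if m is None:
        return None
    return int(m.group(1)) if m.group(1).isdigit() else m.group(1)

def host_limit_denies(asdm_log):
    """Count syslog 450001 denies per source IP and collect the limits they quote."""
    per_host, limits = Counter(), set()
    for line in asdm_log.splitlines():
        # Inferred order: severity|date|time|syslog id|src ip|src port|dst ip|dst port|text
        fields = line.split("|", 8)
        if len(fields) != 9 or fields[3] != "450001":
            continue
        m = LIMIT_RE.search(fields[8])
        if m:
            per_host[fields[4]] += 1
            limits.add(int(m.group(1)))
    return per_host, limits

def license_report(show_version, asdm_log):
    """Flag the case where denies quote a lower limit than the license table shows."""
    licensed = licensed_inside_hosts(show_version)
    per_host, limits = host_limit_denies(asdm_log)
    mismatch = isinstance(licensed, int) and any(l < licensed for l in limits)
    return {"licensed": licensed, "enforced": sorted(limits),
            "denied_hosts": dict(per_host), "mismatch": mismatch}

if __name__ == "__main__":
    print(license_report(SHOW_VERSION, ASDM_LOG))
```

On the thread's data this reports a licensed value of 50 against an enforced limit of 0, with every deny coming from the single inside host.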
