CISCO ASA 5505 Exhausted License & Windows 10 Update ????

Hi

I have an issue where I get complaints that the Cisco ASA 5505s we have deployed around the country "close ports" randomly. We have been trying to nail this down for a while, working from the not very precise error descriptions reported to us. We believe it is related to exhaustion of licenses. Most of our customers' firewalls have a 50-host license, and that should be plenty since they typically have around 5-10 devices connected.

Today we had a spike in our central logging where multiple devices reported "licensed host limit of 50 exceeded" at the same time; otherwise there is just the odd one.

What I am wondering is if it can have anything to do with Windows 10 updates. There was a new update available on the 12th of April (https://support.microsoft.com/en-us/help/4015217). I suspect that the "Windows 10 Peer-to-Peer Update" doesn't really play nicely with the licensing in the Cisco.

Does anyone else recognize the issue? Anyone with some clever insight as to whether this can be the case? Any pointers on how to verify it if so.

/Mikael

3 Replies

Philip D'Ath
VIP Alumni

The Windows update won't have anything to do with it. The licences are counted based on the number of MAC addresses on the inside of the firewall.

Try to upgrade some hardware ...

Hi

Thanks for the reply.

That is my understanding too, but I don't get the numbers to add up. It might be that I'm a bit daft, but there must be something that I'm missing.

Pulled the below from one of the ASAs we have deployed. It's a typical set of hosts inside, i.e. IPs 10.30.34.X. All external IPs are substituted with 8.8.8.0/24 addresses to mask the true IPs (in case they would be sensitive in the eyes of the customer, for some reason).

So given the below - what is consuming the 20 licenses?

And is there a simple command to find out? I thought that "show local-host all | include to outside" would show the ones using licenses, but it doesn't seem to.

clear xlate
-------------------------------------------------------------------------
Result of the command: "clear xlate"

The command has been sent to the device

sh local-host connection | inc licensed
-------------------------------------------------------------------------
Result of the command: "sh local-host connection | inc licensed"

Current host count: 20, towards licensed host limit of: 50


sh arp
-------------------------------------------------------------------------
Result of the command: "sh arp"

inside 10.30.34.1 5065.f34a.ffd1 1
inside 10.30.34.11 300e.d54c.1ce4 45
inside 10.30.34.37 0040.8cf4.46ed 93
inside 10.30.34.62 a0f3.c13f.9318 4187
inside 10.30.34.21 0008.192c.0ec3 7937
inside 10.30.34.61 a0f3.c13f.932d 8027
outside 8.8.8.19 00c1.6431.f5fc 6497


show local-host all | include to outside
-------------------------------------------------------------------------
Result of the command: "show local-host all | include to outside"

The command has been sent to the device


sh local-host all
-------------------------------------------------------------------------
Result of the command: "sh local-host all"

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 20, towards licensed host limit of: 50

Interface outside: 18 active, 275 maximum active, 0 denied
local host: <8.8.8.0>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Conn:
UDP outside 8.8.8.0:123 NP Identity Ifc 8.8.8.2:65535, idle 0:00:13, bytes 1630224, flags -
local host: <8.8.8.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.1:3129 inside 10.30.34.37:56091, idle 0:00:04, bytes 9706, flags UIO
local host: <8.8.8.3>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.3:443 inside 10.30.34.1:52110, idle 0:00:01, bytes 29543, flags UIO
local host: <8.8.8.4>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.4:993 inside 10.30.34.1:52121, idle 0:00:23, bytes 6788, flags UIO
local host: <8.8.8.5>,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.5:443 inside 10.30.34.1:52116, idle 0:00:23, bytes 16943, flags UIO
TCP outside 8.8.8.5:443 inside 10.30.34.1:52115, idle 0:01:07, bytes 10798, flags UIO
local host: <8.8.8.6>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.6:80 inside 10.30.34.1:52123, idle 0:00:24, bytes 1168, flags UIO
local host: <8.8.8.7>,
TCP flow count/limit = 3/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.7:52416 NP Identity Ifc 8.8.8.2:443, idle 0:00:00, bytes 138, flags UOB
TCP outside 8.8.8.7:52363 NP Identity Ifc 8.8.8.2:443, idle 0:00:02, bytes 485768, flags UOB
TCP outside 8.8.8.7:52360 NP Identity Ifc 8.8.8.2:443, idle 0:00:00, bytes 1094734, flags UOB
local host: <8.8.8.8>,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.8:443 inside 10.30.34.11:49316, idle 0:00:21, bytes 17641, flags UIO
TCP outside 8.8.8.8:443 inside 10.30.34.11:49315, idle 0:00:00, bytes 3435375, flags UIO
local host: <8.8.8.9>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.9:80 inside 10.30.34.1:52122, idle 0:00:04, bytes 1546, flags UFRIO
local host: <8.8.8.10>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.10:443 inside 10.30.34.11:49313, idle 0:00:07, bytes 24990, flags UIO
local host: <8.8.8.11>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Conn:
UDP outside 8.8.8.11:514 NP Identity Ifc 8.8.8.2:514, idle 0:00:00, bytes 930501881, flags -
local host: <8.8.8.12>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Conn:
UDP outside 8.8.8.12:3544 inside 10.30.34.1:58860, idle 0:00:06, bytes 3134, flags -
local host: <8.8.8.13>,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.13:80 inside 10.30.34.11:49366, idle 0:00:04, bytes 33040, flags UIO
TCP outside 8.8.8.13:80 inside 10.30.34.11:49365, idle 0:00:04, bytes 21431, flags UIO
local host: <8.8.8.14>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Conn:
UDP outside 8.8.8.14:67 NP Identity Ifc 8.8.8.2:68, idle 0:01:45, bytes 548, flags -
local host: <8.8.8.15>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.15:443 inside 10.30.34.1:52111, idle 0:00:29, bytes 6369, flags UIO
local host: <8.8.8.16>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.16:443 inside 10.30.34.11:49413, idle 0:00:23, bytes 4413, flags UIO
local host: <8.8.8.17>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP outside 8.8.8.17:443 inside 10.30.34.1:52112, idle 0:00:29, bytes 6369, flags UIO
local host: <8.8.8.18>,
TCP flow count/limit = 0/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Conn:
UDP outside 8.8.8.18:500 NP Identity Ifc 8.8.8.2:500, idle 0:01:18, bytes 44104, flags -
Interface inside: 3 active, 5 maximum active, 0 denied
local host: <10.30.34.1>,
TCP flow count/limit = 8/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 1/unlimited

Xlate:
PAT Global 8.8.8.2(39147) Local 10.30.34.1(52123)
PAT Global 8.8.8.2(57942) Local 10.30.34.1(61243)
PAT Global 8.8.8.2(33825) Local 10.30.34.1(52122)
PAT Global 8.8.8.2(43803) Local 10.30.34.1(52086)
PAT Global 8.8.8.2(59235) Local 10.30.34.1(52121)
PAT Global 8.8.8.2(25833) Local 10.30.34.1(50679)
PAT Global 8.8.8.2(48146) Local 10.30.34.1(57085)
PAT Global 8.8.8.2(40262) Local 10.30.34.1(52116)
PAT Global 8.8.8.2(10295) Local 10.30.34.1(52115)
PAT Global 8.8.8.2(24614) Local 10.30.34.1(52112)
PAT Global 8.8.8.2(14089) Local 10.30.34.1(52111)
PAT Global 8.8.8.2(54162) Local 10.30.34.1(52110)
PAT Global 8.8.8.2(29322) Local 10.30.34.1(58860)

Conn:
TCP outside 8.8.8.6:80 inside 10.30.34.1:52123, idle 0:00:24, bytes 1168, flags UIO
TCP outside 8.8.8.9:80 inside 10.30.34.1:52122, idle 0:00:04, bytes 1546, flags UFRIO
TCP outside 8.8.8.4:993 inside 10.30.34.1:52121, idle 0:00:23, bytes 6788, flags UIO
TCP outside 8.8.8.5:443 inside 10.30.34.1:52116, idle 0:00:23, bytes 16943, flags UIO
TCP outside 8.8.8.5:443 inside 10.30.34.1:52115, idle 0:01:07, bytes 10798, flags UIO
TCP outside 8.8.8.17:443 inside 10.30.34.1:52112, idle 0:00:29, bytes 6369, flags UIO
TCP outside 8.8.8.15:443 inside 10.30.34.1:52111, idle 0:00:29, bytes 6369, flags UIO
TCP outside 8.8.8.3:443 inside 10.30.34.1:52110, idle 0:00:01, bytes 29543, flags UIO
UDP outside 8.8.8.12:3544 inside 10.30.34.1:58860, idle 0:00:06, bytes 3134, flags -
local host: <10.30.34.37>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Xlate:
PAT Global 8.8.8.2(64180) Local 10.30.34.37(56091)

Conn:
TCP outside 8.8.8.1:3129 inside 10.30.34.37:56091, idle 0:00:04, bytes 9706, flags UIO
local host: <10.30.34.11>,
TCP flow count/limit = 6/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Xlate:
PAT Global 8.8.8.2(17937) Local 10.30.34.11(49413)
PAT Global 8.8.8.2(15687) Local 10.30.34.11(49366)
PAT Global 8.8.8.2(17481) Local 10.30.34.11(49365)
PAT Global 8.8.8.2(54559) Local 10.30.34.11(49316)
PAT Global 8.8.8.2(55892) Local 10.30.34.11(49315)
PAT Global 8.8.8.2(64704) Local 10.30.34.11(49313)

Conn:
TCP outside 8.8.8.16:443 inside 10.30.34.11:49413, idle 0:00:23, bytes 4413, flags UIO
TCP outside 8.8.8.13:80 inside 10.30.34.11:49366, idle 0:00:04, bytes 33040, flags UIO
TCP outside 8.8.8.13:80 inside 10.30.34.11:49365, idle 0:00:04, bytes 21431, flags UIO
TCP outside 8.8.8.8:443 inside 10.30.34.11:49316, idle 0:00:21, bytes 17641, flags UIO
TCP outside 8.8.8.8:443 inside 10.30.34.11:49315, idle 0:00:00, bytes 3435375, flags UIO
TCP outside 8.8.8.10:443 inside 10.30.34.11:49313, idle 0:00:07, bytes 24990, flags UIO
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
Interface NP Identity Ifc: 1 active, 3 maximum active, 0 denied
local host: <8.8.8.2>,
TCP flow count/limit = 3/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 4/unlimited

Conn:
UDP outside 8.8.8.14:67 NP Identity Ifc 8.8.8.2:68, idle 0:01:45, bytes 548, flags -
UDP outside 8.8.8.18:500 NP Identity Ifc 8.8.8.2:500, idle 0:01:18, bytes 44104, flags -
UDP outside 8.8.8.0:123 NP Identity Ifc 8.8.8.2:65535, idle 0:00:13, bytes 1630224, flags -
UDP outside 8.8.8.11:514 NP Identity Ifc 8.8.8.2:514, idle 0:00:00, bytes 930501881, flags -
TCP outside 8.8.8.7:52416 NP Identity Ifc 8.8.8.2:443, idle 0:00:00, bytes 138, flags UOB
TCP outside 8.8.8.7:52363 NP Identity Ifc 8.8.8.2:443, idle 0:00:02, bytes 485768, flags UOB
TCP outside 8.8.8.7:52360 NP Identity Ifc 8.8.8.2:443, idle 0:00:00, bytes 1094734, flags UOB
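
Added example, not part of the thread: a small parser for the "show local-host all" output pasted above that compares the ASA's reported host count with the hosts actually listed on the interfaces the limit applies to. The sample is trimmed from the paste, and treating the loopback and NP Identity interfaces as holding no customer hosts is my assumption.

```python
# Added example, not from the thread: parse "show local-host all" output and
# compare the reported host count with hosts visible on limit-bearing interfaces.
import re

# Constructed sample, trimmed from the output in the post above.
SAMPLE = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 20, towards licensed host limit of: 50
Interface outside: 18 active, 275 maximum active, 0 denied
local host: <8.8.8.1>,
Interface inside: 3 active, 5 maximum active, 0 denied
local host: <10.30.34.1>,
local host: <10.30.34.37>,
local host: <10.30.34.11>,
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
Interface NP Identity Ifc: 1 active, 3 maximum active, 0 denied
local host: <8.8.8.2>,
"""

# Assumption: the ASA's own loopback/identity interfaces hold no customer hosts.
INTERNAL_IFCS = ("_internal_loopback", "NP Identity Ifc")

def parse_local_host(text):
    """Return (internet_ifc, (count, limit), {ifc: [ip, ...]})."""
    internet, reported, hosts, ifc = None, None, {}, None
    for line in text.splitlines():
        if (m := re.match(r"Detected interface '([^']+)' as the Internet interface", line)):
            internet = m.group(1)
        elif (m := re.match(r"Current host count: (\d+), towards licensed host limit of: (\d+)", line)):
            reported = (int(m.group(1)), int(m.group(2)))
        elif (m := re.match(r"Interface (.+?): \d+ active", line)):
            ifc = m.group(1)
            hosts.setdefault(ifc, [])
        elif (m := re.match(r"local host: <([^>]+)>", line)) and ifc:
            hosts[ifc].append(m.group(1))
    return internet, reported, hosts

def license_view(text):
    """Hosts currently seen on limit-bearing interfaces vs. the reported count.
    A large 'unexplained' value means the counter includes hosts not shown now."""
    internet, (count, limit), hosts = parse_local_host(text)
    counted = {i: ips for i, ips in hosts.items()
               if i != internet and i not in INTERNAL_IFCS}
    visible = sum(len(v) for v in counted.values())
    return {"reported": count, "limit": limit, "visible_now": visible,
            "per_interface": counted, "unexplained": count - visible}

if __name__ == "__main__":
    print(license_view(SAMPLE))
```

Run against the full paste, the same three inside hosts fall out, so 17 of the 20 counted hosts are not visible in the current output; that gap is what the replies attribute to devices seen earlier but no longer active.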

That won't give you an accurate list. That only shows what is using the ASA now. It won't show a notebook that has been brought into the office, used, and left again. The licence is not "concurrent" but total devices seen (at least that is my understanding).

If you have WiFi you might find every device will consume two licences as well, since it will have an Ethernet and a WiFi MAC address.

This PDF has more info:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.pdf
