05-27-2014 05:16 AM - edited 03-11-2019 09:14 PM
Hi,
I have an ASA 5505 with the base 50-user license deployed for a 15-person branch office. But recently the ASA started to block internal hosts since the license reached the MAX of 50.
I did show local-host on the ASA and then manually filtered the output in a spreadsheet, and there are only about 20 individual internal IP addresses.
According to Cisco,
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.
So each individual internal IP address will be counted against the license on the ASA, right? Then where are the other 30 hosts? The ASA is running 8.2(5).
Thanks,
/S
05-27-2014 05:31 AM
Are you using hairpinning? If so, you might be running into this bug: https://tools.cisco.com/bugsearch/bug/CSCsk49506
--
Please remember to select a correct answer and rate
05-27-2014 06:06 AM
Thanks. We do not have hairpinning set up for the branch... plus the defect is on 8.0 code and we are running 8.2(5).
05-27-2014 06:17 AM
The 8.0 code only means that is the code that it has been reported in...doesn't necessarily mean that it is not found in the 8.2 code...but since you are not doing hairpinning this bug doesn't relate to your issue anyway.
Do your users connect their mobile phones and tablets to the network as well? How many printers, servers, and any other non-user devices connect to the network?
--
Please remember to select a correct answer and rate
05-27-2014 06:33 AM
Not many phone/tablets...
Dug deeper and manually filtered again with output from show local brief connection; it shows pretty much all the IPs from the DHCP pool are there... Either the ASA is crazy or there is a device exhausting the DHCP pool internally, I think...
05-27-2014 06:48 AM
Is it the ASA that is the DHCP server? If so, issue the show dhcp binding command.
If not, have a look on the DHCP server and see if a single host is taking up the IPs.
--
Please remember to select a correct answer and rate
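An added example, not from any post in this thread: instead of filtering saved show local-host output by hand in a spreadsheet, a short script can tally the unique local hosts per interface and compare the count with the licensed limit. The line layout of the embedded sample is an assumption about ASA 8.x output and its data is constructed; the names summarize and internet_iface are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The layout is an assumption modelled on ASA 8.x
# "show local-host" output; the addresses are private/documentation ranges.
SAMPLE = """\
Licensed host limit: 50
Interface inside: 3 active, 50 maximum active, 4 denied
local host: <192.168.1.10>,
    TCP flow count/limit = 2/unlimited
local host: <192.168.1.11>,
    TCP flow count/limit = 0/unlimited
local host: <192.168.1.12>,
    TCP flow count/limit = 1/unlimited
Interface outside: 1 active, 2 maximum active, 0 denied
local host: <203.0.113.7>,
    TCP flow count/limit = 3/unlimited
"""

LIMIT_RE = re.compile(r"^Licensed host limit: (\d+)")
IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"^local host: <([^>]+)>")

def summarize(text, internet_iface="outside"):
    """Tally unique local hosts per interface; hosts on the Internet-facing
    interface are excluded from the licensed count (per the Cisco note)."""
    hosts = defaultdict(set)   # interface name -> set of host addresses
    reported = {}              # interface name -> counters printed by the ASA
    limit, iface = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LIMIT_RE.match(line):
            limit = int(m.group(1))
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
            reported[iface] = {"active": int(m.group(2)), "denied": int(m.group(4))}
        elif (m := HOST_RE.match(line)) and iface is not None:
            hosts[iface].add(m.group(1))
    counted = set().union(*(h for i, h in hosts.items() if i != internet_iface))
    return {"limit": limit, "counted": sorted(counted), "reported": reported,
            "per_interface": {i: sorted(h) for i, h in hosts.items()}}

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(f"{len(r['counted'])} unique hosts counted, limit {r['limit']}")
    for name, c in r["reported"].items():
        print(f"{name}: ASA reports {c['active']} active, {c['denied']} denied")
```

A nonzero denied counter on an inside interface shows the limit was hit there, and a gap between the parsed host count and the number of known devices points at addresses worth checking against the DHCP bindings.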