licensed host limit of 10 exceeded!?!
11-23-2007 10:26 AM - edited 02-21-2020 01:48 AM
ASA5505 8.0(2) with standard license.
1 server
1 SSL VPN AnyConnect client
1 outside interface
Since my SSL VPN client sets the default route, I thought I'd try to reach the internet via my ASA.
"Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded"
10.200.0.10 being my SSL VPN client.
I understand how (outside vpn) -> (outside) NAT might be a problem but why is the license check being triggered?
Any ideas on how to get SSL VPN NAT'ed to outside?
TIA
11-23-2007 03:44 PM
You would need at least to upgrade your license to break the 10-user limitation with ASA5505-50-BUN-K9. Outbound VPN/SSL is within the 10-user license limitation. How many concurrent users/connections do you have?
Refer to this link for detailed information: http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html
Pls rate any helpful posts!
HTH
Jorge
06-28-2012 07:37 AM
Thanks for that slick Jorge.

12-03-2007 02:18 PM
Do a 'show ver' and see what your WebVPN Peers license is.
If you do a 'show vpn-sessiondb summary', you can see how many sessions are currently in use for SSL VPN and whether that exceeds the WebVPN Peers line in your 'show ver'.
--Jason
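The comparison described in the post above, as an added example that is not part of the original thread: it reads the "WebVPN Peers" and "Inside Hosts" license lines from 'show ver' and the SSL VPN row from 'show vpn-sessiondb summary', using sample text abridged from the output posted in this thread. The function names and result keys are this example's own.

```python
import re

# Constructed sample input: abridged from the 'show ver' and
# 'show vpn-sessiondb summary' output posted in this thread.
SHOW_VER = """\
Licensed features for this platform:
Inside Hosts : 10
VPN Peers : 10
WebVPN Peers : 2
"""
SHOW_SESSIONDB = """\
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent
SSL VPN : 1 : 22 : 2
Clientless only : 0 : 10 : 2
With client : 1 : 12 : 1
Totals : 1 : 22
"""

def licensed_features(show_ver):
    """Map each 'name : value' line of the license block to its value."""
    features = {}
    for line in show_ver.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            features[name.strip()] = value.strip()
    return features

def session_counts(summary, row="SSL VPN"):
    """Return (active, cumulative, peak) for the first row with this label."""
    pattern = rf"^[ \t]*{re.escape(row)}[ \t]*:[ \t]*(\d+)[ \t]*:[ \t]*(\d+)[ \t]*:[ \t]*(\d+)[ \t]*$"
    match = re.search(pattern, summary, re.MULTILINE)
    if match is None:
        raise ValueError(f"no '{row}' row with three counters found")
    return tuple(int(n) for n in match.groups())

def webvpn_license_check(show_ver, summary):
    """Compare SSL VPN sessions with the 'WebVPN Peers' license line."""
    features = licensed_features(show_ver)
    limit = int(features["WebVPN Peers"])
    active, _cumulative, peak = session_counts(summary)
    return {
        "webvpn_limit": limit,
        "active": active,
        "peak": peak,
        "over_limit": active > limit,
        "inside_hosts": int(features["Inside Hosts"]),
    }
```

Calling `webvpn_license_check(SHOW_VER, SHOW_SESSIONDB)` on the sample reports one active SSL VPN session against a limit of two, alongside the separate Inside Hosts limit of 10.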
12-04-2007 03:42 AM
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Advanced Endpoint Assessment : Disabled
This platform has a Base license.
...
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent
SSL VPN : 1 : 22 : 2
Clientless only : 0 : 10 : 2
With client : 1 : 12 : 1
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 0 : 0 : 0
IPsec Remote Access : 0 : 0 : 0
Totals : 1 : 22
License Information:
IPsec : 10 Configured : 10 Active : 0 Load : 0%
SSL VPN : 2 Configured : 2 Active : 1 Load : 50%
Total : 12 Configured : 12 Active : 1 Load : 8%
Active : Cumulative : Peak Concurrent
IPsec : 0 : 0 : 0
SSL VPN : 1 : 22 : 2
Totals : 1 : 22
Tunnels:
Active : Cumulative : Peak Concurrent
Clientless : 1 : 22 : 2
SSL-Tunnel : 1 : 14 : 1
DTLS-Tunnel : 0 : 2 : 1
Totals : 2 : 38
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
...
Only me, myself and I on this box, so the license should be sufficient.
I get this rejection when I try to reach an IP beyond the default gw of my ASA from my AnyConnect client.
However, if I try to reach something on the outside subnet, it will send on the outside interface but without NAT'ing the source address (see attached capture).

12-10-2007 11:34 AM
Hello,
The problem is that you have a restricted license that says only 10 users (read, 10 IP addresses with packets going to/from them at a time on the highest security level interface). It's not a VPN license issue - you'll have to get a new license if you want to reach more than 10 machines on the inside of your network.
