12-04-2013 11:32 AM - edited 03-11-2019 08:12 PM
I recently began having issues with customer traffic being rejected by my ASA. I wasn't really aware of it until it became critical.
I looked at the ASA 5505 log today and saw a message as follows:
4 | Dec 04 2013 | 08:03:20 | 450001 | 72.15.235.11 | Deny traffic for protocol 6 src outside:173.165.205.241/6588 dst inside:72.15.235.11/443, licensed host limit of 10 exceeded. |
What does this mean? I am not aware of any license restrictions on the box.
I am also seeing another deny message but I don't understand it.
4 | Dec 04 2013 | 08:03:17 | 106023 | 95.76.86.226 | 72.15.235.1 | Deny tcp src outside:95.76.86.226/1227 dst outside:72.15.235.1/445 by access-group "outside_access_in" [0x0, 0x0] |
My issue has gone critical. Any guidance would be appreciated.
12-04-2013 11:43 AM
Hi,
The first log message seems to indicate that the ASA5505 Licensed host limit has been reached.
The ASA5505 to my understanding has at least 3 different levels of host licensing.
And of those to my understanding the 10 user limit is for the Base License unit, 50 user limit is sold separately for a Base License (or as a bundle) unit and Unlimited is either sold separately for a Base License unit (or as a bundle) or is included with a Security Plus license of the unit. I am not 100% sure about this but that is how I remember it.
The user licensing should work so that the hosts behind the interface holding the Default Route aren't considered/counted towards this limit. Only users on your LAN interface or DMZ interface are counted towards this limit.
You should check the following commands' output to get clearer information on the current situation
View the license with
show version
Show the amount of users counted towards the license limit
show local-host
Look at the top part of the output.
Here is an example from my own home ASA5505 with Base License only
ASA# sh local-host
Detected interface 'WAN' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 3, towards licensed host limit of: 10
There are also some bugs in the newer software versions that might cause problems even though the user limit is not reached.
The second log message you posted is simply the ASA denying traffic based on your ACL called "outside_access_in"
The [0x0, 0x0] at the end indicates that the traffic hits the Implicit Deny rule at the end. This rule doesn't show in the ACL but is the basic well known rule that means that all traffic that is not allowed in the ACL before the end of the ACL is blocked.
I don't see anything out of the ordinary in the log message.
But as I said the first one seems to indicate that you have reached the 10 user limit which would indicate you have a basic ASA5505 with Base License only
Have a look at this Cisco document about the ASA5505 Licensing/Bundle options
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
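As an added example (not from either reply, and not a Cisco tool), here is a small Python triage script that parses log rows in the pipe-delimited export format shown in the question, picks out 450001 (licensed host limit) and 106023 (ACL deny) messages, and reports whether an ACL deny carries the [0x0, 0x0] marker that the reply above describes as the implicit deny. The sample rows are constructed: two are the messages quoted in the thread, the third is an ordinary connection-built entry added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample rows in the same pipe-delimited export format the question shows.
# The 450001 row has one address column, the 106023 row has two, so fields are
# addressed by message-id position and by the last column rather than fixed widths.
SAMPLE_LOG = """\
4 | Dec 04 2013 | 08:03:20 | 450001 | 72.15.235.11 | Deny traffic for protocol 6 src outside:173.165.205.241/6588 dst inside:72.15.235.11/443, licensed host limit of 10 exceeded. |
4 | Dec 04 2013 | 08:03:17 | 106023 | 95.76.86.226 | 72.15.235.1 | Deny tcp src outside:95.76.86.226/1227 dst outside:72.15.235.1/445 by access-group "outside_access_in" [0x0, 0x0] |
6 | Dec 04 2013 | 08:03:15 | 302013 | 10.0.0.5 | 72.15.235.11 | Built inbound TCP connection 12345 for outside:10.0.0.5/4000 to inside:72.15.235.11/443 |
"""

HOST_LIMIT_RE = re.compile(r"licensed host limit of (\d+) exceeded")
ACL_DENY_RE = re.compile(r'by access-group "([^"]+)" \[(0x[0-9a-f]+), (0x[0-9a-f]+)\]')


@dataclass
class Finding:
    msg_id: str
    kind: str      # "host_limit", "acl_deny" or "other"
    detail: dict


def parse_row(row):
    """Parse one exported log row into a Finding."""
    fields = [f.strip() for f in row.strip().strip("|").split("|")]
    msg_id, text = fields[3], fields[-1]
    if msg_id == "450001":
        m = HOST_LIMIT_RE.search(text)
        return Finding(msg_id, "host_limit", {"limit": int(m.group(1)) if m else None})
    if msg_id == "106023":
        m = ACL_DENY_RE.search(text)
        # Per the reply, [0x0, 0x0] means the packet fell through to the implicit deny.
        implicit = m is not None and m.group(2) == "0x0" and m.group(3) == "0x0"
        return Finding(msg_id, "acl_deny",
                       {"acl": m.group(1) if m else None, "implicit_deny": implicit})
    return Finding(msg_id, "other", {})


def triage(log_text):
    """Bucket every row so licence-limit hits stand apart from routine ACL denies."""
    findings = [parse_row(r) for r in log_text.splitlines() if r.strip()]
    return {
        "host_limit_hits": [f for f in findings if f.kind == "host_limit"],
        "acl_denies": [f for f in findings if f.kind == "acl_deny"],
        "other": [f for f in findings if f.kind == "other"],
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, [(f.msg_id, f.detail) for f in items])
```

Any 450001 hit is worth alerting on separately, since it means legitimate inside hosts are being dropped for licensing rather than policy reasons, which a plain count of deny messages would hide.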
12-04-2013 11:47 AM
Hello,
Basically you have an ASA 5505 where by default you will only be able to support up to 10 different hosts on the internal network to initiate traffic to the lower security level interface.
You can upgrade the license to 50 or to unlimited users.
(You could also use a proxy and bypass the license restriction)
I am also seeing another deny message but I don't understand it.
4 | Dec 04 2013 | 08:03:17 | 106023 | 95.76.86.226 | 72.15.235.1 | Deny tcp src outside:95.76.86.226/1227 dst outside:72.15.235.1/445 by access-group "outside_access_in" [0x0, 0x0] |
This one talks about a connection being denied by the access-list applied on the outside interface
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com