Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1578
Views
10
Helpful
3
Replies

AnyConenct error message when license limit reached?

Go to solution
Michael Muenz
Level 5
Level 5

‎03-19-2020 08:40 AM

Hi,

 

I have 2 ASA's with 250 concurrent AnyConnect peers licensed. Currently I'm hitting 200 users but constantly growing.

I thought that maybe when session limit reached the users will be forwarded to the second (backup) ASA, but this seems not the case: 

https://community.cisco.com/t5/vpn/anyconnect-backup-server-when-session-limit-hit/td-p/1949282

 

Now I'm wondering if anyone every hit the license limit and saw which error the user get's, so I can inform them, if they see this message they shall use "vpn2.domain.com" and not the standard "vpn.domain.com".

 

Thanks

Michael

Michael Please rate all helpful posts
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-19-2020 08:53 AM

Hi,

 

  I'm not sure about the message, could be this one "%ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded". But i don't think you want to get there. Options:

         - implement VPN Load Balancing on the ASA's, which will allow you to make use of both ASA's to the fullest AC licensed capacity; see here and see here

         - separate your users in half let's say, configure two different AnyConnect profiles, one pointing to your primary ASA and the second pointing to your secondary ASA; push each AC profile to the appropriate user-group; you can do this automatically via the ASA

 

Regards,
Cristian Matei.

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-19-2020 09:38 AM

The end user will just get a less-than-helpful "Connection Failed" message.

VPN load balancing would be a much better solution. You will need to use multi-SAN or wildcard certificate for that; but the end user experience is then seamless.

View solution in original post

3 Replies 3

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-19-2020 08:53 AM

Hi,

 

  I'm not sure about the message, could be this one "%ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded". But i don't think you want to get there. Options:

         - implement VPN Load Balancing on the ASA's, which will allow you to make use of both ASA's to the fullest AC licensed capacity; see here and see here

         - separate your users in half let's say, configure two different AnyConnect profiles, one pointing to your primary ASA and the second pointing to your secondary ASA; push each AC profile to the appropriate user-group; you can do this automatically via the ASA

 

Regards,
Cristian Matei.

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-19-2020 09:38 AM

The end user will just get a less-than-helpful "Connection Failed" message.

VPN load balancing would be a much better solution. You will need to use multi-SAN or wildcard certificate for that; but the end user experience is then seamless.

Go to solution
Michael Muenz
Level 5
Level 5
In response to Marvin Rhoads

‎03-20-2020 01:14 AM

Thx guys for your replies! Currently I'm also using the two clusters also for 80 cisco routers and EasyVPN. So the IOS router have main IP as primary and secondary as backup in EasyVPN. Would a switch to VPN load-balancing also affect EasyVPN? 

Michael Please rate all helpful posts
0 Helpful
Customers Also Viewed These Support Documents