cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1433
Views
10
Helpful
3
Replies

AnyConenct error message when license limit reached?

Michael Muenz
Level 5
Level 5

Hi,

 

I have 2 ASA's with 250 concurrent AnyConnect peers licensed. Currently I'm hitting 200 users but constantly growing.

I thought that maybe when session limit reached the users will be forwarded to the second (backup) ASA, but this seems not the case: 

https://community.cisco.com/t5/vpn/anyconnect-backup-server-when-session-limit-hit/td-p/1949282

 

Now I'm wondering if anyone every hit the license limit and saw which error the user get's, so I can inform them, if they see this message they shall use "vpn2.domain.com" and not the standard "vpn.domain.com".

 

Thanks

Michael

Michael Please rate all helpful posts
2 Accepted Solutions

Accepted Solutions

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

  I'm not sure about the message, could be this one "%ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded". But i don't think you want to get there. Options:

         - implement VPN Load Balancing on the ASA's, which will allow you to make use of both ASA's to the fullest AC licensed capacity; see here and see here

         - separate your users in half let's say, configure two different AnyConnect profiles, one pointing to your primary ASA and the second pointing to your secondary ASA; push each AC profile to the appropriate user-group; you can do this automatically via the ASA

 

Regards,
Cristian Matei.

View solution in original post

Marvin Rhoads
Hall of Fame
Hall of Fame

The end user will just get a less-than-helpful "Connection Failed" message.

VPN load balancing would be a much better solution. You will need to use multi-SAN or wildcard certificate for that; but the end user experience is then seamless.

View solution in original post

3 Replies 3

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

  I'm not sure about the message, could be this one "%ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded". But i don't think you want to get there. Options:

         - implement VPN Load Balancing on the ASA's, which will allow you to make use of both ASA's to the fullest AC licensed capacity; see here and see here

         - separate your users in half let's say, configure two different AnyConnect profiles, one pointing to your primary ASA and the second pointing to your secondary ASA; push each AC profile to the appropriate user-group; you can do this automatically via the ASA

 

Regards,
Cristian Matei.

Marvin Rhoads
Hall of Fame
Hall of Fame

The end user will just get a less-than-helpful "Connection Failed" message.

VPN load balancing would be a much better solution. You will need to use multi-SAN or wildcard certificate for that; but the end user experience is then seamless.

Thx guys for your replies! Currently I'm also using the two clusters also for 80 cisco routers and EasyVPN. So the IOS router have main IP as primary and secondary as backup in EasyVPN. Would a switch to VPN load-balancing also affect EasyVPN? 

Michael Please rate all helpful posts