03-19-2020 08:40 AM
Hi,
I have 2 ASAs with 250 concurrent AnyConnect peers licensed. Currently I'm hitting 200 users, but constantly growing.
I thought that maybe when the session limit is reached the users would be forwarded to the second (backup) ASA, but this seems not to be the case:
https://community.cisco.com/t5/vpn/anyconnect-backup-server-when-session-limit-hit/td-p/1949282
Now I'm wondering if anyone ever hit the license limit and saw which error the user gets, so I can inform them that if they see this message they shall use "vpn2.domain.com" and not the standard "vpn.domain.com".
Thanks
Michael
03-19-2020 08:53 AM
Hi,
I'm not sure about the message, could be this one "%ASA-3-316001: Denied new tunnel to IP_address. VPN peer limit (platform_vpn_peer_limit) exceeded". But I don't think you want to get there. Options:
- implement VPN Load Balancing on the ASAs, which will allow you to make use of both ASAs to the fullest AC licensed capacity; see here and see here
- separate your users in half let's say, configure two different AnyConnect profiles, one pointing to your primary ASA and the second pointing to your secondary ASA; push each AC profile to the appropriate user-group; you can do this automatically via the ASA
Regards,
Cristian Matei.
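As an added example (not from this thread, not Cisco code), a small Python check that pulls the %ASA-3-316001 message Cristian quotes out of an exported syslog and counts, per ASA, how many peers were refused; a run of these is the operational signal to tell users to switch to the backup head-end before they call in. The syslog prefix layout (timestamp plus hostname before " : %ASA"), the hostnames and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Anchors only the 316001 body quoted in the thread; the syslog prefix
# (timestamp, hostname) differs between collectors, so it is not matched here.
PEER_LIMIT_RE = re.compile(
    r"%ASA-3-316001: Denied new tunnel to (?P<peer>\S+)\. "
    r"VPN peer limit \((?P<limit>[^)]+)\) exceeded"
)

Denial = Tuple[str, str, Optional[int]]  # (asa hostname, refused peer, logged limit)

def parse_denial(line: str) -> Optional[Denial]:
    """Return (host, peer, limit) for a 316001 line, or None for anything else."""
    m = PEER_LIMIT_RE.search(line)
    if m is None:
        return None
    # Assumed prefix layout "<timestamp> <hostname> : %ASA-..." (constructed);
    # the last token before the message body is taken as the ASA hostname.
    prefix_tokens = line[: m.start()].rstrip(" :").split()
    host = prefix_tokens[-1] if prefix_tokens else "unknown"
    raw_limit = m.group("limit")
    limit = int(raw_limit) if raw_limit.isdigit() else None
    return host, m.group("peer"), limit

def summarize(lines: Iterable[str], threshold: int = 1) -> Dict[str, dict]:
    """Per ASA: denial count, distinct refused peers, logged limit, and whether
    the count reached the threshold at which users should be told to use the
    backup head-end."""
    per_host: Dict[str, dict] = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        host, peer, limit = d
        e = per_host.setdefault(host, {"denials": 0, "peers": set(), "limit": limit})
        e["denials"] += 1
        e["peers"].add(peer)
    return {
        h: {"denials": e["denials"], "peers": sorted(e["peers"]),
            "limit": e["limit"], "alert": e["denials"] >= threshold}
        for h, e in per_host.items()
    }

# Constructed sample export: two refusals on asa1 and one unrelated message.
SAMPLE_LINES: List[str] = [
    "Mar 19 2020 08:40:01 asa1 : %ASA-3-316001: Denied new tunnel to 203.0.113.5. VPN peer limit (250) exceeded",
    "Mar 19 2020 08:40:03 asa1 : %ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.9/51234",
    "Mar 19 2020 08:40:09 asa1 : %ASA-3-316001: Denied new tunnel to 203.0.113.7. VPN peer limit (250) exceeded",
]
```

Feed it the syslog export from both ASAs and the per-host "alert" flag tells you which head-end is actually saturated, which is also the baseline to compare against once load balancing is in place.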
03-19-2020 09:38 AM
The end user will just get a less-than-helpful "Connection Failed" message.
VPN load balancing would be a much better solution. You will need to use multi-SAN or wildcard certificate for that; but the end user experience is then seamless.
03-20-2020 01:14 AM
Thanks guys for your replies! Currently I'm also using the two clusters for 80 Cisco routers and EasyVPN. So the IOS routers have the main IP as primary and the secondary as backup in EasyVPN. Would a switch to VPN load balancing also affect EasyVPN?