02-06-2010 09:24 AM
Hi Guys,
We have an ASA5505 connected via Site-to-Site VPN. The problem is that the tunnel is disconnected at random times (intermittent). We have checked the privacy settings (edes-sha1.. etc) for both sides and all are OK.
Except for the logs that showed up in the ASA, and I think this might be the problem.
LAN -- Cisco ASA550 <-- internet --> Cisco ASA5505 -- LAN (Switch with 24 hosts) *here where the logs showed up
4|Feb 03 2010 20:44:49|450001: Deny traffic for protocol 1 src outside:192.168.1.1/28629 dst inside:192.168.100.1/0, licensed host limit of 10 exceeded.
ASA5505# sh activation-key
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
The flash activation key is the SAME as the running key.
Do we have any solution for that? Thanks in advance and more power!
regards,
Gagamboy
02-06-2010 06:01 PM
You have a Base license (10 user license limitation), which means 10 concurrent connections can traverse the firewall between inside and outside. You can see the concurrent connection count by issuing show local-host at the command line.
Depending on your budget you have three other choices to expand this limitation: use the ASA5505-50-BUN-K9 license, which allows for 50 users, but you will be in the same spot if going over 50 concurrent connections from inside to outside, with no DMZ support and no Dual ISP support; or use ASA5505-UL-BUN-K9, which allows unlimited users, with no DMZ and no dual ISP support; and lastly ASA5505-SEC-BUN-K9, the Security Plus license, with unlimited users, DMZ support, etc. I suggest you use the Security Plus license to have unlimited users in addition to access to all the other features that the previous licenses don't have.
License specs
http://www.cisco.com/en/US/docs/security/asa/asa80/license/license80.html#wp86066
License specs and part numbers
Regards
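An added example, not part of the original thread: a small parser for the 450001 line format quoted in the question, which counts denies per inside address and bounds the time window so the events can be compared against the times the tunnel dropped. The function names, the `inside_if` parameter and all sample lines after the first are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the ASDM-style line from the question: severity|timestamp|450001: text
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\|450001: "
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

def parse_450001(line):
    """Return a dict for a 450001 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    for key in ("sev", "proto", "src_port", "dst_port", "limit"):
        ev[key] = int(ev[key])
    return ev

def summarize(lines, inside_if="inside"):
    """Count denies per address on the inside interface and bound the time window."""
    events = [ev for ev in map(parse_450001, lines) if ev is not None]
    per_host = Counter()
    for ev in events:
        # Assumption: the address behind inside_if is the host the limit applies to;
        # if neither side is on inside_if, the source address is counted.
        per_host[ev["dst_ip"] if ev["dst_if"] == inside_if else ev["src_ip"]] += 1
    stamps = [ev["ts"] for ev in events]
    return {
        "events": len(events),
        "limit": events[0]["limit"] if events else None,
        "per_host": dict(per_host),
        "first": min(stamps, default=None),
        "last": max(stamps, default=None),
    }

# First line is the one quoted in the question; the rest are constructed samples.
SAMPLE = [
    "4|Feb 03 2010 20:44:49|450001: Deny traffic for protocol 1 src outside:192.168.1.1/28629 dst inside:192.168.100.1/0, licensed host limit of 10 exceeded.",
    "4|Feb 03 2010 20:44:52|450001: Deny traffic for protocol 6 src inside:192.168.100.23/51514 dst outside:192.168.1.10/445, licensed host limit of 10 exceeded.",
    "4|Feb 03 2010 20:45:07|450001: Deny traffic for protocol 1 src outside:192.168.1.1/28630 dst inside:192.168.100.1/0, licensed host limit of 10 exceeded.",
    "6|Feb 03 2010 20:45:09|302013: Built outbound TCP connection 1234 for outside:192.168.1.10/80 (192.168.1.10/80) to inside:192.168.100.5/1025 (192.168.100.5/1025)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```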
02-08-2010 06:43 AM
Great! Thanks a lot for the info. Now, I know the solution for this problem.
02-19-2010 06:15 AM
Actually, adding the Security Plus license to a base ASA5505-BUN-K9 does NOT increase the concurrent user count. We own a few of the base units that we use at employee homes. We are hitting the "10-user" limit (which is apparently a very misleading name) and we wanted to enable trunking so we could attach a WAP running with a separate VLAN/SSID for our WiFi phones. We purchased and installed a Security Plus license upgrade on one of them. It did eliminate the trunking/DMZ restrictions and raised the number of allowed VPN connections, but the concurrent user limit is still 10 users.
Apparently, you also need to purchase the UL license upgrade to raise the actual user count. The product description for the Sec Plus upgrade (ASA5505-SEC-PL) is very misleading in some places. I did find this official(?) description on one site:
Cisco ASA 5505 Security Plus license (provides stateless Active/Standby high availability, dual ISP support, DMZ support, VLAN trunking support, and increased session and IPSec VPN peer capacities)
The license products to upgrade the user count are: ASA5505-SW-10-50= or L-ASA5505-10-UL=. Actually, when I ordered the SEC PLUS upgrade, Ingram said I had to order the non-spare part (without the "=" at the end) which cost more than the "spare" (with the "=").
-dpm