cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
600
Views
0
Helpful
4
Replies

ASA VPN ignoring licenses

Hal Sclater
Level 1
Level 1

Hi there

We moved to AnyConnect a few months ago, and purchased the Premium license. It was working fine up to 25 users, but now suddenly is only allowing 2 users. The error is: session limit of 2 reached. This is like it has no license installed.

Here are the details of the firewall including license, can anyone tell me what the problem is? 

Cisco Adaptive Security Appliance Software Version 9.2(3)3
Device Manager Version 7.4(2)

Compiled on Thu 12-Feb-15 14:40 by builders
System image file is "disk0:/asa923-3-k8.bin"
Config file at boot was "startup-config"

BeresfordASA5505 up 20 hours 25 mins

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is 6c20.5688.ba03, irq 11
1: Ext: Ethernet0/0 : address is 6c20.5688.b9fb, irq 255
2: Ext: Ethernet0/1 : address is 6c20.5688.b9fc, irq 255
3: Ext: Ethernet0/2 : address is 6c20.5688.b9fd, irq 255
4: Ext: Ethernet0/3 : address is 6c20.5688.b9fe, irq 255
5: Ext: Ethernet0/4 : address is 6c20.5688.b9ff, irq 255
6: Ext: Ethernet0/5 : address is 6c20.5688.ba00, irq 255
7: Ext: Ethernet0/6 : address is 6c20.5688.ba01, irq 255
8: Ext: Ethernet0/7 : address is 6c20.5688.ba02, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

Serial Number: (removed)
Running Permanent Activation Key: 0x9915cf62 (removed)
Configuration register is 0x1
Configuration has not been modified since last system restart.

4 Replies 4

Kevin_W
Level 1
Level 1

Hi Hal Sclater,

did you make a failover with your asa (when you have two asa's configured in a failover-pair)?
Or did you install the AnyConnect licenses only on the secondary asa?



Best regards

Hi

No, we only have one.

Does anything look wrong with the license? We should be licensed for 25 Anyconnect users right? We are trying to raise a TAC call but there is an issue with the service contract we are trying to sort.

Thanks

Hello Hal 

I don't see a problem with the license I see "AnyConnect Premium Peers : 25 perpetual"

Follow JP's recommendation is a big possibility that there is a limit set even if you still have the 25 users license 

you can check it by running the command "sh vpn-sessiondb license-summary"

if there is currently a limit set you will see it listed 

---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                      Status :    Capacity : Installed :          Limit
-----------------------------------------
AnyConnect Premium : ENABLED :    750 :         2 :              NONE
AnyConnect Essentials : DISABLED : 750 :         0 :               NONE
Other VPN (Available by Default) : ENABLED : 750 : 750 :    NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : DISABLED(Requires Premium)
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
AnyConnect for Cisco VPN Phone : DISABLED
---------------------------------------------------------------------------

Under limit it should say NONE if you have 2 then that's the problem you can set the limit of 25 with the command suggested before "vpn-sessiondb max-anyconnect-premium-or-essentials-limit 25"

Regards,

JP Miranda Z
Cisco Employee
Cisco Employee

Hi Hal Sclater,

There is a default command on the asa that restricts or creates a limit of vpn-sessions, please use the following command and let me know if you are still having issues with this:

#config t

#vpn-sessiondb max-anyconnect-premium-or-essentials-limit 25

-JP-

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: