How to limit maximum SSL VPN sessions per group-policy on ASA5510?

Anton Pestov
Level 1

How to limit maximum SSL VPN sessions per group-policy on ASA5510?

Any ideas?

There are 2 group-policies: one with a maximum of 10 connections, the second with 15 (in total, the SSL VPN license covers 25 connections).

6 Replies

Hi Anton,

This is an interesting question.

Please check the following options, depending on your scenario:

vpn-simultaneous-logins

To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

vpn-simultaneous-logins {integer}

no vpn-simultaneous-logins

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1664777

There is also a global command; even though it may not be useful here, I wanted to share it with you:

vpn-sessiondb max-session-limit

--> To specify the maximum VPN session limit.

Best option:

What you can do is to create one IP pool with 10 addresses and another with 15; this way you only allow 10 connections and 15 connections respectively.

! 10 addresses: once the pool is exhausted, further connections to this group fail
ip local pool only_10 192.168.1.1-192.168.1.10
! 15 addresses, in its own subnet
ip local pool only_15 192.168.2.1-192.168.2.15

Then,

group-policy only_10 attributes
     address-pools value only_10
!
group-policy only_15 attributes
     address-pools value only_15
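The check a practitioner would run alongside the config above, added here as an example (it is not part of the original post, nor Cisco tooling): the script parses the output of `show vpn-sessiondb anyconnect`, counts active sessions per group policy against the size of each pool, flags any assigned address that falls outside the pool the group is supposed to draw from, and lists users holding more than one session (the situation `vpn-simultaneous-logins 1` would block). The session dump is constructed, the two-column `Label : value` layout is an assumption about the ASA's output format, the tunnel-group names are hypothetical, and the pool names and ranges are taken from the thread.

```python
"""Check ASA AnyConnect session counts per group policy against pool sizes."""
import ipaddress
import re
from collections import Counter

# Constructed sample of `show vpn-sessiondb anyconnect` output (not captured
# from a real ASA). Only the fields below are parsed; the two-column
# "Label : value" layout is an assumption about the ASA's output format.
SAMPLE = """\
Session Type: AnyConnect

Username     : alice                  Index        : 11
Assigned IP  : 192.168.1.1            Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : only_10                Tunnel Group : tg_10
Login Time   : 10:00:00 UTC Mon Jan 1 2024

Username     : bob                    Index        : 12
Assigned IP  : 192.168.1.2            Public IP    : 203.0.113.11
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : only_10                Tunnel Group : tg_10
Login Time   : 10:01:00 UTC Mon Jan 1 2024

Username     : alice                  Index        : 13
Assigned IP  : 192.168.1.3            Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : only_10                Tunnel Group : tg_10
Login Time   : 10:02:00 UTC Mon Jan 1 2024

Username     : carol                  Index        : 14
Assigned IP  : 192.168.2.1            Public IP    : 198.51.100.8
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : only_15                Tunnel Group : tg_15
Login Time   : 10:03:00 UTC Mon Jan 1 2024

Username     : dave                   Index        : 15
Assigned IP  : 192.168.2.16           Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : only_15                Tunnel Group : tg_15
Login Time   : 10:04:00 UTC Mon Jan 1 2024
"""

# Pool names and ranges from the thread; tunnel-group names above are hypothetical.
POOLS = {
    "only_10": ("192.168.1.1", "192.168.1.10"),
    "only_15": ("192.168.2.1", "192.168.2.15"),
}

# One "Label : value" pair; a second pair on the same line starts after 2+ spaces.
FIELD_RE = re.compile(
    r"(?P<key>[A-Z][A-Za-z ]*?)\s*:\s*(?P<val>.+?)(?=\s{2,}[A-Z][A-Za-z ]*?\s*:|\s*$)"
)


def parse_sessions(text):
    """Split the session table into one dict per session, keyed by field label."""
    sessions = []
    for line in text.splitlines():
        for m in FIELD_RE.finditer(line):
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Username":          # every session record starts here
                sessions.append({})
            if sessions:                   # skips the "Session Type" header line
                sessions[-1][key] = val
    return sessions


def _as_int(ip):
    return int(ipaddress.ip_address(ip))


def pool_usage(sessions, pools=POOLS):
    """Per group policy: sessions in use, pool size, free addresses, and any
    assigned IP outside that group's pool (pool and monitoring map out of step)."""
    report = {}
    for gp, (first, last) in pools.items():
        members = [s for s in sessions if s.get("Group Policy") == gp]
        size = _as_int(last) - _as_int(first) + 1
        outside = [s["Assigned IP"] for s in members if "Assigned IP" in s
                   and not _as_int(first) <= _as_int(s["Assigned IP"]) <= _as_int(last)]
        report[gp] = {"used": len(members), "size": size,
                      "free": size - len(members), "outside_pool": outside}
    return report


def multi_login_users(sessions):
    """Users holding more than one session; vpn-simultaneous-logins 1 blocks this."""
    counts = Counter(s["Username"] for s in sessions)
    return {user: n for user, n in counts.items() if n > 1}


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    for gp, r in pool_usage(sess).items():
        flag = " FULL" if r["free"] <= 0 else ""
        print(f"{gp}: {r['used']}/{r['size']} in use, {r['free']} free{flag}")
        for ip in r["outside_pool"]:
            print(f"  warning: {ip} assigned in {gp} but outside its pool")
    for user, n in multi_login_users(sess).items():
        print(f"{user} holds {n} sessions")
```

On a real box, feed it the captured output of `show vpn-sessiondb anyconnect` instead of the constructed sample; a group reporting 0 free addresses is exactly the state in which the next login to that group is refused, which is the limiting behaviour the pool-size approach relies on.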

Hi, jportugu!

This is a good idea with a simple solution! But there is one nuance, for example:

The DHCP pool has 5 addresses for SSL VPN. If 5 users connect to the VPN (the DHCP pool is fully used), then 1 of the users disconnects from the VPN, and then another user tries to connect to the network. Is there a probability that he can't receive an IP address, because the DHCP binding table already holds all 5 IP addresses (no free address space)?

Anton,

Yes, that may be a risk, so what you can do is increase the pool to 11 addresses and add the following command:

vpn-simultaneous-logins 1

So there can be only one connection per user, and if a user needs to be able to reconnect there may be one free IP address; after some time the old IP address will be released and another user will be able to take it.

Another option is to assign a specific framed-ip-address, so you basically assign a specific IP for each user.

HTH.

Please rate any helpful posts

And another option: decrease the DHCP lease time, for example to 30 min. Though would the VPN be interrupted when the IP is renewed...

Exactly, however that will be possible if you use your own DHCP server

If you do not have any further questions please mark this post as answered and please rate any helpful posts.

Thanks.

Portu

oeortiz01
Level 1

I hope this helps you:

Setting Maximum Active IPsec or SSL VPN Sessions

To limit VPN sessions to a lower value than the ASA allows, enter the vpn-sessiondb command in global configuration mode:

vpn-sessiondb {max-anyconnect-premium-or-essentials-limit <number> | max-other-vpn-limit <number>}

The max-anyconnect-premium-or-essentials-limit keyword specifies the maximum number of AnyConnect sessions, from 1 to the maximum sessions allowed by the license.

The max-other-vpn-limit keyword specifies the maximum number of VPN sessions other than AnyConnect client sessions, from 1 to the maximum sessions allowed by the license. This includes the Cisco VPN client (IPsec IKEv1), Lan-to-Lan VPN, and clientless SSL VPN sessions.

This limit affects the calculated load percentage for VPN Load Balancing.

The following example shows how to set a maximum AnyConnect VPN session limit of 450:

hostname(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 450
hostname(config)#

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html
