Jennifer,

I just re-read your post and regarding your statement "When you limit the connections to 5 per group for example". How do you limit the group to 5 connections?

Under your group-policy, you can configure the following:

vpn-simultaneous-logins 5

That limits the group to 5 simultenous logins.

Example:

group-policy attributes
        vpn-simultaneous-logins 5

The simultaneous logins means how many of the same user "tom" can be logged in at a time correct? So with 5 that means I can login in user "tom" 5 times before the ASA rejects my login?

Or does it mean how many users total can be logged into the group at a time.

Thanks again

Simultenous logins mean how many users in total can connect in to that group.

Here are some example scenarios (with 5 simultenous login):

1) User-A can connect 3 times to the same group, plus User-B and User-C ---> Total of 5 users per group

OR/

2) User-A can connect 5 times to the same group --> Total of 5 users per group, and no other user can login to this group

OR/

3) User-A, User-B, User-C, User-D, and User-E can connect once to the same group --> Total of 5 users per group, and if user-F wants to login, this will not be successful.

Hope that helps.

Hmm alright, well that doesn't seem to be working for me right now. I set the simult at 1 just for testing and when user "A" logged in more than once it would kick one of the sessions off but when I had user "A" logged in, user "B" and user "C" was still able to login with no one being kicked off.

So I am not sure if mine isn't working right or what might be happening, I guess I will have to keep playing with it, not sure though.

OK, there is 2 places where you can configure " vpn-simultaneous-logins", ie: under group-policy and under user policy (if you are using ASA local authentication).

If you also have user attribute configured with " vpn-simultaneous-logins" to 1, it will take precedence, and group-policy " vpn-simultaneous-logins" attribute will not be checked anymore. Please make sure that you do not configure any " vpn-simultaneous-logins" under user attribute.

I did have that policy set to "1" and what you said made sense to I changed it to "5" just to put it above what the group policy is set at which is currently "1". I am still able to login three usernames at the same time with no effect of the firewall trying to boot anyone after 1 connection is made. Of course still if i try to connect user "A" twice, it will kick the older session off after the 2nd one connects.

I guess there isn't a huge need for a feature like this, but I was thinking there would be a way to do this. The method I found is to limit the IP pool but then I can't have static IP's to the users, so its a toss up that I will just have to figure out which way I will have to take.

After running some tests, I don't think its actually enforcing the group policy. I have the group policy set at 1 and user connections set to 5. I was just able to log user "A" in twice without and issues. So this might be where the group policy isn't being enforced. Which I am not sure why it wouldn't be since the user is set to that policy when I look at it.

Yes, group policy attribute will not be enforced if you have the same user policy attribute defines because user policy takes precedence

over the group policy.

That's why try to remove the user policy attributes (so it will inherit from the group-policy attribute), and just set the group policy attribute to  vpn-simultaneous-logins of 1, and try to connect multiple users (it should fail).

I get what your saying now and so I went ahead and hit "intherit" for everything under the user so it would pull all the permissions from the group policy. That makes sense and dunno why it didn't before. So now when I login user "A" twice, one of them does get kicked off. But I can still login user "A" and "B" and "C" with no issues.

The simultaneous logins to me does mean how many total, but it appears that it just means how many of the same username. Still seems fuzzy logic to me though.

I attached the group policy screen from ASDM and a user screen for examples. Can't thank you enough

Mmmm.. you've set it to 1, however, you can still connect 3 users at the same time.

OK, can you share the following info pls:

1) Output of "sh run group-policy "

2) Connect all 3 users, then please share the output of "sh vpn-sessiondb remote"

3) What is the ASA version?

1 -

group-policy XX internal

Thanks... I can see that all users connect to the same group, however, under the group policy attribute itself, I don't see any "vpn-simultaneous-logins" configuration?