ASA 5505 licensed host limit was exceeded

Answered Question
Oct 2nd, 2007

I am receiving syslog message 450001 - licensed host limit was exceeded.

From show version on my ASA 5505 (8.0.2), inside hosts are limited to 10. The limit of 10 matches the syslog error limit (10) message.

How is this number of hosts calculated? Show arp indicates 6 addresses attached to the inside interface.

Correct Answer
Danilo Dy Wed, 10/03/2007 - 06:02

Hi,

Don't use "show arp", use "show local-host" instead.

Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit.

In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

Regards,

Dandy

rmeans Wed, 10/03/2007 - 06:24

Thanks, good information.

From my ASA

ciscoasa# show local-host

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 10, towards licensed host limit of: 10

Interface outside: 36 active, 707 maximum active, 7941 denied

Interface inside: 4 active, 10 maximum active, 17720 denied

I only have two interfaces (inside and outside). How can the inside active count be 4 but the current host count be 10? Is there a timeout on the current host count? Outside of using 'clear local-host', how does the host count decrease?

rmeans Wed, 10/17/2007 - 06:21

My original problem was that I was exceeding the local host license limit (10). After a TAC case, it was determined that bug ID CSCsk49506 was causing my trouble. I removed the 'same-security-traffic permit intra-interface' command. This solved my trouble. In my research, I believe the license count is calculated with the use of two syslog messages: 609001 (Built local-host) and 609002 (Teardown local-host).
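
An added example, not part of the thread and not Cisco's code: following the mention of syslog 609001, 609002 and 450001 above, this Python script replays those messages to rebuild the local-host table per interface, excluding the Internet interface as the quoted excerpt describes, so the result can be compared with `show local-host`. The message layouts, the sample lines and the `replay` function name are assumptions, and the replayed table only approximates the ASA's own license counter.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). The 609001 / 609002 / 450001
# message layouts used here are an assumption about the ASA syslog text.
SAMPLE_LOG = """\
Oct 03 2007 06:30:01: %ASA-7-609001: Built local-host inside:192.168.1.10
Oct 03 2007 06:30:02: %ASA-7-609001: Built local-host outside:198.51.100.7
Oct 03 2007 06:30:05: %ASA-7-609001: Built local-host inside:192.168.1.11
Oct 03 2007 06:30:09: %ASA-7-609001: Built local-host inside:192.168.1.12
Oct 03 2007 06:31:00: %ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.1.13/1045 dst outside:198.51.100.7/80, licensed host limit of 3 exceeded.
Oct 03 2007 06:32:10: %ASA-7-609002: Teardown local-host inside:192.168.1.10 duration 0:02:09
Oct 03 2007 06:32:11: %ASA-7-609001: Built local-host inside:192.168.1.13
"""

EVENT = re.compile(r"%ASA-\d-(609001|609002): (?:Built|Teardown) local-host (\S+?):(\S+)")
DENY = re.compile(r"%ASA-\d-450001: .*? src (\S+?):([\d.]+)/\d+ .*licensed host limit of (\d+) exceeded")

def replay(log, internet_if="outside"):
    """Rebuild the local-host table from syslog and tally 450001 denies."""
    active = defaultdict(set)   # interface -> IPs with a live local-host entry
    denied = defaultdict(int)   # source IP -> number of 450001 denies
    peak, limit = 0, None
    for line in log.splitlines():
        m = EVENT.search(line)
        if m:
            msg, iface, ip = m.groups()
            if msg == "609001":
                active[iface].add(ip)
            else:
                active[iface].discard(ip)
            # Hosts behind the Internet interface do not count towards the limit.
            counted = sum(len(v) for k, v in active.items() if k != internet_if)
            peak = max(peak, counted)
            continue
        m = DENY.search(line)
        if m:
            denied[m.group(2)] += 1
            limit = int(m.group(3))   # limit as reported by the ASA itself
    current = {k: sorted(v) for k, v in active.items() if k != internet_if and v}
    return {"current": current, "peak": peak, "limit": limit, "denied": dict(denied)}

if __name__ == "__main__":
    report = replay(SAMPLE_LOG)
    for iface, hosts in report["current"].items():
        print(f"{iface}: {len(hosts)} active local-hosts {hosts}")
    print(f"peak counted hosts: {report['peak']}, licensed limit seen: {report['limit']}")
    print(f"sources denied by 450001: {report['denied']}")
```

A gap between the replayed count and the "Current host count" line in `show local-host` points to entries that were built without a matching teardown.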

cooperben Fri, 05/24/2013 - 09:13

I also had the same issue with v8.4.6.  An upgrade to v9.1.3 solved the issue.  I also was not able to traverse the internal network after making a remote-access VPN connection using Cisco VPN Client.

I am not aware of a bug id for this issue, but moving off of v8.4.6 seemed to fix it right away.

This Discussion

Posted October 2, 2007 at 9:36 AM