
ASA 5505 licensed host limit was exceeded

rmeans
Level 3

I am receiving syslog message 450001 - licensed host limit was exceeded.

From show version on my ASA 5505 (8.0.2), inside hosts are limited to 10. The limit of 10 matches the syslog error limit (10) message.

How is this number of hosts calculated? Show arp indicates 6 addresses attached to the inside interface.

Accepted Solutions

Danilo Dy
VIP Alumni

Hi,

Don't use "show arp", use "show local-host" instead.

Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN).

Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit.

In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

Regards,

Dandy


Thanks, good information.

From my ASA

ciscoasa# show local-host

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 10, towards licensed host limit of: 10

Interface outside: 36 active, 707 maximum active, 7941 denied

Interface inside: 4 active, 10 maximum active, 17720 denied

I only have two interfaces (inside and outside). How can the inside active count be 4 but the current host count be 10? Is there a timeout on the current host count? Outside of using 'clear local-host', how does the host count decrease?

My original problem was that I was exceeding the local host license limit (10). After a TAC case, it was determined that bug ID CSCsk49506 was causing my trouble. I removed the 'same-security-traffic permit intra-interface' command. This solved my trouble. In my research, I believe the license count is calculated with the use of two syslog messages: 609001 (Built local-host) and 609002 (Teardown local-host).
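
Added example (not part of the thread and not Cisco code): a replay of 609001/609002 lines that shows which addresses hold the host count, on the assumption stated in the post above that the count follows those two messages. The log lines are constructed, the names replay, internet_if and limit are illustrative, and the limit is set to 3 only to keep the sample short.

```python
import re

# Documented layout: "<Built|Teardown> local-host <interface>:<address>",
# with a trailing "duration ..." on the teardown message.
EVENT = re.compile(
    r"%ASA-\d-(609001|609002): (?:Built|Teardown) local-host ([^\s:]+):(\S+)")

def replay(lines, internet_if="outside", limit=10):
    """Replay 609001/609002 events and track hosts held on non-Internet interfaces.

    Assumes the count rises on 609001 and falls on 609002, and that hosts on
    the Internet interface are not counted (per the excerpt in the thread).
    """
    active, peak, at_peak, limit_hit = set(), 0, set(), None
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        msg_id, iface, addr = m.groups()
        if iface == internet_if:
            continue  # Internet-side hosts are not counted
        if msg_id == "609001":
            active.add((iface, addr))
        else:
            active.discard((iface, addr))
        if len(active) > peak:
            peak, at_peak = len(active), set(active)
        if limit_hit is None and len(active) >= limit:
            limit_hit = line  # first log line at which the limit was reached
    return {"active": active, "peak": peak, "at_peak": at_peak, "limit_hit": limit_hit}

# Constructed sample log (not from the thread).
SAMPLE = """\
Jan 10 09:00:01 asa %ASA-7-609001: Built local-host inside:192.168.1.10
Jan 10 09:00:02 asa %ASA-7-609001: Built local-host outside:203.0.113.5
Jan 10 09:00:03 asa %ASA-7-609001: Built local-host inside:192.168.1.11
Jan 10 09:00:09 asa %ASA-7-609001: Built local-host inside:192.168.1.12
Jan 10 09:01:30 asa %ASA-7-609002: Teardown local-host inside:192.168.1.10 duration 0:01:29
Jan 10 09:01:31 asa %ASA-7-609002: Teardown local-host outside:203.0.113.5 duration 0:01:29
""".splitlines()

if __name__ == "__main__":
    result = replay(SAMPLE, limit=3)
    print("still active:", sorted(result["active"]))
    print("peak:", result["peak"], sorted(result["at_peak"]))
    print("limit first reached at:", result["limit_hit"])
```

If the replayed count disagrees with the "Current host count" line from show local-host, the counting assumption does not hold on that device and the difference is worth raising with TAC.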

I also had the same issue with v8.4.6.  An upgrade to v9.1.3 solved the issue.  I also was not able to traverse the internal network after making a remote-access VPN connection using Cisco VPN Client.

I am not aware of a bug id for this issue, but moving off of v8.4.6 seemed to fix it right away.

We also just had the same issue with v8.4.6 after the ASA rebooted (although it worked with it before), and indeed an upgrade to v9.1.7 solved the issue in our case.
