licensed host limit of 10 exceeded!?!

Unanswered Question
Nov 23rd, 2007

ASA5505 8.0(2) with standard license.

1 server

1 SSL VPN AnyConnect client

1 outside interface

Since my SSL VPN client sets the default route, I thought I'd try to reach the internet via my ASA.

"Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded"

10.200.0.10 being my SSL VPN client.

I understand how (outside vpn) -> (outside) NAT might be a problem but why is the license check being triggered?

Any ideas on how to get SSL VPN NAT'ed to outside?

TIA

Jason Gervia Mon, 12/03/2007 - 14:18

Do a 'show ver' and see what your webvpn peers license is.

If you do a 'show vpn-sessiondb summary' you can see how many sessions are currently in use for sslvpn and whether that exceeds the webvpn peers line in your 'show ver'.

--Jason

etxsthl100761 Tue, 12/04/2007 - 03:42

Licensed features for this platform:
  Maximum Physical Interfaces  : 8
  VLANs                        : 3, DMZ Restricted
  Inside Hosts                 : 10
  Failover                     : Disabled
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  VPN Peers                    : 10
  WebVPN Peers                 : 2
  Dual ISPs                    : Disabled
  VLAN Trunk Ports             : 0
  Advanced Endpoint Assessment : Disabled

This platform has a Base license.

...

Active Session Summary

Sessions:
                         Active : Cumulative : Peak Concurrent
  SSL VPN              :      1 :         22 :               2
    Clientless only    :      0 :         10 :               2
    With client        :      1 :         12 :               1
  Email Proxy          :      0 :          0 :               0
  IPsec LAN-to-LAN     :      0 :          0 :               0
  IPsec Remote Access  :      0 :          0 :               0
  Totals               :      1 :         22

License Information:
  IPsec    : 10   Configured : 10   Active : 0   Load : 0%
  SSL VPN  :  2   Configured :  2   Active : 1   Load : 50%
  Total    : 12   Configured : 12   Active : 1   Load : 8%

                         Active : Cumulative : Peak Concurrent
  IPsec                :      0 :          0 :               0
  SSL VPN              :      1 :         22 :               2
  Totals               :      1 :         22

Tunnels:
                         Active : Cumulative : Peak Concurrent
  Clientless           :      1 :         22 :               2
  SSL-Tunnel           :      1 :         14 :               1
  DTLS-Tunnel          :      0 :          2 :               1
  Totals               :      2 :         38

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

...

Only me, myself and I on this box, so the license should be sufficient.

I get this rejection when I try to reach an IP beyond the default gw of my ASA from my AnyConnect client.

However, if I try to reach something on the outside subnet it will send on the outside interface but without NAT'ing the source address (see attached capture).

Jason Gervia Mon, 12/10/2007 - 11:34

Hello,

The problem is that you have a restricted license that says only 10 users (read, 10 IP addresses with packets going to/from them at a time on the highest security level interface). It's not a VPN license issue - you'll have to get a new license if you want to reach more than 10 machines on the inside of your network.
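Jason's explanation above is that the deny message is the Base license's inside-host count being hit, not a VPN peer limit. The script below is an added example (not from this thread or from Cisco) showing how an administrator can confirm that from syslog rather than from a single captured line: it parses every "licensed host limit ... exceeded" message, counts how many distinct source addresses are being refused against the stated limit, and flags flows whose source and destination interface are the same, which is the outside-to-outside hairpin the AnyConnect client in the thread produces. The sample log is constructed here; its first line reproduces the message quoted in the question, the other lines are made up, and the %ASA-4-450001 / %ASA-6-302013 message-ID prefixes are an assumption about the ASA syslog format, not something the thread shows.

```python
import re
from collections import Counter

# Constructed sample log excerpt. Line 1 reproduces the deny message quoted in the
# thread; the remaining lines are made up here to show a second denied host and an
# unrelated message that the parser must skip. The %ASA-4-450001 / %ASA-6-302013
# prefixes are an assumption about the ASA syslog format, not taken from the thread.
SAMPLE_LOG = """\
%ASA-4-450001: Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded
%ASA-4-450001: Deny traffic for protocol 6 src outside:10.200.0.10/2490 dst outside:87.248.113.14/443, licensed host limit of 10 exceeded
%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.1.25/53412 dst outside:198.51.100.53/53, licensed host limit of 10 exceeded
%ASA-6-302013: Built outbound TCP connection 4711 for outside:87.248.113.14/80 (87.248.113.14/80) to inside:192.168.1.10/4000 (203.0.113.5/4000)
"""

# Matches the body of the host-limit deny message as quoted in the thread.
DENY_RE = re.compile(
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_host_limit_denies(log_text):
    """Return one dict per 'licensed host limit ... exceeded' message in log_text.

    Lines that do not match (any other ASA message) are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("proto", "src_port", "dst_port", "limit"):
            ev[key] = int(ev[key])
        ev["proto_name"] = PROTO_NAMES.get(ev["proto"], str(ev["proto"]))
        events.append(ev)
    return events


def summarize(events):
    """Count distinct source hosts being refused and flag hairpinned flows.

    A flow whose source and destination interface are the same (outside -> outside,
    as in the thread) is a VPN client being turned back out the interface it came
    in on; those hosts count against the inside-host license just like LAN hosts.
    """
    hosts = Counter(ev["src_ip"] for ev in events)
    hairpin = sum(1 for ev in events if ev["src_if"] == ev["dst_if"])
    limits = {ev["limit"] for ev in events}
    return {
        "limit": max(limits) if limits else None,
        "hosts": dict(hosts),
        "distinct_hosts": len(hosts),
        "hairpin_denies": hairpin,
        "denies": len(events),
    }


def report(log_text):
    """Render a short plain-text summary suitable for a shift handover note."""
    summary = summarize(parse_host_limit_denies(log_text))
    lines = [
        f"licensed host limit: {summary['limit']}",
        f"denies: {summary['denies']} "
        f"({summary['hairpin_denies']} hairpinned, same src/dst interface)",
        f"distinct source hosts denied: {summary['distinct_hosts']}",
    ]
    for ip, n in sorted(summary["hosts"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real syslog export in place of SAMPLE_LOG: if the distinct-host count sits at or near the "Inside Hosts" value from 'show ver' while 'show vpn-sessiondb summary' shows SSL VPN load well under 100%, the evidence points at the host license, exactly as the last reply says, and the hairpin count tells you how much of that is VPN clients being routed back out the outside interface.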
