licensed host limit of 10 exceeded!?!

etxsthl100761
Level 1

ASA5505 8.0(2) with standard license.

1 server

1 SSL VPN AnyConnect client

1 outside interface

Since my SSL VPN client sets the default route, I thought I'd try to reach the Internet via my ASA.

"Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded"

10.200.0.10 being my SSL VPN client.

I understand how (outside vpn) -> (outside) NAT might be a problem but why is the license check being triggered?

Any ideas on how to get SSL VPN NAT'ed to outside?

TIA

5 Replies

JORGE RODRIGUEZ
Level 10

You would need at least to upgrade your license to break the 10 users limitation with ASA5505-50-BUN-K9. Outbound vpn/ssl is within the 10 user license limitation. How many concurrent users/connections do you have?

Refer to this link for detailed information: http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html

Pls rate any helpful posts !

HTH

Jorge

Jorge Rodriguez

Thanks for that slick Jorge.

Jason Gervia
Cisco Employee

Do a 'show ver' and see what your webvpn peers license is.

If you do a 'show vpn-sessiondb summary' you can see how many sessions are currently in use for sslvpn and whether that exceeds the webvpn peers line in your 'show ver'.

--Jason

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    Advanced Endpoint Assessment : Disabled
    This platform has a Base license.

...

    Active Session Summary
    Sessions:
    Active : Cumulative : Peak Concurrent
    SSL VPN : 1 : 22 : 2
    Clientless only : 0 : 10 : 2
    With client : 1 : 12 : 1
    Email Proxy : 0 : 0 : 0
    IPsec LAN-to-LAN : 0 : 0 : 0
    IPsec Remote Access : 0 : 0 : 0
    Totals : 1 : 22
    License Information:
    IPsec : 10 Configured : 10 Active : 0 Load : 0%
    SSL VPN : 2 Configured : 2 Active : 1 Load : 50%
    Total : 12 Configured : 12 Active : 1 Load : 8%
    Active : Cumulative : Peak Concurrent
    IPsec : 0 : 0 : 0
    SSL VPN : 1 : 22 : 2
    Totals : 1 : 22
    Tunnels:
    Active : Cumulative : Peak Concurrent
    Clientless : 1 : 22 : 2
    SSL-Tunnel : 1 : 14 : 1
    DTLS-Tunnel : 0 : 2 : 1
    Totals : 2 : 38
    Active NAC Sessions:
    No NAC sessions to display
    Active VLAN Mapping Sessions:
    No VLAN Mapping sessions to display

...

Only me, myself and I on this box so the license should be sufficient.

I get this rejection when I try to reach an IP beyond the default gw of my ASA from my AnyConnect client.

However, if I try to reach something on the outside subnet it will send on the outside interface but without NAT'ing the source address (see attached capture).

Hello,

The problem is that you have a restricted license that says only 10 users (read, 10 IP addresses with packets going to/from them at a time on the highest security level interface). It's not a VPN license issue - you'll have to get a new license if you want to reach more than 10 machines on the inside of your network.
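The comparison suggested earlier in the thread ('show ver' against 'show vpn-sessiondb summary'), combined with the deny message, as an added example that is not code from any poster or from Cisco. It assumes the outputs in the whitespace-collapsed form pasted above, treats the first number on each "License Information" line as the licensed maximum, and all function names are hypothetical.

```python
import re

# Sample text copied from the outputs and the log line quoted in this thread.
SHOW_VER = """\
Inside Hosts : 10
VPN Peers : 10
WebVPN Peers : 2
"""
SESSION_SUMMARY = """\
IPsec : 10 Configured : 10 Active : 0 Load : 0%
SSL VPN : 2 Configured : 2 Active : 1 Load : 50%
"""
DENY_LOG = ("Deny traffic for protocol 6 src outside:10.200.0.10/2489 "
            "dst outside:87.248.113.14/80, licensed host limit of 10 exceeded")

def parse_licenses(show_ver):
    """Return {feature: int} for the numeric rows of the licensed-features list."""
    out = {}
    for line in show_ver.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\b", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def parse_vpn_usage(summary):
    """Return {type: (licensed, active)} from the 'License Information' rows."""
    pat = re.compile(
        r"\s*(.+?)\s*:\s*(\d+)\s+Configured\s*:\s*\d+\s+Active\s*:\s*(\d+)")
    usage = {}
    for line in summary.splitlines():
        m = pat.match(line)
        if m:
            usage[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return usage

def diagnose(show_ver, summary, log_line):
    """Separate VPN session-license exhaustion from the inside-host limit."""
    lic = parse_licenses(show_ver)
    headroom = {k: mx - act for k, (mx, act) in parse_vpn_usage(summary).items()}
    m = re.search(r"licensed host limit of (\d+) exceeded", log_line)
    return {
        "vpn_headroom": headroom,  # free sessions per VPN type
        "vpn_exhausted": [k for k, v in headroom.items() if v <= 0],
        # The deny names the host limit; confirm it matches the Inside Hosts row.
        "host_limit_hit": bool(m) and int(m.group(1)) == lic.get("Inside Hosts"),
    }

if __name__ == "__main__":
    print(diagnose(SHOW_VER, SESSION_SUMMARY, DENY_LOG))
```

Matching on the number alone would be ambiguous here, since both "Inside Hosts" and "VPN Peers" are 10; the wording of the deny message is what ties it to the host license.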
