How the ASA license is applied

Unanswered Question
Jul 7th, 2010

If you have an ASA with 10 host licenses, and that ASA is a spoke in a LAN-to-LAN VPN, how do hosts that are talking across the VPN count? I know that NAT hosts that want to go to the internet count as a host, and the 11th host will get denied, but not in a very clear way (the connection just kind of hangs, as if it can't find it or that website is down). If a PC on the inside connects to a resource on the other side of the VPN, does that count as a host license as well, or is that different?

I have a 10-user ASA 5505 that has 16 devices behind it (as shown by DHCPD bindings), 7 of which are IP phones that MOST OF THE TIME only talk to the local voice server. However, they sometimes get denied talking across the VPN to other devices, and clearing the VPN and re-establishing it (clear cry isa sa) will usually fix this.

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

JORGE RODRIGUEZ Wed, 07/07/2010 - 13:02

Based on the license specs, I understand that any host destined to talk to the internet VLAN, which is your outside interface where the VPN tunnel terminates, counts toward the host limitation in the 10-user base license. You can issue show local-host on the firewall, which will show per-host TCP/UDP connection counts. You may also use show conn.

See the small print (1) below table A-1:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.html#wpxref1150575

Regards
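The reply above points at show local-host as the place to see which inside hosts are currently occupying one of the 10 licensed slots. The following Python script is an added example, not part of the original thread or of any Cisco tool: it parses the "Inside Hosts" line from show version (the value taken from the post above) together with a constructed show local-host capture, and reports how many inside hosts are active against the limit, which slot holders have no flows at all, and which are busiest. The layout of show local-host it expects (an "Interface <name>: N active, M maximum active, D denied" summary line followed by "local host: <ip>," blocks with TCP/UDP flow counts) is assumed from the 7.x/8.x output style; the IP addresses, flow counts and denied counters in the sample are made up for this example.

```python
import re

# "Inside Hosts" line as shown in the original post's "show version" output.
SAMPLE_SHOW_VERSION = "Inside Hosts                   : 10\n"

# Assumed 7.x/8.x "show local-host" layout: an interface summary line, then
# one "local host: <ip>," block per host with TCP/UDP flow counters.
IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"^local host: <([^>]+)>")
FLOW_RE = re.compile(r"^\s+(TCP|UDP) flow count/limit = (\d+)/")
INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+)", re.M)


def _host_block(ip, tcp, udp):
    """Build one constructed per-host block in the assumed show local-host layout."""
    return (
        f"local host: <{ip}>,\n"
        f"    TCP flow count/limit = {tcp}/unlimited\n"
        f"    TCP embryonic count to host = 0\n"
        f"    TCP intercept watermark = unlimited\n"
        f"    UDP flow count/limit = {udp}/unlimited\n"
    )


# Constructed sample (not a real capture): 10 active inside hosts on a
# 10-host license, i.e. 3 busy PCs plus 7 phones that are idle or nearly
# idle but still hold a slot, with 4 further hosts already denied.
_INSIDE = [("192.168.1.10", 12, 3), ("192.168.1.11", 7, 2), ("192.168.1.12", 4, 1)] + [
    (f"192.168.1.{n}", 0, 1 if n % 2 else 0) for n in range(20, 27)
]
SAMPLE_LOCAL_HOST = (
    "Interface outside: 1 active, 2 maximum active, 0 denied\n"
    + _host_block("203.0.113.5", 1, 0)
    + "Interface inside: 10 active, 10 maximum active, 4 denied\n"
    + "".join(_host_block(*h) for h in _INSIDE)
)


def licensed_inside_hosts(show_version):
    """Return the Inside Hosts limit, or None when the line is absent or Unlimited."""
    m = INSIDE_HOSTS_RE.search(show_version)
    return int(m.group(1)) if m else None


def parse_local_hosts(text):
    """Parse show local-host into per-interface summaries and per-host flow counts."""
    interfaces, hosts, iface = {}, [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            interfaces[iface] = {"active": int(m.group(2)),
                                 "max_active": int(m.group(3)),
                                 "denied": int(m.group(4))}
            continue
        m = HOST_RE.match(line)
        if m:
            # A host block is attributed to the most recent interface header.
            hosts.append({"ip": m.group(1), "interface": iface, "tcp": 0, "udp": 0})
            continue
        m = FLOW_RE.match(line)
        if m and hosts:
            hosts[-1][m.group(1).lower()] = int(m.group(2))
    return interfaces, hosts


def license_report(show_version, local_host_text, inside="inside"):
    """Compare active inside hosts with the licensed limit and rank the slot holders."""
    limit = licensed_inside_hosts(show_version)
    interfaces, hosts = parse_local_hosts(local_host_text)
    inside_hosts = [h for h in hosts if h["interface"] == inside]
    summary = interfaces.get(inside, {"active": len(inside_hosts), "max_active": 0, "denied": 0})
    ranked = sorted(inside_hosts, key=lambda h: h["tcp"] + h["udp"])
    return {
        "limit": limit,
        "active": summary["active"],
        "denied": summary["denied"],
        "at_limit": limit is not None and summary["active"] >= limit,
        # Hosts holding a slot with no flows at all: the first ones to look at
        # (or release with "clear local-host <ip>") when the 11th host hangs.
        "idle": [h["ip"] for h in ranked if h["tcp"] + h["udp"] == 0],
        "busiest": [h["ip"] for h in reversed(ranked)][:3],
    }


if __name__ == "__main__":
    r = license_report(SAMPLE_SHOW_VERSION, SAMPLE_LOCAL_HOST)
    print(f"inside hosts {r['active']}/{r['limit']} licensed, "
          f"{r['denied']} denied, at limit: {r['at_limit']}")
    print("idle slot holders:", r["idle"])
    print("busiest:", r["busiest"])
```

Run against a real device, paste the two command outputs into the sample strings (or read them from files); the only part tied to the constructed data is the host list. If your ASA's show local-host lays out the host blocks differently, adjust the three regexes at the top rather than the reporting logic.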
