Cisco ASA 5505 License

dharmendra2shah · ‎09-24-2010

All,

We have bought a Cisco ASA 5505 firewall with base license. We are confused about the base license provide for 10 users. I am trying to understand what method Cisco uses to calculate license:

For example there are 3 hosts connected to the inside network of ASA currently: Output below:

Result of the command: "show arp"

inside 130.47.22.3 0012.3f3a.4524 140

inside 130.47.22.6 001e.3732.4fac 438

inside 130.47.22.9 0021.861e.c1b6 465

outside 24.240.94.1 001b.54cb.bed9 2

and non of users are authenticated:

Result of the command: "show uauth"

Current Most Seen

Authenticated Users 0 6

Authen In Progress 0 64

But when we do show local-host we find out that 6 license are already used.

Result of the command: "show local-host"

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.

Current host count: 6, towards licensed host limit of: 10

Interface outside: 5 active, 33 maximum active, 0 denied

Interface inside: 6 active, 8 maximum active, 0 denied

Interface _internal_loopback: 0 active, 2 maximum active, 0 denied

Can you please explain what method Cisco uses to count the number of license?

praprama · ‎09-24-2010

Hi,

What we see in "show local-host" gives the exact picture of what is used to calculate number of inside users. Hope this calrifies it.

Regards,

Prapanch

dharmendra2shah · ‎09-24-2010

Prapanch,

I am interested in knowing the method calculation. On what basis it concludes that 6 licenses are already in use where as only 3 hosts are connected?

Dharmendra

praprama · ‎09-24-2010

Hi,

What do you notice in the output of "show local-host". You should see IP addresses of all 6 inside users that the firewall sees.

Regards,

Prapanch

dharmendra2shah · ‎09-24-2010

Note: I have changed ip addresses for security reasons:

Here is the output of show local-host detail. It is not making sense to me. It says 6 active connections on inside interface where as I only see 1 udp connection.

Result of the command: "show local-host detail"

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 6, towards licensed host limit of: 10

Interface outside: 5 active, 33 maximum active, 0 denied
local host: <172.16.50.80>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

Conn:
UDP outside:172.16.50.80/53 inside:172.16.22.9/53114,
flags -, idle 54s, uptime 54s, timeout 2m0s, bytes 0

Interface inside: 6 active, 8 maximum active, 0 denied
local host: <172.16.22.9>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

Conn:
UDP outside:172.16.50.80/53 inside:172.16.22.9/53114,
flags -, idle 54s, uptime 54s, timeout 2m0s, bytes 0
Interface _internal_loopback: 0 active, 2 maximum active, 0 denied

Jennifer Halim · ‎09-24-2010

Hi Dharmendra,

Please ignore my previous post as the behaviour seems to have changed.

Here is the correct behaviour as per syslog# 407001:

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html#wp4773013

Hope that helps.

dharmendra2shah · ‎09-27-2010

Thanks Jennifer, do you know if Cisco have documented this fact anywhere in their support document pages? If you have the url it will be very helpful.

Thanks, Dharmendra