ASA 5505 10 user License error

jonny7_2002 · ‎11-02-2010

We have an ASA 5505 with the Base license installed.

The ASA is at the Head Office and has 8 VPN's coming into it from various branch sites.

The local users at the head office use the ASA as the Default Gateway to get onto the internet however every now and then the internet will not work.....

I have narrowed it down to the following syslog error:

Number: 450001

Deny traffic for protocol 6 src inside:192.168.120.105/51689 dst outside:WEBSITEIP, licensed host limit of 10 exceeded

This pertains to the standard 10 user license which is determined by how many inside IP's there are in the Xlate table i believe....please correct me if i am wrong,as i am sure i am...?

Would someone be kind enough to try and help me confirm that all the licenses are in use by advising what commands to use etc.

The commands i know of are below and the output is attached.

'Show version' - Sows me that there are 10 licenses

'show xlate' - Shows the current translation table

'clear xlate' - Clears the translation table which should enable my one test PC through as long as i am quick enough!

I have included the config on the ASA with anything in Italic items that i have removed to keep the informatio private (IP's etc)

Is there any way that i can make sure one particular IP is allowed through everytime?

Is there any command that will tell me what IP addresses are using a license or how many licenses are in use out of the 10?

Thanks in advance for anyone who tried to assist.

Cheers

Jon

Federico Coto Fajardo · ‎11-02-2010

Hi,

You have the ASA 5505 accepting up to 10 VPN peers and with a Base License which means allows up to 10-user Firewall connections through the ASA at the same time.

To check the amount of inside hosts going through the ASA at any given moment use the command ''sh local-host'

You can think of the 10-user connections as 10 local-hosts connections.

Each local-host connection is a combination of IP and TCP/UDP or L4 information for each host.

You can increase the 10-user license by adding either a 50-user license or unlimited user license.

Hope it helps.

Federico.

jonny7_2002 · ‎11-02-2010

Thanks Federico, ill try that the next time it plays up and see how many local hosts there are....

Thanks

Jon

jonny7_2002 · ‎11-04-2010

The problem outlined above is definetly the 10 user license. The problem has occurred this morning and the Show Local-Host confirms the 10 license has been hit.

However.... i have been trying to interpret the output of the Sh local-host command so i can see what connections/IP's are using a license? could anyone assist in this and may point me in the right direction?

I have attached the output with the publi ip's replaced with the word and would just like to know which 10 connections are using a license?

Again, any help would be much apreciated

Regards

Jon

Federico Coto Fajardo · ‎11-04-2010

You can think of a local-host as a combination of layer 3 and layer 4 information where the ASA keeps track of source/destination IP, source/destination ports and protocol used to identify a flow.

In the output you have translations and connections.

Translations are represented in the ASA by XLATEs (layer 3 information)

Connections are represented in the ASA by CONNs (layer 4 information)

Translations represent IP NAT

Connections represent TCP/UDP information.

You can have many connections in a single XLATE, but you cannot have connections without translations (if using NAT).

Federico.

mangesh.shukla · ‎07-30-2015

can anyone tell me how can I increase the license from 10 user to 50 users?

which service sku/Product SKU to be used?