ASA5505 licensed host limit of 10 exceeded

louisrbli1
Level 1

Oct 17 2014 08:25:02 450001 199.255.120.168 Deny traffic for protocol 17 src inside:192.168.3.18/5077 dst outside:199.255.120.168/5090, licensed host limit of 10 exceeded.

Can anyone give me some hints on why my ASA5505 suddenly started to deny traffic due to "licensed host limit of 10 exceeded"?

I have a small branch office where the ASA5505 connects to 6 VOIP phones, about 6 computers, 1 network printer, and 1 wireless router extension access point. It never had the error message before. A few days ago, a staff member inadvertently unplugged a CAT5 cable and may have switched around some more cables. I have a feeling I got this problem because of using the wrong ports? We only have one subnet 192.168.3.1/24, ASA to ASA VPN, and some devices on a static IP address, i.e. 192.168.3.99. Thanks for any help!

3 Replies

Dan Lukes
VIP Alumni

Wrong community forum for such kind of question. This forum is dedicated to discussion about the Cisco Support Community itself.

Delete the thread here and create a discussion in a more appropriate forum. Your chance to receive a valuable reply will be much higher.

But there are 253 IP addresses within the 192.168.3.1/24 subnet. If a device is using more than one address (for example because it's infected by some kind of DoS virus) the limit of 10 can be exceeded easily. Also a broken network topology (you mentioned the cable puzzle) may cause it.

But I'm no expert for the ASA5505 - ask the experts in the related forum.

[ 6.11.2014 ] The thread has been moved to a more appropriate forum, so the "wrong forum" notices are no longer meaningful.

Many thanks, Dan. I am enrolling in a Cisco support contract as I type, but I am desperate for a solution. Obviously I am a newbie here... Thanks for your pointers so far.

Hi,

So it seems you have a Base License ASA5505 unit. This allows 10 unique hosts behind the internal interface.

You can check the licensed limits on your ASA with the following command:

show version

From your original post it seems you have the LAN network directly connected to your ASA (meaning that you have no router between the users and the ASA). Considering this, you should see all the internal hosts on your network on the ASA with the following command:

show arp

This shows the ARP table, which includes the IP/MAC pairs of the hosts behind the ASA (at least those that have had any traffic forwarded to them or from them).

By your above description you already have over 10 devices that you need in your network. I mean, for example, the 6 PCs and 6 VOIP phones, and if all of these connect to the external network at the same time some of them are bound to get blocked, as you are going over the supported 10 user limit.

If there have not been any problems so far with this amount of devices, then it almost seems that many of the devices have not been used at the same time, or perhaps, as you say you have some internal wireless router, it might be possible that some devices have been connected to this wireless router and the wireless router has done NAT for the devices behind it, which would make them visible from a single IP address towards the ASA, and therefore the ASA would not have reached the 10 client/user limit behind it. Perhaps you have some internal switch that was previously connected to the wireless router and is now connected directly to the ASA or somehow past the wireless router.

So I would suggest that you start by checking how many devices are visible on your ASA at the moment with the "show arp" command. I would then suggest that you check the configuration of the wireless router. Does it have any NAT configuration that would mean that if you connected a host behind it, it would be NATed when connecting towards the ASA/external network? As I said before, you are already going past the licensed ASA host limit with the PCs/phones, so your quick fix for the situation, to my understanding, would be to have some device behind the ASA (on the internal network) perform NAT for the devices so they would be visible from a single IP address to the ASA and therefore not cause the licensed limit to be reached. Perhaps it might be possible to connect either the PCs or the phones behind a device doing NAT? Not really an ideal solution, but rather a quick temporary fix.

Hope I made any sense :)

- Jouni
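As an added example (not part of this thread and not Cisco tooling), the Python script below does the two checks Jouni describes offline against captured CLI output: it reads the "Inside Hosts" line from show version, counts the unique IP addresses per interface in show arp, and reports how far over the licensed limit the inside network is. It also flags any MAC address that appears with more than one IP address, which is the "one device using several addresses" case Dan raised. The sample output embedded in the script is constructed to resemble ASA output and is not from the poster's unit; the script assumes show arp lines have the form "interface ip mac age" and that the licence line is labelled "Inside Hosts".

```python
"""Check an ASA 5505 Base-licence host count from captured `show version`
and `show arp` output. Sample output below is constructed, not real."""
import re
from collections import defaultdict

# Constructed sample of the licence section of `show version`.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
"""

# Constructed sample of `show arp`: interface, IP, MAC, age in seconds.
# One MAC (001a.2b3c.4d05) deliberately appears with two IP addresses.
SHOW_ARP = """\
        inside 192.168.3.18 001a.2b3c.4d01 42
        inside 192.168.3.19 001a.2b3c.4d02 101
        inside 192.168.3.20 001a.2b3c.4d03 7
        inside 192.168.3.21 001a.2b3c.4d04 310
        inside 192.168.3.30 001a.2b3c.4d05 12
        inside 192.168.3.31 001a.2b3c.4d05 15
        inside 192.168.3.40 001a.2b3c.4d06 88
        inside 192.168.3.41 001a.2b3c.4d07 203
        inside 192.168.3.42 001a.2b3c.4d08 9
        inside 192.168.3.43 001a.2b3c.4d09 55
        inside 192.168.3.99 001a.2b3c.4d0a 600
        inside 192.168.3.100 001a.2b3c.4d0b 33
        outside 199.255.120.1 0000.0c07.ac01 3
"""

# Assumed line layout: <interface> <ipv4> <xxxx.xxxx.xxxx> <age|->
ARP_RE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+|-)\s*$",
    re.IGNORECASE,
)
LIMIT_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+|Unlimited)", re.MULTILINE)


def parse_inside_host_limit(show_version: str):
    """Return the licensed inside-host limit, or None if unlimited/absent."""
    m = LIMIT_RE.search(show_version)
    if not m or m.group(1).lower() == "unlimited":
        return None
    return int(m.group(1))


def parse_arp(show_arp: str):
    """Return (interface, ip, mac) tuples; lines that do not parse are skipped."""
    entries = []
    for line in show_arp.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def assess(show_version: str, show_arp: str, interface: str = "inside"):
    """Compare unique IPs seen on `interface` against the licensed limit and
    list MACs that own more than one IP (possible misbehaving host)."""
    limit = parse_inside_host_limit(show_version)
    entries = [e for e in parse_arp(show_arp) if e[0] == interface]
    ips = {ip for _, ip, _ in entries}
    by_mac = defaultdict(set)
    for _, ip, mac in entries:
        by_mac[mac].add(ip)
    multi = {mac: sorted(v) for mac, v in by_mac.items() if len(v) > 1}
    over = None if limit is None else max(0, len(ips) - limit)
    return {"limit": limit, "hosts": len(ips), "over_by": over,
            "multi_ip_macs": multi}


if __name__ == "__main__":
    report = assess(SHOW_VERSION, SHOW_ARP)
    print(f"licensed inside hosts: {report['limit']}")
    print(f"unique inside IPs in ARP: {report['hosts']} (over by {report['over_by']})")
    for mac, ips in report["multi_ip_macs"].items():
        print(f"MAC {mac} seen with several IPs: {', '.join(ips)}")
```

To use it on a real unit, paste the output of the two commands into the two string constants (or read them from files). A host count above the limit explains the 450001 denials on its own; a single MAC with several IPs points at the kind of misbehaving or misconfigured device Dan describes and is worth checking before changing the topology.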
