Deny traffic for protocol 17 src inside:192.168.3.18/5077 dst outside:220.127.116.11/5090, licensed host limit of 10 exceeded.
Can anyone give me some hints how my ASA5505 suddenly starts to deny traffic due to "licensed host limit of 10 exceeded"?
I have a small branch office where the ASA5505 connects to a 6 VOIP phones and about 6 computers, 1 network printer, and 1 wireless router extension access point. It never had the error message before. A few days ago, a staff inadvertently unplugged a CAT5 cable and may have switched around some more cables. I have a feeling I got this problem because of using the wrong ports? We only have one subnet 192.168.3.1/24, ASA to ASA VPN, and some devices on a static IP address, i.e. 192.168.3.99. Thanks for any help!
Wrong community forum for such kind of question. This forum is dedicated to discussion about Cisco Support Community itself.
Delete thread here and create discussion in more appropriate forum. Your chance to receive valuable reply will be much higher.
But there is 253 IP addresses within 192.168.3.1/24 subnet. If a device is using more than one address (for example because it's infected by some kind of DoS virus) the limit of 10 can be exceeded easily. Also broken network topology (you mentioned cable's puzzle) may cause it.
But I'm no expert for ASA5505 - ask experts in related forum.
[ 6.11.2014 ] thread has been moved to more appropriate forum, so "wrong forum" notices are no longer meaningful
So it seems you have a Base License ASA5505 unit. This allows 10 unique hosts behind the internal interface.
You can check the licensed limits on your ASA with the following command
From your original post it seems you have the LAN network directly connected to your ASA (meaning that you have no router between the users and the ASA). Considering this you should see all the internal hosts on your network on the ASA with the following command
This shows the ARP table which includes the IP/MAC pairs of the hosts behind the ASA (that have had any traffic forward to them or from them atleast).
By your above description you already have over 10 devices that you need in your network. I mean for example the 6 PCs and 6 VOIP Phones and if all of these connect to the external network at the same time some of them are bound to get blocked as you are going over the supported 10 user limit.
If there has not been any problems so far with this amount of devices then it almost seems that many of the devices have not been use at the same time or perhaps as you say you have some internal wireless router it might be possible that some devices have been connected to this wireless router and the wireless router has done NAT for these devices behind which would make them visible from single IP address towards the ASA and therefore the ASA would have not reached the 10 client/user limit behind it. Perhaps you have some internal switch that was previously connected to the wireless router and its now connected directly to the ASA or somehow past the wireless router.
So I would suggest that you start by checking how many devices are visible on your ASA at the moment with the "show arp" command. I would then suggest that you check the configurations of the wireless router. Does it have any NAT configuration that would mean if you connected a host behind it that it would be NATed when connection towards the ASA/external network? As I said before, you are already going past the licensed ASA host limit with the PCs/Phones so your quick fix for the situation to my understanding would be to have some device behind the ASA (on the internal network) to perform NAT for the devices so they would be visible from a single IP address to the ASA and therefore not cause the licensed limit to be reached. Perhaps it might be possible to connect the either the PCs or phones behind a device doing NAT? Not really an ideal solution but rather a quick temporary fix.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...