Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

Hi all,

I got an ASA5520 with a CSC-SSM-10 (100 nodes) in use. There are about 200 host behind.

What happen, when the node license will be overrun. E.g. all 200 hosts are connecting through the firewall/contentfilter

at the same time?

Thanks,

Norbert

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

You can issue "sh csc node-count" on the ASA CLI.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html#wp1362072

License upgrade notice Error Message license-upgrade-notice: Your daily node counts (daily_count) has
exceeded your licensed seats (seats) by offset. Please upgrade your license.
Example:
License-upgrade-notice: Your daily node counts (300) has exceeded your licensed seats (100) by 200. Please upgrade your license.
Explanation    This system log message is generated when CSC SSM detects more nodes connected to the CSC SSM than are specified in the current license. In addition to this message, a notification e-mail is sent to the administrator.
•    daily_count—The daily node count that has connected to the CSC SSM •    seats—The number of seats of the CSC SSM license •    offset—The daily count minus the number of seats
Recommended Action    Contact Cisco for a license upgrade.

You can read the above in the csc module admin guide here: http://www.cisco.com/en/US/docs/security/csc/csc62/administration/guide/cscbook.pdf

-KS

5 REPLIES
Cisco Employee

Re: Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

You can issue "sh csc node-count" on the ASA CLI.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html#wp1362072

License upgrade notice Error Message license-upgrade-notice: Your daily node counts (daily_count) has
exceeded your licensed seats (seats) by offset. Please upgrade your license.
Example:
License-upgrade-notice: Your daily node counts (300) has exceeded your licensed seats (100) by 200. Please upgrade your license.
Explanation    This system log message is generated when CSC SSM detects more nodes connected to the CSC SSM than are specified in the current license. In addition to this message, a notification e-mail is sent to the administrator.
•    daily_count—The daily node count that has connected to the CSC SSM •    seats—The number of seats of the CSC SSM license •    offset—The daily count minus the number of seats
Recommended Action    Contact Cisco for a license upgrade.

You can read the above in the csc module admin guide here: http://www.cisco.com/en/US/docs/security/csc/csc62/administration/guide/cscbook.pdf

-KS

Community Member

Re: Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

Those are concurrent license, aren't they?

Cisco Employee

Re: Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

sh csc node-count - That is a dialy node count over a 24 hour period.

daily_count—The daily node count that has connected to the CSC SSM •

Check the CSC module sizing guide for concurrent connection limits:

http://cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.html

-KS

Community Member

Re: Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

Hello,

What will happens with traffic from nodes that are overrun allowed license.

Will this traffic blocked, or just it will not be scaned by CSC module?

Thank you in advance.

with best regards,

D

Community Member

Overrun nodes license CSC-SSM-10 (100 nodes) ASA5520

Even after the license violation the traffic for all the users will be scanned by the module.

Despite the error message that you are seeing, the CSC will not drop connections due strictly to license violations. It is only a warning at this point. With a high number of nodes, it is likely that you are overwhelming the CSC processing capacity. If the users are overly aggressive in their connections, they can easily max out the capacity.

For the CSC SSM user license, 1 user = 1 IP address. The IP is counted by the ASA itself, not by the CSC.

Puneet

1812
Views
5
Helpful
5
Replies
CreatePlease to create content