Cisco Support Community

New Member

licensed host limit of 10 exceeded!?!

ASA5505 8.0(2) with standard license.

1 server

1 SSL VPN AnyConnect client

1 outside interface

Since my SSL VPN client sets the default route, I thought I'd try to reach the internet via my ASA.

"Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded"

10.200.0.10 being my SSL VPN client.

I understand how (outside vpn) -> (outside) NAT might be a problem but why is the license check being triggered?

Any ideas on how to get SSL VPN NAT'ed to outside?

TIA

5 REPLIES

Re: licensed host limit of 10 exceeded!?!

You would need at least to upgrade your license to break the 10 users limitation with ASA5505-50-BUN-K9. Outbound vpn/ssl is within the 10 user license limitation. How many concurrent users/connections do you have?

Refer to this link for detailed information. http://www.cisco.com/en/US/products/ps6120/prod_brochure0900aecd80402e36.html

Pls rate any helpful posts !

HTH

Jorge

New Member

licensed host limit of 10 exceeded!?!

Thanks for that slick Jorge.

Cisco Employee

Re: licensed host limit of 10 exceeded!?!

Do a 'show ver' and see what your webvpn peers license is.

If you do a 'show vpn-sessiondb summary' you can see how many sessions are currently in use for sslvpn and whether that exceeds the webvpn peers line in your 'show ver'

--Jason

New Member

Re: licensed host limit of 10 exceeded!?!

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

Advanced Endpoint Assessment : Disabled

This platform has a Base license.

...

Active Session Summary

Sessions:

Active : Cumulative : Peak Concurrent

SSL VPN : 1 : 22 : 2

Clientless only : 0 : 10 : 2

With client : 1 : 12 : 1

Email Proxy : 0 : 0 : 0

IPsec LAN-to-LAN : 0 : 0 : 0

IPsec Remote Access : 0 : 0 : 0

Totals : 1 : 22

License Information:

IPsec : 10 Configured : 10 Active : 0 Load : 0%

SSL VPN : 2 Configured : 2 Active : 1 Load : 50%

Total : 12 Configured : 12 Active : 1 Load : 8%

Active : Cumulative : Peak Concurrent

IPsec : 0 : 0 : 0

SSL VPN : 1 : 22 : 2

Totals : 1 : 22

Tunnels:

Active : Cumulative : Peak Concurrent

Clientless : 1 : 22 : 2

SSL-Tunnel : 1 : 14 : 1

DTLS-Tunnel : 0 : 2 : 1

Totals : 2 : 38

Active NAC Sessions:

No NAC sessions to display

Active VLAN Mapping Sessions:

No VLAN Mapping sessions to display

...

Only me, myself and I on this box so the license should be sufficient.

I get this rejection when I try to reach an IP beyond the default gw of my ASA from my AnyConnect client.

However, if I try to reach something on the outside subnet it will send on the outside interface but without NAT'ing the source address (see attached capture).

Cisco Employee

Re: licensed host limit of 10 exceeded!?!

Hello,

The problem is that you have a restricted license that says only 10 users (read, 10 IP addresses with packets going to/from them at a time on the highest security level interface). It's not a VPN license issue - you'll have to get a new license if you want to reach more than 10 machines on the inside of your network.
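
For triage, the deny message quoted in the first post can be summarized per source host to show who is being refused under the host limit and whether the traffic enters and leaves on the same interface, as the VPN client's does. This is an added example, not part of the thread: the regex is built only from the one message quoted above, the first sample line is that message, and the other log lines are constructed.

```python
import re
from collections import defaultdict

# Pattern derived from the single deny message quoted in the thread (assumption:
# other occurrences follow the same layout).
DENY_RE = re.compile(
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

# Constructed sample: line 1 is the message from the thread, the rest are made up.
SAMPLE_LOG = """\
Deny traffic for protocol 6 src outside:10.200.0.10/2489 dst outside:87.248.113.14/80, licensed host limit of 10 exceeded
Deny traffic for protocol 6 src outside:10.200.0.10/2490 dst outside:192.0.2.25/443, licensed host limit of 10 exceeded
Deny traffic for protocol 17 src inside:192.168.1.23/53011 dst outside:198.51.100.7/53, licensed host limit of 10 exceeded
Built outbound TCP connection 101 for outside:203.0.113.9/80 to inside:192.168.1.5/1025
"""


def summarize_host_limit_denies(log_text):
    """Group host-limit denies by (source interface, source IP)."""
    by_src = defaultdict(
        lambda: {"count": 0, "dsts": set(), "same_if": False, "limit": None}
    )
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        entry = by_src[(m["src_if"], m["src_ip"])]
        entry["count"] += 1
        entry["dsts"].add(m["dst_ip"])
        entry["limit"] = int(m["limit"])
        # Same ingress and egress interface: the outside -> outside case in the thread.
        if m["src_if"] == m["dst_if"]:
            entry["same_if"] = True
    return dict(by_src)


if __name__ == "__main__":
    for (iface, ip), e in sorted(summarize_host_limit_denies(SAMPLE_LOG).items()):
        kind = "same interface in/out" if e["same_if"] else "routed between interfaces"
        print(f"{iface}:{ip} denied {e['count']}x to {len(e['dsts'])} dst(s), "
              f"limit {e['limit']}, {kind}")
```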
