Apologies if this is a simple question; I'm new to Cisco tech. The basic situation is that I have 3 remote workers all wishing to connect to the VPN (using AnyConnect), but only one connection is allowed by the ASA5500 at any time... all other connections drop as soon as a new one is established. Is this by design and the ASA blocks any concurrent SSL VPN connections from the same external IP, or is this something I've unknowingly set up myself when creating the AnyConnect Connection Profile?
Help/advice much appreciated.
Is your ASA licensed to do SSL VPN? A default ASA is only licensed for 2 SSL VPN sessions at a time.
Sent from Cisco Technical Support iPhone App
I agree with Bart that it sounds like it is an issue with the licensing for SSL VPN (which is AnyConnect).
If Tom is quite new to Cisco tech he may not be sure where to find the answer to Bart's question. If Tom will execute the command show version on the ASA and then post the output it will include what we need to see.
By default, the ASA comes with two Premium peers.
This allows you to have up to two simultaneous SSL VPN connections (WebVPN or AnyConnect) at any time.
Please share the "show version" (remove any confidential information like the serial number, hostname and activation-key); just include the licensing information.
We may be able to give you a better feedback based on that output.
Thanks for the speedy reply:
Result of the command: "show version"
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 50
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
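Checking the licence line is the first step the thread asks for, and it is easy to get wrong by eye when the "show version" output is long. The following is an added example (not code from the thread or from Cisco) that parses the "Licensed features" block into a dictionary and answers the specific question asked here: is the SSL VPN peer count low enough to explain sessions being refused? The sample input is the licence block posted above; the function names are the example's own.

```python
import re

# Constructed sample: the licence block exactly as posted in the thread.
SHOW_VERSION_SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 50
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
"""

# "Feature name : value" lines; names may contain spaces, hyphens and slashes.
FEATURE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9/ \-]+?)\s*:\s*(?P<value>.+?)\s*$")
PLATFORM_RE = re.compile(r"^This platform has an? (?P<lic>.+) license\.$")


def parse_licensed_features(text):
    """Return {feature: value} from the 'Licensed features' block of show version.

    Numeric values become ints; everything else stays a string. The closing
    'This platform has a ... license.' line is stored under 'Platform License'.
    """
    features = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        plat = PLATFORM_RE.match(line.strip())
        if plat:
            features["Platform License"] = plat.group("lic")
            break  # end of the licence block
        m = FEATURE_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        features[m.group("name")] = int(value) if value.isdigit() else value
    return features


def license_limits_sessions(features, needed_sessions):
    """True if the SSL VPN peer licence is smaller than the number of concurrent
    AnyConnect/WebVPN sessions needed, i.e. licensing would explain refused sessions.
    Returns None if the peer count could not be read."""
    peers = features.get("SSL VPN Peers")
    if not isinstance(peers, int):
        return None
    return peers < needed_sessions


if __name__ == "__main__":
    feats = parse_licensed_features(SHOW_VERSION_SAMPLE)
    print("SSL VPN Peers:", feats["SSL VPN Peers"], "| Platform:", feats["Platform License"])
    print("Licence explains 3 users being limited:", license_limits_sessions(feats, 3))
```

With the posted output the function reports that 50 peers do not limit three users, which is the conclusion the thread reaches; on a default unit with "SSL VPN Peers : 2" it reports that the licence is the limit.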
Thanks for posting the additional information. It shows very clearly that the problem is not an issue about licensing and that you are licensed for 50 concurrent SSL/AnyConnect sessions. So we need to look for some other issue. Perhaps you can post a sanitized version of the configuration?
Please follow Richard's suggestion.
Any related error (client or ASA side)?
Does this happen to any connection profile?
No error is displayed on either the client or the ASA; Person A's connection just drops when Person B connects... Just to clarify, this only affects clients connecting from the same external IP.
Here is the config, which I hope I've not stripped too "clean"; as I said, I'm new to Cisco and mostly use the ASDM to do any config:
Result of the command: "show run"
ASA Version 8.2(2)
ip local pool VPNPool 192.168.40.10-192.168.40.90 mask 255.255.255.0
ip verify reverse-path interface External
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 65535 set pfs group1
crypto dynamic-map External_dyn_map 65535 set transform-set TRANS_ESP_3DES_SHA
ssh timeout 5
console timeout 0
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint5 External
csd image disk0:/securedesktop-asa-18.104.22.168-k9.pkg
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-lock value DefaultRAGroup
group-policy DfltGrpPolicy attributes
vpn-filter value SplitTunnel
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
svc ask none default webvpn
group-policy VPN-Clientless internal
group-policy VPN-Clientless attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol svc webvpn
group-lock value VPN-Clientless
split-tunnel-network-list value SplitTunnel
default-domain value local.com
url-list value WebMail
svc dtls enable
svc keep-installer installed
svc compression deflate
svc ask enable default webvpn
customization value local
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
tunnel-group DefaultWEBVPNGroup general-attributes
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group VPN-Clientless type remote-access
tunnel-group VPN-Clientless general-attributes
tunnel-group VPN-Clientless webvpn-attributes
group-alias Remote enable
inspect h323 h225
inspect h323 ras
inspect dns DNS_MAP_PC
Hi, just wondering if anyone has had a chance to look over the config?
Sent from Cisco Technical Support Android App
I have looked at the config and do not see anything in it that would cause the symptoms that you describe.
Your clarification of the symptoms was helpful. I had been working under the impression that the problem impacted all user sessions and restricted the total number of sessions. It is helpful to know that the problem is actually only in the situation where there are multiple users at the same site and that the existing session is dropped when a different user initiates a new session. My theory is that the ASA sees a session with the existing user and when a new request is received with the same source address that it assumes that the remote has restarted the client and is requesting a new session. I wonder if there is anything in the logs of the ASA when this happens that could confirm what is happening?
Thank you for the response. I'll endeavour to duplicate the issue and check the logs to see if anything is being logged that can shed some light on what's going on.
The second thing to try would be newer ASA code. We're up to version 9.1.x. Either 9.0.x or 9.1.x (latest patch) would be a much better choice. There's always the chance you're hitting some very odd bug in a version of ASA code, but this one isn't ringing a bell.
Are you really using AnyConnect version 2.2? (This version is many years old). If so, first step would be to go to the latest 3.1 version (3.1.04072). Please send us your logs at email@example.com from the ASA immediately after the drop (we may need to turn on additional debugs if there's nothing in there). The ASA should not have a problem with multiple connections from a single IP, however, some NAT (PAT) devices do not do a very good job in this scenario and end up reusing the same source port which could result in this behavior. I haven't seen this in a very long time, it used to plague a lot of old home PAT devices, especially with IPsec.
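Both Richard's theory and the request for logs come down to one check: when a session from the shared external IP is disconnected, was a session for a different user at that same IP established just before it? The following is an added example, not code from the thread or from Cisco, that runs that correlation over ASA syslog exported to a file. The sample lines are constructed; their bodies are written in the shape of ASA messages 113039 (AnyConnect parent session started) and 113019 (session disconnected), and the timestamps, hostname, usernames and addresses are made up. The group name VPN-Clientless is taken from the posted config.

```python
import re
from datetime import datetime

# Constructed sample syslog export (not from the thread). Two users behind one
# NAT address (203.0.113.10) and a control user at a different address.
SAMPLE_LOG = """\
Mar 12 10:15:01 asa-edge %ASA-6-113039: Group <VPN-Clientless> User <alice> IP <203.0.113.10> AnyConnect parent session started.
Mar 12 10:19:13 asa-edge %ASA-6-113039: Group <VPN-Clientless> User <bob> IP <203.0.113.10> AnyConnect parent session started.
Mar 12 10:19:14 asa-edge %ASA-6-113019: Group = VPN-Clientless, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:04m:13s, Bytes xmt: 48211, Bytes rcv: 10342, Reason: Idle Timeout
Mar 12 11:02:40 asa-edge %ASA-6-113039: Group <VPN-Clientless> User <carol> IP <198.51.100.7> AnyConnect parent session started.
Mar 12 11:40:05 asa-edge %ASA-6-113019: Group = VPN-Clientless, Username = carol, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 0h:37m:25s, Bytes xmt: 990, Bytes rcv: 412, Reason: User Requested
"""

# "Mon DD HH:MM:SS host %ASA-<sev>-<id>: body"  (syslog-server style timestamp)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
START_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> AnyConnect parent session started")
STOP_RE = re.compile(r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), Session disconnected")


def parse_events(text):
    """Turn session-start (113039) and session-stop (113019) lines into
    (timestamp, kind, user, ip) tuples; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # No year in the syslog timestamp; fine for ordering within one export.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        if m.group("id") == "113039":
            kind, s = "start", START_RE.search(m.group("body"))
        elif m.group("id") == "113019":
            kind, s = "stop", STOP_RE.search(m.group("body"))
        else:
            continue
        if s:
            events.append((ts, kind, s.group("user").strip(), s.group("ip").strip()))
    return events


def find_same_source_displacements(events, window_seconds=30):
    """For every disconnect, look back up to window_seconds for a session start by a
    *different* user from the *same* source IP. A hit is the pattern described in
    the thread: an existing session displaced by a new one from the same NAT address."""
    findings = []
    for i, (ts, kind, user, ip) in enumerate(events):
        if kind != "stop":
            continue
        for pts, pkind, puser, pip in reversed(events[:i]):
            delta = (ts - pts).total_seconds()
            if delta > window_seconds:
                break  # events are in time order; nothing earlier can be closer
            if pkind == "start" and pip == ip and puser != user:
                findings.append({"dropped_user": user, "new_user": puser,
                                 "source_ip": ip, "seconds_between": delta})
                break
    return findings


if __name__ == "__main__":
    for f in find_same_source_displacements(parse_events(SAMPLE_LOG)):
        print(f"{f['source_ip']}: {f['dropped_user']} dropped {f['seconds_between']:.0f}s "
              f"after {f['new_user']} connected from the same address")
```

If the correlation fires consistently while sessions from distinct addresses never show it, the logs support the same-source theory; the Reason field on the 113019 line is then the next thing to compare against the PAT behaviour mentioned above.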