
New Member

Restricting amount of users on IPSec VPN

I have a Cisco ASA 5510 running an IPSec VPN. My example is I have a group policy with 10 users on it, all assigned static IPs. Of those 10 users, I only want to have a max of 5 logged in at any one time. Simultaneous connections won't work because that is only how many times a single username can be logged in (that I know of), and I can't limit the IP address pool of that group because I need 10 static IPs, and if I limited the pool to 5, well, that wouldn't work.

So is there any way to limit the amount of VPN users per group policy or tunnel or what have you? I don't want to limit the amount of VPN connections on the entire appliance since I will have other groups as well that will be connecting.

Thanks for any help.

Accepted Solutions
Cisco Employee

Re: Restricting amount of users on IPSec VPN

You are absolutely right. There is no way to limit the number of unique simultaneous VPN connections per group. When you limit the connections to 5 per group, for example, it doesn't check if one user has been connecting 3 times simultaneously.

16 REPLIES
New Member

Re: Restricting amount of users on IPSec VPN

Jennifer,

I just re-read your post and regarding your statement "When you limit the connections to 5 per group for example". How do you limit the group to 5 connections?

Cisco Employee

Re: Restricting amount of users on IPSec VPN

Under your group-policy, you can configure the following:

vpn-simultaneous-logins 5

That limits the group to 5 simultaneous logins.

Example:

group-policy attributes
        vpn-simultaneous-logins 5

New Member

Re: Restricting amount of users on IPSec VPN

The simultaneous logins means how many of the same user "tom" can be logged in at a time correct? So with 5 that means I can login in user "tom" 5 times before the ASA rejects my login?

Or does it mean how many users total can be logged into the group at a time.

Thanks again

Cisco Employee

Re: Restricting amount of users on IPSec VPN

Simultaneous logins means how many users in total can connect to that group.

Here are some example scenarios (with 5 simultaneous logins):

1) User-A can connect 3 times to the same group, plus User-B and User-C ---> Total of 5 users per group

OR

2) User-A can connect 5 times to the same group --> Total of 5 users per group, and no other user can login to this group

OR

3) User-A, User-B, User-C, User-D, and User-E can connect once to the same group --> Total of 5 users per group, and if user-F wants to login, this will not be successful.

Hope that helps.

New Member

Re: Restricting amount of users on IPSec VPN

Hmm, alright, well that doesn't seem to be working for me right now. I set the simultaneous logins at 1 just for testing, and when user "A" logged in more than once it would kick one of the sessions off, but when I had user "A" logged in, user "B" and user "C" were still able to log in with no one being kicked off.

So I am not sure if mine isn't working right or what might be happening, I guess I will have to keep playing with it, not sure though.

Cisco Employee

Re: Restricting amount of users on IPSec VPN

OK, there are 2 places where you can configure "vpn-simultaneous-logins", i.e. under group-policy and under user policy (if you are using ASA local authentication).

If you also have the user attribute configured with "vpn-simultaneous-logins" set to 1, it will take precedence, and the group-policy "vpn-simultaneous-logins" attribute will not be checked anymore. Please make sure that you do not configure any "vpn-simultaneous-logins" under the user attributes.

New Member

Re: Restricting amount of users on IPSec VPN

I did have that policy set to "1", and what you said made sense, so I changed it to "5" just to put it above what the group policy is set at, which is currently "1". I am still able to log in three usernames at the same time with no effect of the firewall trying to boot anyone after 1 connection is made. Of course, still, if I try to connect user "A" twice, it will kick the older session off after the 2nd one connects.

I guess there isn't a huge need for a feature like this, but I was thinking there would be a way to do this. The method I found is to limit the IP pool, but then I can't have static IPs for the users, so it's a toss-up that I will just have to figure out which way I will have to take.

New Member

Re: Restricting amount of users on IPSec VPN

After running some tests, I don't think it's actually enforcing the group policy. I have the group policy set at 1 and user connections set to 5. I was just able to log user "A" in twice without any issues. So this might be where the group policy isn't being enforced, which I am not sure why it wouldn't be, since the user is set to that policy when I look at it.

Cisco Employee

Re: Restricting amount of users on IPSec VPN

Yes, the group policy attribute will not be enforced if you have the same user policy attribute defined, because the user policy takes precedence over the group policy.

That's why: try to remove the user policy attributes (so it will inherit from the group-policy attribute), just set the group policy attribute to vpn-simultaneous-logins of 1, and try to connect multiple users (it should fail).

New Member

Re: Restricting amount of users on IPSec VPN

I get what you're saying now, and so I went ahead and hit "inherit" for everything under the user so it would pull all the permissions from the group policy. That makes sense, and I dunno why it didn't before. So now when I log in user "A" twice, one of them does get kicked off. But I can still log in user "A" and "B" and "C" with no issues.

The simultaneous logins to me does mean how many total, but it appears that it just means how many of the same username. Still seems like fuzzy logic to me, though.

I attached the group policy screen from ASDM and a user screen for examples. Can't thank you enough.

Cisco Employee

Re: Restricting amount of users on IPSec VPN

Mmmm... you've set it to 1; however, you can still connect 3 users at the same time.

OK, can you share the following info, please:

1) Output of "sh run group-policy "

2) Connect all 3 users, then please share the output of "sh vpn-sessiondb remote"

3) What is the ASA version?

New Member

Re: Restricting amount of users on IPSec VPN

1 -

group-policy XX internal

group-policy XX attributes
banner none
wins-server none
dns-server none
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
group-lock value XXVPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XX
intercept-dhcp disable
vlan none
nac-settings none
address-pools none
smartcard-removal-disconnect enable
2 -
Result of the command: "sh vpn-sessiondb remote"
Session Type: IPsec
Username     : A              Index        : 10
Assigned IP  : 172.18.1.8             Public IP    : XXX.XXX
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 4866
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:12:37 UTC Sun Oct 17 2010
Duration     : 0h:01m:25s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Username     : B                  Index        : 11
Assigned IP  : 172.18.1.6             Public IP    : XXX.XXX
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 8192
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:12:53 UTC Sun Oct 17 2010
Duration     : 0h:01m:09s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Username     : C                Index        : 12
Assigned IP  : 172.18.1.7             Public IP    : XXX.XXX
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128                 Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 4999
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:13:10 UTC Sun Oct 17 2010
Duration     : 0h:00m:52s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
3 - The version is: Cisco ASA Version 8.0(4)
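Added example (not part of the thread, and not a Cisco tool): since the accepted answer is that the ASA enforces vpn-simultaneous-logins per username rather than per distinct user in a group, a script that parses "sh vpn-sessiondb remote" output can at least detect when a group policy has more distinct users logged in than intended. The session text embedded in the script is constructed to follow the 8.0(4) output layout posted above (public IPs replaced with documentation addresses), and the per-group limit map is a hypothetical operator-defined value.

```python
"""Count distinct VPN users per group policy from ASA "show vpn-sessiondb remote" output.

Added example, not code from the thread or from Cisco. vpn-simultaneous-logins
is enforced per username, so this script shows how to detect (not enforce)
a group policy exceeding an intended number of distinct users. The session
output below is constructed, modelled on the ASA 8.0(4) layout in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: user A has two sessions, plus users B and C, all in
# group policy 31001. Three distinct users, four sessions.
SAMPLE_OUTPUT = """\
Session Type: IPsec
Username     : A              Index        : 10
Assigned IP  : 172.18.1.8             Public IP    : 203.0.113.10
Protocol     : IKE IPsecOverNatT
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:12:37 UTC Sun Oct 17 2010
VLAN Mapping : N/A                    VLAN         : none
Username     : B                  Index        : 11
Assigned IP  : 172.18.1.6             Public IP    : 203.0.113.11
Protocol     : IKE IPsecOverNatT
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:12:53 UTC Sun Oct 17 2010
VLAN Mapping : N/A                    VLAN         : none
Username     : C                Index        : 12
Assigned IP  : 172.18.1.7             Public IP    : 203.0.113.12
Protocol     : IKE IPsecOverNatT
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:13:10 UTC Sun Oct 17 2010
VLAN Mapping : N/A                    VLAN         : none
Username     : A              Index        : 13
Assigned IP  : 172.18.1.9             Public IP    : 203.0.113.13
Protocol     : IKE IPsecOverNatT
Group Policy : 31001                  Tunnel Group : 31001VPN
Login Time   : 02:14:02 UTC Sun Oct 17 2010
VLAN Mapping : N/A                    VLAN         : none
"""

# One "Key : value" pair. A second pair on the same line is separated from the
# first by two or more spaces, so single-spaced values such as
# "IKE IPsecOverNatT" or "02:12:37 UTC Sun Oct 17 2010" stay whole.
_FIELD = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|$)"
)


def parse_sessions(text):
    """Return one dict of fields per session; each Username line starts a session."""
    sessions = []
    current = None
    for line in text.splitlines():
        for key, value in _FIELD.findall(line):
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:  # lines before the first Username are a header
                current[key] = value
    return sessions


def users_per_group(sessions):
    """Map each group policy to the set of distinct usernames logged into it."""
    groups = defaultdict(set)
    for s in sessions:
        groups[s.get("Group Policy", "?")].add(s["Username"])
    return groups


def sessions_per_user(sessions):
    """Count sessions per username: this is what vpn-simultaneous-logins governs."""
    counts = defaultdict(int)
    for s in sessions:
        counts[s["Username"]] += 1
    return dict(counts)


def groups_over_limit(sessions, limits):
    """Return (group, distinct_users, limit) for each group above its cap.

    `limits` is a hypothetical operator-maintained map from group policy name
    to the maximum number of distinct users intended for that group.
    """
    over = []
    for group, users in users_per_group(sessions).items():
        limit = limits.get(group)
        if limit is not None and len(users) > limit:
            over.append((group, len(users), limit))
    return over


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    print("sessions per user:", sessions_per_user(sessions))
    for group, users in users_per_group(sessions).items():
        print(f"group {group}: {len(users)} distinct users ({', '.join(sorted(users))})")
    for group, count, limit in groups_over_limit(sessions, {"31001": 2}):
        print(f"ALERT: group {group} has {count} distinct users, intended cap {limit}")
```

Run it periodically against the real command output (for example over an SSH session that captures "sh vpn-sessiondb remote") and feed the alert to whatever monitoring you use; the distinction the thread turns on is visible in the output, where user A counts as 2 sessions but only 1 distinct user in the group.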
Cisco Employee

Re: Restricting amount of users on IPSec VPN

Thanks... I can see that all users connect to the same group; however, under the group policy attributes themselves, I don't see any "vpn-simultaneous-logins" configuration?

New Member

Re: Restricting amount of users on IPSec VPN

Result of the command: "sh run group-policy 3"
group-policy 3 internal
group-policy 3 attributes
banner none
wins-server none
dns-server none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
group-lock value 3VPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 3
intercept-dhcp disable
vlan none
nac-settings none
address-pools none
smartcard-removal-disconnect enable
I made a change to test before I ran that command. This is what it is set at, and I still have the 3 users signed on.
New Member

You can use the vpn-sessiondb command to set an active VPN limit system-wide. This can be done for AnyConnect or other VPN client connections as noted below.

max-anyconnect-premium-or-essentials-limit   #For AnyConnect

max-other-vpn-limit   #For Cisco VPN Client (not sure about L2L)

Example:

vpn-sessiondb max-anyconnect-premium-or-essentials-limit 250

or

vpn-sessiondb max-other-vpn-limit 250
