
Session could not be established: session limit of 4 reached.

rockline9
Level 1

Hi Team,

I am unable to connect to Cisco AnyConnect VPN. What I have observed is that everyone except me is able to connect.

 

Below are the logs from the syslog server.

2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113004: AAA user authentication Successful : server =  5.5.5.5 : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113009: AAA retrieved default group policy (CiscoAC) for user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113008: AAA transaction status ACCEPT : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113029: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Session could not be established: session limit of 4 reached.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113038: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Unable to create AnyConnect parent session.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-725007: SSL session with client outside:2.2.2.2/58735 terminated

 

Looking forward to your response.

 

Thanks.
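The log sequence in the post above (AAA success, then a session-limit rejection) can be picked out of ASA syslog automatically. The following is an added example, not part of the original post: it flags each %ASA-4-113029 event and records whether the same user had already passed authentication, which separates a capacity or licensing problem from a credential problem. The sample log is constructed from the lines in the post, and the function name is an assumption.

```python
import re

# Constructed sample input, modelled on the syslog lines in the post.
SAMPLE_LOG = """\
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113004: AAA user authentication Successful : server =  5.5.5.5 : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113008: AAA transaction status ACCEPT : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113029: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Session could not be established: session limit of 4 reached.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113038: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Unable to create AnyConnect parent session.
2014-11-13T14:02:11+01:00 1.1.1.1 %ASA-6-113004: AAA user authentication Successful : server =  5.5.5.5 : user = alice@xxx.com
"""

# Syslog layout as shown in the post: timestamp, reporting device, %ASA-<severity>-<id>: text
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)$")
AUTH_USER = re.compile(r"user = (?P<user>\S+)\s*$")
LIMIT = re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
                   r"Session could not be established: session limit of (?P<limit>\d+) reached")

def session_limit_rejections(text):
    """Return one record per 113029 event; auth_succeeded is True when the
    same user passed AAA (113004) on the same device earlier in the log."""
    authed = set()      # (device, user) pairs seen with a 113004 success
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue    # wrapped or non-ASA line
        if m["id"] == "113004" and (u := AUTH_USER.search(m["msg"])):
            authed.add((m["dev"], u["user"]))
        elif m["id"] == "113029" and (r := LIMIT.search(m["msg"])):
            findings.append({
                "time": m["ts"], "device": m["dev"], "group": r["group"],
                "user": r["user"], "client_ip": r["ip"], "limit": int(r["limit"]),
                "auth_succeeded": (m["dev"], r["user"]) in authed,
            })
    return findings

if __name__ == "__main__":
    for finding in session_limit_rejections(SAMPLE_LOG):
        print(finding)
```
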

3 Replies

Marvin Rhoads
Hall of Fame

It sounds like you are using AnyConnect Premium with an HA pair of ASAs each with two free licenses. Any user currently connected via an SSL VPN connection will use one of those licenses. The 5th user would result in the message you show above. IPsec VPN clients would not count against that total.

Not applicable

In my case it turned out that the VPN session was not terminating after disconnect, so users were having multiple sessions. Check in ASDM > Monitoring. Look at AnyConnect sessions and disconnect them. We are looking at a way to disconnect idle sessions. I think I saw it set to never somewhere.

This thread is 3 years old but - yes - you can set idle timeout.

The following example shows how to set a vpn-idle-timeout of 10 minutes, and to decrease the default-idle-timeout to 1200 seconds (20 minutes):

hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# vpn-idle-timeout 10
hostname(config-group-webvpn)# default-idle-timeout 1200

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html#wp1119393
