Cisco Support Community
New Member

Session could not be established: session limit of 4 reached.

Hi Team,

I am unable to connect to Cisco AnyConnect VPN. What I have observed is that everyone except me is able to connect.

 

Below are the logs from the syslog server.

2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113004: AAA user authentication Successful : server =  5.5.5.5 : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113009: AAA retrieved default group policy (CiscoAC) for user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113008: AAA transaction status ACCEPT : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113029: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Session could not be established: session limit of 4 reached.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113038: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Unable to create AnyConnect parent session.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-725007: SSL session with client outside:2.2.2.2/58735 terminated

 

Looking forward to your response.

 

Thanks.

3 REPLIES
Hall of Fame Super Silver

It sounds like you are using AnyConnect Premium with an HA pair of ASAs each with two free licenses. Any user currently connected via an SSL VPN connection will use one of those licenses. The 5th user would result in the message you show above. IPsec VPN clients would not count against that total.
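
The log sequence in the question shows AAA accepting the user and the ASA then refusing the session on capacity. As an added example (not part of the original thread), this Python script parses ASA syslog lines and separates 113029 session-limit rejections from authentication problems; the sample input is constructed from the lines quoted in the question, and the function name `find_limit_rejections` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the syslog lines quoted in the question.
SAMPLE_LOG = """\
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113004: AAA user authentication Successful : server =  5.5.5.5 : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-6-113008: AAA transaction status ACCEPT : user = rockline@xxx.com
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113029: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Session could not be established: session limit of 4 reached.
2014-11-13T13:57:30+01:00 1.1.1.1 %ASA-4-113038: Group <CiscoAC> User <rockline@xxx.com> IP <2.2.2.2> Unable to create AnyConnect parent session.
2014-11-13T14:02:11+01:00 1.1.1.1 %ASA-6-113008: AAA transaction status ACCEPT : user = other@xxx.com
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+%ASA-\d-(?P<id>\d{6}):\s*(?P<msg>.*)$")
ACCEPT = re.compile(r"AAA transaction status ACCEPT : user = (?P<user>\S+)")
LIMIT = re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
                   r"Session could not be established: session limit of (?P<limit>\d+) reached")

def find_limit_rejections(text):
    """Return one record per 113029 event, noting whether AAA had accepted the user."""
    accepted = defaultdict(set)   # device -> users with a prior 113008 ACCEPT
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # skip wrapped or non-ASA lines
        if m["id"] == "113008":
            a = ACCEPT.search(m["msg"])
            if a:
                accepted[m["dev"]].add(a["user"])
        elif m["id"] == "113029":
            hit = LIMIT.search(m["msg"])
            if hit:
                findings.append({
                    "time": m["ts"], "device": m["dev"], "group": hit["group"],
                    "user": hit["user"], "ip": hit["ip"], "limit": int(hit["limit"]),
                    "auth_ok": hit["user"] in accepted[m["dev"]],
                })
    return findings

if __name__ == "__main__":
    for f in find_limit_rejections(SAMPLE_LOG):
        cause = "capacity, not credentials" if f["auth_ok"] else "no prior AAA ACCEPT seen"
        print(f'{f["time"]} {f["device"]} {f["user"]} from {f["ip"]}: '
              f'limit {f["limit"]} reached ({cause})')
```
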

Anonymous
N/A

In my case it turned out that the VPN session was not terminating after disconnect, so users were having multiple sessions. Check in ASDM > Monitoring. Look at AnyConnect sessions and disconnect them. We are looking at a way to disconnect idle sessions. I think I saw it set to never somewhere.

Hall of Fame Super Silver

This thread is 3 years old but - yes - you can set idle timeout.

The following example shows how to set a vpn-idle-timeout of 10 minutes, and to decrease the default-idle-timeout to 1200 seconds (20 minutes):

hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# vpn-idle-timeout 10
hostname(config-group-webvpn)# default-idle-timeout 1200

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html#wp1119393
