Solved

My ASA 5505 keeps going over the 50 host limit

Posted on 2010-09-07
12
3,525 Views
Last Modified: 2012-05-10
I have 13 users ant the most on the inside interface plus about 3-5 on VPN.  

Using show local-host, the current host count lingers between 28-32.

Every once in a while, it jumps to 50 and I get 450001 syslog ID denying traffic for a couple minutes then the count jumps back down and the errors go away.

I don't know how to troubleshoot to find out where all these hosts are coming from.

Thanks.

0
Comment
12 Comments
 
LVL 4

Expert Comment

by:bjove
ID: 33623039
0
 

Author Comment

by:bfindleyexpertsexchange
ID: 33623139
How can I tell what local hosts are contributing to the license limit?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 33625117
Keep in mind though that the hosts don't refer to users but to (all) machines on your network which can connect to the internet.
Don't know how much you got of them offcourse.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33626010
1) is there any command like "-security-traffic permit intra-interface'" in ur ASA.
if remove that and see.

2) which is ur OS version, if it is 8.0(3) or earlier, then there is a bug,  and it is resolved in 8.04 ,so use higher version


3) is there any default route on ur ASA, if not  hosts on all interfaces are counted toward the limit.

0
 
LVL 3

Expert Comment

by:Mystique_87
ID: 33627909
here are the details for the syslog ID 450001:
Error Message    ASA-4-450001: Deny traffic for protocol protocol_id src
interface_name:IP_address/port dst interface_name:IP_address/port, licensed host
limit of num exceeded.

If you have a hunch that somebody on the internal network may be launching too many connections, use the command:
sh loacl-host | include host|count/limit
this command will give the number of connections each of the hosts on the internal network are having.
If you find any host with more number of connections determine what that host is, a server or a PC.
A server having many connections is justifiable, but a PC having many connections needs some investigation.

If you want to limit the number of connections, you can use the set-connection command in the class-map of a policy-map

0
 

Author Comment

by:bfindleyexpertsexchange
ID: 33628611
I don't get how the number add up. This is an example of the output.

Current host count: 28, towards licensed host limit of: 50
local host: <10.1.2.175>,
    TCP flow count/limit = 29/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 0/unlimited
local host: <10.1.2.179>,
    TCP flow count/limit = 26/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 32/unlimited

One of these computers is mine and I have no viruses but I am running many applications.
I also have outside ip addresses showing up on the list like the ones below:

local host: <74.125.19.149>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 0/unlimited
local host: <74.125.19.189>,
    TCP flow count/limit = 8/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 0/unlimited

I thought show local-host would only show connections on the inside interface.
0
 

Author Comment

by:bfindleyexpertsexchange
ID: 33628872
anoopkmr

I removed the -security-traffic permit intra-interface - didn't seem to do anything

There is a default route

My ASA version is 7.2(3)
0
 
LVL 9

Expert Comment

by:Donboo
ID: 33636728
I have seen a few times on the ASA 5505 that if you use VPN clients to connect with full tunnel and provide them internet via "VPN on a stick" that the ASA then starts using sessions that the VPN clients create to count instead of IPs.

Under all circumstances I advise you to upgrade to a newer version atleast 8.2.3 (think its the lastest in the 8.2.x train).
0
 

Author Comment

by:bfindleyexpertsexchange
ID: 33637863
I think that may be what is happening. What's the process for getting an upgrade? I have 4 ASA 5505 that are not on any sort of contract. Do I need to purchase the upgrade? From who? Thanks.
0
 
LVL 9

Expert Comment

by:Donboo
ID: 33638881
You can purchase a single upgrade for the one ASA that needs the new software or you can purchase a 50-unlimited user upgrade.

I would recommend that you purchase a smartnet contract for all 4 ASAs and a 50-unl upgrade for the ASA with VPN clients.

A smartnet contract enables you to the following:

1. Full access to ASA and VPN software
2. Advanced hardware replacement (AHV) on a 8x5NBD (next business day shipping)
3. Access to Cisco TAC
0
 

Author Comment

by:bfindleyexpertsexchange
ID: 33638933
Can you buy the upgrade or Smartnet online?
0
 
LVL 9

Expert Comment

by:Donboo
ID: 33640186
You purchase your smartnet contract via a Cisco partner or reseller and the contracts are paper contracts and is sent via e-mail. Use this link to find a partner in your area.

http://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
What are acceptable WiFi signal strengths 6 71
BGP Code 12 47
DNS and NSLOOKUP 21 74
Running a 2nd company from the same location 3 38
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now