• Status: Solved

Cisco ASA 5505 host license limit workaround and dhcp lease time

We have a Cisco ASA 5505 with a 10 host license. For several years this tiny home office didn't need more than that. But, being in a home office, the number of business hosts as well as the family's personal inventory of smart devices (tablets, phones, smart TVs) has exceeded the host limit. The business runs on Windows SBS 2008 and we currently have an Engenius wireless access point but also have other wireless routers we could deploy.

My first question is simply this: how do I get the ASA to open up unused host connections when devices have left the building or been turned off? It seems like the machine keeps some connections a long time, even when the device has been shut down. Is this related to DHCP lease times? If so, do I just need to shorten the lease time to something like 600 seconds (10 minutes)?

Will a short lease time create excessive overhead traffic?

The second question is: Should I set up a separate home network on another wireless router and use NAT to keep that traffic on a single address going to the ASA since it generally should not need to see any of the business LAN devices? We have a Comcast business Internet gateway, so maybe I can just plug that other router straight into the cable modem... guess I better look at the box and see if it has more LAN ports for that.
Asked: Shannon Mollenhauer
1 Solution
 
Don Johnston (Instructor) Commented:
Had the exact same issue with my 10 user license ASA. Those personal wireless devices add up fast!  :-)

I ended up getting a 50 user license.

But in the interim, I created a separate wireless network that NATed to the ASA. So all wireless devices only counted as one device as far as the ASA was concerned.

IIRC, the command to clear an existing connection is "clear local-host <ip address>".
 
Shannon Mollenhauer (Author) Commented:
Thanks for the suggestion. I'm not going to be using CLI repeatedly, but I'll use the clear command to test the release of connections. I'd still appreciate anyone's advice on whether the DHCP lease time being much shorter will accomplish the same clearing effect.
 
Don Johnston (Instructor) Commented:
Oh... Sorry. I didn't see where you were going with the DHCP lease idea.

I don't think that's going to help since the DHCP table is separate from the connection table.
 
Shannon Mollenhauer (Author) Commented:
We ended up putting a cheap Netgear wireless router on another port on the Comcast gateway and moving non-business devices to that network. Still evaluating whether to upgrade the licenses on the Cisco ASA, replace it, or keep things as-is. Shortened lease time might have helped the ASA recognize that a device has been off the network for a while and not actively using a connection, but I can't verify that with my limited knowledge of the device. Closing the question for now.
 
Shannon Mollenhauer (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for smollenhauer's comment #a39791269

for the following reason:

Suggestions by others didn't answer the original question. Workaround in place for now.
 
Don Johnston (Instructor) Commented:
I believe that I answered both questions.

Changing the DHCP lease will not affect the connection table.  And adding a second network using NAT will reduce the number of connections against the license.
Question has a verified solution.
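
For reference, the commands discussed in this thread as they would be entered at the ASA privileged EXEC prompt. This is an added example, not posted by either participant; the prompt name `asa` and the address 192.168.1.50 are constructed.

```text
! Added example. Prompt name "asa" and address 192.168.1.50 are constructed.

! Licensed inside-host limit for this unit
asa# show version | include Hosts

! Local hosts the ASA is currently tracking, in summary and for one address
asa# show local-host brief
asa# show local-host 192.168.1.50

! Release the entry for one host, as suggested in the thread
asa# clear local-host 192.168.1.50

! Idle timers for connection and translation entries
asa# show running-config timeout

! The DHCP lease is a separate setting in the DHCP server configuration;
! per the answer above, changing it does not affect the connection table
asa# show running-config dhcpd
asa# configure terminal
asa(config)# dhcpd lease 600
```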

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now