Solved

Cisco ASA 5505 host license limit workaround and dhcp lease time

Posted on 2014-01-12
6
2,924 Views
Last Modified: 2014-01-18
We have a Cisco ASA 5505 with a 10 host license. For several years this tiny home office didn't need more than that. But, being in a home office, the number of business hosts as well as the family's personal inventory of smart devices (tablets, phones, smart TVs) has exceeded the host limit. The business runs on Windows SBS 2008 and we currently have an Engenius wireless access point but also have other wireless routers we could deploy.

My first question is simply this: how do I get the ASA to open up unused host connections when devices have left the building or been turned off? It seems like the machine keeps some connections a long time, even when the device has been shutdown. Is this related to DHCP lease times? If so, do I just need to shorten the lease time to something like 600 seconds (10 minutes)?

Will a short lease time create excessive overhead traffic?

The second question is: Should I set up a separate home network on another wireless router and use NAT to keep that traffic on a single address going to the ASA since it generally should not need to see any of the business LAN devices? We have a Comcast business Internet gateway, so maybe I can just plug that other router straight into the cable modem... guess I better look at the box and see if it has more LAN ports for that.
0
Comment
Question by:Shannon Mollenhauer
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39774840
Had the exact same issue with my 10 user license ASA. Those personal wireless devices add up fast!  :-)

I ended up getting a 50 user license.

But in the interm, I created a separate wireless network that NATed to the ASA. So all wireless devices only counted as one device as far as the ASA was concerned.  

IIRC, the command to clear an existing connection is "clear local-host <ip address>".
0
 

Author Comment

by:Shannon Mollenhauer
ID: 39774999
Thanks for the suggestion. I'm not going to be using CLI repeatedly, but I'll use the clear command to test the release of connections. I'd still appreciate anyone's advice on whether the dhcp lease time being much shorter will accomplish the same clearing effect.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39775008
Oh... Sorry. I didn't see where you were going with the DHCP lease idea.

I don't think that's going to help since the DHCP table is separate from the connection table.
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 

Author Comment

by:Shannon Mollenhauer
ID: 39791269
We ended up putting a cheap netgear wireless router on another port on the Comcast gateway and moving non-business devices to that network. Still evaluating whether to upgrade the licenses on the Cisco ASA, replace it, or keep things as-is. Shortened lease time might have helped the ASA recognize that a device has been off the network for a while and not actively using a connection, but I can't verify that with my limited knowledge of the device. Closing the question for now.
0
 

Author Comment

by:Shannon Mollenhauer
ID: 39791356
I've requested that this question be closed as follows:

Accepted answer: 0 points for smollenhauer's comment #a39791269

for the following reason:

Suggestions by others didn't answer the original question. Workaround in place for now.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 39791350
I believe that I answered both questions.

Changing the DHCP lease will not affect the connection table.  And adding a second network using NAT will reduce the number of connections against the license.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Transparency shows that a company is the kind of business that it wants people to think it is.
The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now