Solved

Cisco ASA 5505 host license limit workaround and dhcp lease time

Posted on 2014-01-12
6
3,096 Views
Last Modified: 2014-01-18
We have a Cisco ASA 5505 with a 10 host license. For several years this tiny home office didn't need more than that. But, being in a home office, the number of business hosts as well as the family's personal inventory of smart devices (tablets, phones, smart TVs) has exceeded the host limit. The business runs on Windows SBS 2008 and we currently have an Engenius wireless access point but also have other wireless routers we could deploy.

My first question is simply this: how do I get the ASA to open up unused host connections when devices have left the building or been turned off? It seems like the machine keeps some connections a long time, even when the device has been shutdown. Is this related to DHCP lease times? If so, do I just need to shorten the lease time to something like 600 seconds (10 minutes)?

Will a short lease time create excessive overhead traffic?

The second question is: Should I set up a separate home network on another wireless router and use NAT to keep that traffic on a single address going to the ASA since it generally should not need to see any of the business LAN devices? We have a Comcast business Internet gateway, so maybe I can just plug that other router straight into the cable modem... guess I better look at the box and see if it has more LAN ports for that.
0
Comment
Question by:Shannon Mollenhauer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39774840
Had the exact same issue with my 10 user license ASA. Those personal wireless devices add up fast!  :-)

I ended up getting a 50 user license.

But in the interm, I created a separate wireless network that NATed to the ASA. So all wireless devices only counted as one device as far as the ASA was concerned.  

IIRC, the command to clear an existing connection is "clear local-host <ip address>".
0
 

Author Comment

by:Shannon Mollenhauer
ID: 39774999
Thanks for the suggestion. I'm not going to be using CLI repeatedly, but I'll use the clear command to test the release of connections. I'd still appreciate anyone's advice on whether the dhcp lease time being much shorter will accomplish the same clearing effect.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39775008
Oh... Sorry. I didn't see where you were going with the DHCP lease idea.

I don't think that's going to help since the DHCP table is separate from the connection table.
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 

Author Comment

by:Shannon Mollenhauer
ID: 39791269
We ended up putting a cheap netgear wireless router on another port on the Comcast gateway and moving non-business devices to that network. Still evaluating whether to upgrade the licenses on the Cisco ASA, replace it, or keep things as-is. Shortened lease time might have helped the ASA recognize that a device has been off the network for a while and not actively using a connection, but I can't verify that with my limited knowledge of the device. Closing the question for now.
0
 

Author Comment

by:Shannon Mollenhauer
ID: 39791356
I've requested that this question be closed as follows:

Accepted answer: 0 points for smollenhauer's comment #a39791269

for the following reason:

Suggestions by others didn't answer the original question. Workaround in place for now.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 39791350
I believe that I answered both questions.

Changing the DHCP lease will not affect the connection table.  And adding a second network using NAT will reduce the number of connections against the license.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question