Single host traffic only allowed through ASA--strange.

I have a strange problem. My ASA 5505 has a 10-user license.  I have, at most, seven devices on this side (the remote side) that would be communicating across the L2L VPN I have established with our main building.  When I do a show conn count I see 139 connections. That baffles me.  I'm not a router jockey or Cisco IOS guy, so I'm struggling. Are some of those connections likely to be coming from the main building to here? Either way, here is the real problem.

There are two people who have computers in this office. The first one to establish an internet connection is the only one to be able to use it from that point forward.  Once one of them shuts down, or logs off, then the other machine is able to get out to the internet or across the tunnel.  Otherwise, it's one-at-a-time for the PCs. I have no idea what's happening.  Can anyone help me out? There is definitely traffic going both ways.

Below is the output for sho ver.
Cisco Adaptive Security Appliance Software Version 9.1(6)
Device Manager Version 7.5(2)

Compiled on Fri 27-Feb-15 13:50 by builders
System image file is "disk0:/asa916-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 4 days 17 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is 0081.c45e.ff72, irq 11
 1: Ext: Ethernet0/0         : address is 0081.c45e.ff6a, irq 255
 2: Ext: Ethernet0/1         : address is 0081.c45e.ff6b, irq 255
 3: Ext: Ethernet0/2         : address is 0081.c45e.ff6c, irq 255
 4: Ext: Ethernet0/3         : address is 0081.c45e.ff6d, irq 255
 5: Ext: Ethernet0/4         : address is 0081.c45e.ff6e, irq 255
 6: Ext: Ethernet0/5         : address is 0081.c45e.ff6f, irq 255
 7: Ext: Ethernet0/6         : address is 0081.c45e.ff70, irq 255
 8: Ext: Ethernet0/7         : address is 0081.c45e.ff71, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: XXXXXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 13:19:47.259 UTC Fri Nov 25 2016

sho cryp ipsec sa
interface: outside
    Crypto map tag: CRYPTOMAP, seq num: 10, local addr:

      access-list LIBRARY extended permit ip
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      #pkts encaps: 54866, #pkts encrypt: 54866, #pkts digest: 54866
      #pkts decaps: 72740, #pkts decrypt: 72740, #pkts verify: 72740
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54866, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:, remote crypto endpt.:
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 902BD566
      current inbound spi : 10E582CB

    inbound esp sas:
      spi: 0x10E582CB (283476683)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
         sa timing: remaining key lifetime (kB/sec): (4353537/11312)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
    outbound esp sas:
      spi: 0x902BD566 (2418791782)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
         sa timing: remaining key lifetime (kB/sec): (4371809/11312)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

sho cryp ikev1 sa
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Here is the config:
: Saved
: Serial Number: XXXXXXX
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 07:02:06.570 UTC Wed Nov 30 2016
ASA Version 9.1(6) 
hostname MYASA
enable password EUfKAz4sNC/DZq4. encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool RAPOOL mask
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 
ftp mode passive
object network INSIDENET
object network REMOTENET
object network MAINNET
access-list MAIN extended permit ip object REMOTENET object MAINNET 
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static REMOTENET REMOTENET destination static MAINNET MAINNET no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic INSIDENET interface
route outside 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TRANSFORMSET esp-3des esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 65535 set ikev1 transform-set TRANSFORMSET
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRYPTOMAP 10 match address MAIN
crypto map CRYPTOMAP 10 set peer 
crypto map CRYPTOMAP 10 set ikev1 transform-set TRANSFORMSET
crypto map CRYPTOMAP 10 set reverse-route
crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYPTOMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6exxxxxxxxxxxxxxxxxxxxxxd491
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh inside
ssh outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd dns
dhcpd domain mydomain.lan
dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username anotheradmin password xxxxxxxxxxxxxx encrypted
username adminuser password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev1 pre-shared-key 3f1Ix@pqzl
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Shane Kahkola (Director of I.T.) asked:
Pete Long (Technical Consultant) commented:
In fact, here you go, do this:

PetesASA# sh resource usage
Resource                 Current        Peak      Limit        Denied Context
Telnet                         0           1          5             0 System
SSH Server                     1           1          5             0 System
Conns                        161         779      25000             0 System
Xlates                       249        2075        N/A             0 System
Hosts                         72         236        N/A             0 System
Conns [rate]                   2         354        N/A             0 System
Inspects [rate]                2         187        N/A             0 System
Routes                         5           5  unlimited             0 System

I've got 72 hosts in my house, that's alarming?
Pete Long (Technical Consultant) commented:
There's nothing wrong with your VPN config?

When someone can't get on, issue a 'show conn' command and see how many connections you have (not how many people); count the source IPs.
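
Pete's advice above is to count distinct source IPs in `show conn` rather than connection lines, because the 10-user Base license meters inside hosts, not connections. The Python below is an added example, not code from this thread or from Cisco: it parses constructed `show conn` lines (column layout approximated from ASA 9.x output, addresses made up for the example) and reports distinct inside hosts, connections per host, and how many connections are with the far side of the tunnel, assuming MAINNET is 10.20.0.0/16.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of ASA 9.x "show conn" output; layout approximated from
# real output, addresses are example ranges, not the poster's networks.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 192.168.1.20:51234, idle 0:00:05, bytes 12345, flags UIO
TCP outside 203.0.113.11:80 inside 192.168.1.20:51235, idle 0:00:12, bytes 987, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.1.21:50123, idle 0:00:01, bytes 120, flags -
TCP outside 10.20.0.15:445 inside 192.168.1.21:49870, idle 0:01:30, bytes 40210, flags UIO
TCP outside 10.20.0.15:3389 inside 192.168.1.22:49871, idle 0:00:03, bytes 80000, flags UIO
UDP inside 192.168.1.23:137 outside 10.20.0.255:137, idle 0:00:30, bytes 78, flags -
"""

# One connection line: protocol, then two "<interface> <ip>[:port]" legs.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<if1>\S+)\s+(?P<ip1>[\d.]+)(?::\d+)?\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+)(?::\d+)?"
)

def parse_conns(text):
    """Return (inside_ip, far_ip) for every connection that has an inside leg."""
    pairs = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skips blank lines and the "N in use" summary line
        legs = {m["if1"]: m["ip1"], m["if2"]: m["ip2"]}
        if "inside" in legs:
            far = m["ip2"] if m["if1"] == "inside" else m["ip1"]
            pairs.append((legs["inside"], far))
    return pairs

def inside_host_summary(text, main_net="10.20.0.0/16", host_limit=10):
    """Count distinct inside hosts (what the license meters), not connections."""
    net = ipaddress.ip_network(main_net)  # assumed MAINNET for the example
    pairs = parse_conns(text)
    per_host = Counter(inside for inside, _ in pairs)
    via_tunnel = sum(1 for _, far in pairs if ipaddress.ip_address(far) in net)
    return {
        "connections": len(pairs),
        "inside_hosts": len(per_host),
        "conns_per_host": dict(per_host),
        "conns_via_tunnel": via_tunnel,
        "over_host_limit": len(per_host) > host_limit,
    }
```

Paste the real `show conn` output into `SAMPLE_SHOW_CONN` (or read it from a file) when one of the two PCs is locked out; a high `connections` figure with a small `inside_hosts` figure means the connection count is not what is hitting the limit.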

Gerald Connolly commented:
These 2 PCs don't have the same IP address, do they?
Shane Kahkola (Director of I.T., author) commented:
Thank you again! I had somewhere around 136 listed, but I don't have NEAR that many devices on that end of the tunnel.  Is it counting connections coming across the tunnel from the other side? If so, I'm upgrading to unlimited.
Question has a verified solution.