2 Replies. Latest reply: Mar 18, 2018 9:11 PM by mark.delong1

ASA 5505 - Site to Site VPN - Concurrent Connections limitation

ecaamano1

Hi Team,

 

Quick question, I am establishing a site-to-site VPN between a Cloud Provider and one of our customers.

Our customer is using Cisco ASA 5505.

We are supposed to have reachability to 11 devices, but it appears to be random that we can connect to only 7 of them.

Even after a reset, we connected to 7 again, even when some of them were different from the previous 7.

 

Is there any capacity, configuration or licensing issue that could be limiting the number of concurrent connections allowed on the tunnel?

 

Regards, Emilio

  • 1. Re: ASA 5505 - Site to Site VPN - Concurrent Connections limitation
    lsmirnov@draper.com

    Emilio,

    I would suggest you open a tech support case.

     

    Regards,

     

    Leon

  • 2. Re: ASA 5505 - Site to Site VPN - Concurrent Connections limitation
    mark.delong1

    Emilio,

     

    I'm not sure if you have figured this out yet, but ASA 5505s had a connection limitation license (called the "inside hosts" limit), as well as some other interesting licenses (restricted DMZ is the other one that impacts people a lot).

     

    The "inside hosts" limit is set to 10 or unlimited based on the license the ASA was purchased with. I believe the license that set this to unlimited (as well as removed the restricted DMZ) was the "security plus" license, but I'm not 100% sure, as the 5505s are end of sale now so I don't have to worry about their licensing any more.

     

    I'm assuming your ASA 5505 was licensed for 10 "inside hosts" as seen below. So the question is why can you only get to 7 devices instead of 10? Well the answer is you probably have multiple TCP connections going to a couple of those devices or something else taking up the other 3 connections. The ASA doesn't really count up "inside hosts" to enforce this license limit. It just limits the connection table from holding more than 10 entries to enforce it. You could check the entries in the connection table with a "show conn" to see what the actual connections are that are using up your 10. Once you fill up the table with its 10 entries every new connection is dropped.

     

    This licensing was pretty unpopular and Cisco scrapped it for the 5506-X that replaced the 5505...thankfully! To check if you have this license limitation use the "show ver" command and look for the "inside hosts" license as seen below. If it shows 10 (like it does below) instead of "unlimited" or "unrestricted" that is your problem:

     

    Screenshot.png

     

    As far as limitations to how many connections are allowed over an IPsec VPN, I have never seen that in an ASA. I suppose you could do something custom with a policy map to inflict that pain, but nothing normal would do it. It is much more likely that you are hitting a total connection limit from this license issue.

     

    Thanks!

     

    Mark
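The check Mark describes (read the "Inside Hosts" value out of `show ver`, then look at what is actually occupying the connection table in `show conn`) is easy to get wrong by eye when the table is full of similar-looking entries. The script below is an added example, not code from the thread or from Cisco: it parses saved `show version` and `show conn` output, extracts the licensed inside-host value, and reports both the number of connection table entries and the number of distinct inside addresses behind them, so you can see which figure sits at the licensed value and which hosts hold more than one connection. The ASA output embedded in it is constructed to resemble ASA 9.x formatting and deliberately has 10 entries spread over only 7 inside hosts, matching the symptom in the question; the interface name `inside` and the regexes are assumptions, and real output can differ by software version, so adjust them to your own capture.

```python
"""Parse ASA 'show version' licence lines and 'show conn' entries to see
whether an "Inside Hosts" cap is what is limiting reachability.

Added example for the thread above; not Cisco code. The sample output is
constructed to look like ASA 9.x and is not a capture from a real device.
"""
import re
from collections import Counter

# Constructed: licence section of `show version` on a Base-licensed 5505.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
"""

# Constructed: `show conn` with 10 entries that touch only 7 inside hosts.
SHOW_CONN = """\
10 in use, 10 most used
TCP outside 203.0.113.10:51001 inside 10.1.1.5:22, idle 0:00:03, bytes 4120, flags UIO
TCP outside 203.0.113.10:51002 inside 10.1.1.5:443, idle 0:00:09, bytes 8831, flags UIO
TCP outside 203.0.113.10:51003 inside 10.1.1.6:22, idle 0:00:01, bytes 2210, flags UIO
TCP outside 203.0.113.10:51004 inside 10.1.1.7:22, idle 0:01:12, bytes 600, flags UIO
TCP outside 203.0.113.10:51005 inside 10.1.1.7:3389, idle 0:00:44, bytes 73120, flags UIO
UDP outside 203.0.113.10:161 inside 10.1.1.8:161, idle 0:00:20, bytes 390, flags -
TCP outside 203.0.113.10:51006 inside 10.1.1.9:22, idle 0:00:02, bytes 1190, flags UIO
TCP outside 203.0.113.10:51007 inside 10.1.1.10:22, idle 0:00:05, bytes 2048, flags UIO
TCP outside 203.0.113.10:51008 inside 10.1.1.10:443, idle 0:00:07, bytes 5120, flags UIO
TCP outside 203.0.113.10:51009 inside 10.1.1.11:22, idle 0:00:08, bytes 1500, flags UIO
"""

# "Inside Hosts : 10 perpetual" -> capture the token after the colon.
LICENSE_RE = re.compile(r"^Inside Hosts\s*:\s*(\S+)", re.M)

# One connection entry: proto, then two "<interface> <ip>:<port>" pairs.
# Assumed layout; the summary line ("10 in use, ...") does not match it.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[0-9.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[0-9.]+):(?P<port_b>\d+)",
    re.M,
)


def inside_hosts_license(show_version: str):
    """Return the licensed Inside Hosts count as an int, or None when the
    line is absent or reads Unlimited/Unrestricted (no numeric cap)."""
    m = LICENSE_RE.search(show_version)
    if not m:
        return None
    token = m.group(1)
    if token.lower() in ("unlimited", "unrestricted"):
        return None
    return int(token)


def connection_usage(show_conn: str, inside_if: str = "inside"):
    """Count connection table entries and the distinct hosts on inside_if."""
    per_host = Counter()
    entries = 0
    for m in CONN_RE.finditer(show_conn):
        entries += 1
        # The inside-interface endpoint may be printed first or second.
        if m.group("if_a") == inside_if:
            per_host[m.group("ip_a")] += 1
        elif m.group("if_b") == inside_if:
            per_host[m.group("ip_b")] += 1
    return {"entries": entries, "inside_hosts": len(per_host),
            "per_host": dict(per_host)}


def assess(show_version: str, show_conn: str, inside_if: str = "inside"):
    """Compare the licence value with actual usage and name the bottleneck."""
    cap = inside_hosts_license(show_version)
    usage = connection_usage(show_conn, inside_if)
    multi = sorted(h for h, n in usage["per_host"].items() if n > 1)
    if cap is None:
        verdict = "no Inside Hosts cap on this licence"
    elif usage["entries"] >= cap:
        verdict = "connection table entries are at the licensed value"
    elif usage["inside_hosts"] >= cap:
        verdict = "distinct inside hosts are at the licensed value"
    else:
        verdict = "below the licensed value"
    return {"cap": cap, "verdict": verdict, "multi_conn_hosts": multi, **usage}


if __name__ == "__main__":
    result = assess(SHOW_VERSION, SHOW_CONN)
    print(f"licensed Inside Hosts: {result['cap']}")
    print(f"entries: {result['entries']}, distinct inside hosts: {result['inside_hosts']}")
    print(f"hosts with more than one entry: {result['multi_conn_hosts']}")
    print(f"verdict: {result['verdict']}")
```

Run it against your own `show version` and `show conn` captures by replacing the two constructed strings (or reading them from files). If the licence line reads "Unlimited" the cap check is skipped, and if your inside interface is named differently pass that name to `assess`.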