Cisco AAA/Identity/Nac :: 2000 Base Concurrent Users Exceed License Allowable Count
Mar 25, 2013
Getting the following alarm from my ISE: Cause: Base License Enforcement Details: Base concurrent users exceed license allowable count. Currently only using 1656 out of 2000 base licenses so I'm not sure what the issue is. Running 1.1.2.145 patch 3.
Jan 9, 2012
We have a PIX 501 and I'm in the process of replacing it with an ASA5505. We're currently using the 501 for a site-to-site VPN for disaster recovery purposes and I'm trying to verify the number of concurrent connections we can have.
Oct 11, 2011
We want to buy an ISE-3315-K9 for 500 end-devices. In the price-list I found the ISE-3315-K9 but cannot find the base license: L-ISE-BSE-500=. (I think I need this license.) Will the shipment of the ISE-3315-K9 include a 3000 end-points base license (maximum support of the ISE-3315) or do I need to order the base 500 license separately?
Aug 29, 2011
In previous LMS versions the DCR could hold more devices than the licenses of the other applications permitted, and using the "user defined fields" we have used it as a general device repository for some customers, pushing only the supported Cisco devices to the various applications. In LMS 4 Cisco has removed all allocation possibilities from the various applications and replaced them with an all-or-nothing type of allocation. Does this now mean that any entry in the DCR is automatically counted as a used device license?
Aug 14, 2012
Any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time? For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box. We are trying to determine current license capacity of the device.
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.
May 7, 2012
This is one I am having a hard time finding an answer for. How many clients can a 3600 AP support? For 150 clients on one of these, what would the throughput be for each client?
If my calculations are correct, the device can deliver 420 Mbps, which gives each client roughly 2.8Mbps. Is this correct?
Oct 20, 2012
What is the maximum number of concurrent users you can have on a Cisco 3925 for:
1) Site to Site VPN using IPSEC tunnels
2) GRE tunnels
If I have 90 users on a single GRE tunnel with 50mb Internet pipe using fat clients will this work?
Oct 11, 2012
We have a client that is looking to provide connectivity for up to 800 users at a conference. They have a SRP527W available to them. Looking at the configuration we have been able to provide the needed number of IP addresses through VLANs each with their own DHCP scope.
However we are doubtful that the router will be able to process such a high number of connections (NAT, Firewall etc.) even though they will be using a specialised application that pulls static content via WAN.
Thus far we have been told that the unit has supported 150 users with no issue; I am guessing anything over 200 and you would start to see stability issues?
Jan 18, 2012
I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which supports 500 Cisco nodes. We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth. We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment. According to the device support documentation for LMS, it supports and I assume will auto-discover these APs. Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS? If so is there an easy way to suppress discovery of APs by LMS so we don't have to purchase extra node licenses for LMS? Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator? Just trying to understand how many network node licenses for LMS I have to purchase.
Feb 14, 2012
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
Jun 4, 2013
I'm using a Huawei B660 3G router at my house, with a service provider called 8ta (in South Africa). I've been struggling for months to try and get them to troubleshoot and fix my connection, which was working fine for about a year.
I'm now daily struggling with download speeds of as little as 0.1Mbps to 0.5Mbps, especially after 5pm until about midnight. Upload speed of course is even worse.
8ta has, after months of me complaining, agreed to install an antenna at my house, which will probably take another few more weeks for them to accomplish.
I often have 5/5 bars of signal on the router, so my argument is that signal strength might not be the problem. Since the connection is in a residential area, I would assume that their network is more likely to be a bit more congested after hours, but a technician explained to me that their network is never more than 30% "occupied".
Can the number of users connected on the 3G network/tower cause signal strength to attenuate for surrounding users?
Would it replace the B660 (7Mbps) router with a 21Mbps counterpart?
Apr 3, 2013
We are trying to migrate WCS base license to NCS 1.1. We have procured the migration license. In the licensing guide, it is mentioned as "L-WCS-NCS1-M-K9 License first, before adding the licenses migrated from your WCS installation"
1) Whether we need to add this migration license in WCS before generating XML file or
2) Before adding XML file in NCS we need to add this in NCS.
Aug 7, 2012
I currently purchased, Cisco 1941/K9 with 2 onboard GE, 2 EHWIC slots, 1 ISM slot, 256MB CF default, 512MB DRAM default, IP Base.
Questions
1. With IP Base License, will I be able to run Frame Relay? I really need reference on what works and what doesn't between these different technology package licenses. Actually frame relay is running on it right now, hope it doesn't suddenly stop after 60 days...
2. As I understand in order to run MPLS, I will need to upgrade to Data License "SL-19-DATA-K9". Since I already have a Cisco 1941, to upgrade it, do I need to order a spare license / paper PAK?
3. Does the IP Base License support site to site IPSEC VPN or do I need to purchase a security license "SL-19-SEC-K9"?
4. Can I have both security and data license activated on the same device?
5. If I do activate security or data license will I be able to use the IP Base features at the same time?
6. If I purchase a new Cisco 1941 with Data or Security License do I need to purchase the IP Base License then upgrade the license?
7. Is the 1941 suited for voice application routing?
Jan 27, 2013
We have purchased an ASA 5510 with CSC module. Unfortunately, the white envelope with the PAK for activating a Base License was lost before we managed to register it.
Jul 17, 2012
I am working on ASA 5505 with Base License that uses 3 VLANs.
- My VLAN 1 is used for my home network.
- VLAN 2 is connected to the public Internet and my IP gets assigned by ISP dynamically.
- VLAN 3 is DMZ where I will have few VMs that would need access to and from the Internet.
I am looking to work with the following:
1) 172.16.0.2 that sits on DMZ will need to access public Internet over port 80
2) Permit access from the Internet over port 3389 to 172.16.0.2
3) Permit any host on private VLAN (192.168.0.0 network) to access 172.16.0.2 over the port 3389
4) Permit second VM on the DMZ VLAN let say 172.16.0.3 to access public Internet on all ports. Access in to this host is not permitted.
5) For some reason DHCP hosts are NOT getting DNS (8.8.8.8) entry when IP gets assigned or renewed. I have the statements below but it is not working.
Also, if ACL rules for VoIP are written correctly. The goal is to permit these ports (SIP related) to access VoIP router. [code]
Dec 28, 2011
I'm trying to set up a DMZ for a guest wireless off of a 5505. So this device has a base license. It has vlan1 and vlan 2 for inside and outside. Another vlan is configured to be a failover for the currently active wan connection. It is using the "no forward interface" command. Can I add another vlan as a DMZ if I use the "no forward interface" command? [code]
May 11, 2011
I have ASA 5505 with base licence. I configured NATing and VPN (site to site). All are working fine. My ASA is base license so I created 2 VLANs, one is inside and outside. Inside I am using 10.91.40.0/24 series IP addresses. Below are the new requirements that I need to configure:
1. First 30 IP addresses only need internet directly (Servers and Management).
2. If remaining IPs like to use web then traffic needs to be forwarded to one proxy server (where he gives user authentication)
May 24, 2011
My ASA 5505 base license allows for three VLANs, the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong. Let's say you've got three VLANs, one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN would I enter the no forward interface as vlan 3, then set the name via the nameif command and everything will work just fine. The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.
Would that be best practice or would I enter the "no forward" interface as in VLAN 1, thus is being able to respond to traffic from the outside as opposed to the inside.
I had a DMZ set up but since there was an intrusion into my network, I am building it again.
Jun 30, 2012
How to install IP base license and Unified communication license in 2921 router?
Sep 22, 2012
I have a couple of 5505s with base licenses. One of the two has a limited output when running the sho version command, as it has a restricted license. What license would I need to buy in order to bring it up to "normal" base license?
Dec 8, 2012
I have a ws-3750x-12s-s switch. I want to upgrade it from ipbase to ip service. After installing the ip service license file, when I gave the command "show license detail" I found 3 indexes there. One is for ip base - active (permanent), the 2nd is for ip service - active (permanent), and the 3rd is again ip service but inactive (period 8 weeks 2 days). Then I cleared the 1st one by giving the command "clear ipbase" and rebooted, but there are still 2 indexes, both for ipservice: one is permanent-active, the other is inactive. So my question is, how can I remove the 2nd index, which is inactive with a time period of 8 weeks and 2 days? Because I don't need it. And will it cause any problem in future?
Sep 1, 2011
Well, I tried using the Cisco configuration for ASA 5505 for blocking P2P: url...but this configuration is only useful with programs like Kazaa, so I tried this configuration to block ARES, but the problem is that ARES tries to make downloads from different ports. How do I block ARES if there are several ports?
Mar 26, 2013
Would like to ask what is the right SKU license for WS-X3750-24P-L for LAN Base to IP Base Upgrade License?
Dec 18, 2011
We have a Cisco ASA5505 with base license and 3 interfaces configured: Internal 192.168.1.1/24, DMZ 172.16.0.1/24, Outside 20.20.20.20/24. The DMZ is configured to allow the traffic to pass to the outside interface only (base license allows traffic to only one interface) in order to let clients on this network browse the internet. On the outside interface there's a NAT configuration that lets port 443 be natted to an internal server. Is it possible to let the clients in the DMZ access the internal server on port 443 from the outside interface?
Jul 13, 2012
basic step to blocking site on ASA 5505 version 8.2(1) base license using CLI
Mar 3, 2013
I am bringing up a 3750x and a 2911 to replace a 3745 router with switchport module. I was planning on moving all the VLAN interfaces off the 3745 onto the 3750x and turning up EIGRP. I discovered the 3750 has the LAN Base license, so I can't run EIGRP off of it. My question or worry now is, will the LAN base license prevent the switch from doing interface VLAN routing between the different VLANs configured on it, or will I have to keep all the VLAN interfaces on the new router and just have a router on a stick setup?
Mar 29, 2012
I have a base 5505 and would like to get AnyConnect working. To do that, would I have to first purchase either an essentials or premium license and then purchase the AnyConnect Mobile license?
Oct 24, 2011
We have a customer with an ASA 5510 with a CSC module in it. The device tells us the Base license has expired. The new license has been renewed - after - the grace period. The Trendmicro site tells us the Base license is valid until 21 October 2013 but the CSC refuses to acknowledge this. The module is able to fetch updates from the Internet so it does not look like a connection problem to me (it also has a plus license which is also valid till far into 2013 and that one works). Is it possible that the current license key is "dead" and the CSC expects a new license key because the grace period was expired?
Jan 7, 2012
The model WS-C3750X-24T-L is only Lan Base. We need this switch to use EIGRP Protocol. Does a license exist for supporting IP Base or IP Services Feature Set?
Jul 30, 2012
We recently purchased L3 daughter cards (N55-D160L3-V2) for our 5548UPs along with the LAN Enterprise Services licenses (N55-LAN1K9).
I installed the cards and Ent Svcs lic this past weekend and everything went well except that I couldn't enable the EIGRP feature .. apparently EIGRP requires the LAN Base (N55-BAS1K9-BUN) license even when you have the Enterprise lic installed, so I was able to dig up that license eventually (which comes with the L3 daughter card, incidentally). Another side effect of not installing the Lan Base lic is that the L3 card/module will be in an "offline" state until the Lan Base lic is installed. Either way, everything was working normally in L2 mode at this time.
So, here I was thinking I was ready to proceed with enabling L3 - this morning I installed the LAN Base license on one of the 5548s which apparently triggered the L3 Daughter card module to go active and triggered a switch reboot. Ok, not that big of a deal, knew that was probably coming. I expected the switch to come back up normally .. NOPE. The switch went into a continual reboot cycle where the console prompt would appear, then about 30 seconds later, would reboot again.
I finally ended up re-installing the original L2 card and the switch came right up. I see that LAN Base and LAN Enterprise are both still installed as well.
What have I done wrong here? Why did the switch go into a continuous reboot cycle once I installed the LAN Base license?
Here are more details :
Software
BIOS: version 3.5.0
loader: version N/A
[Code]....
Jul 6, 2010
I've just installed ACS 5.1 and noticed that it seems to count managed devices differently than previous versions.
I have a 500 count license which should be fine as I have about 100 devices which will use ACS for TACACS. On ACS 3.x and 4.x, I would set up AAA clients by using a wild card for the subnets that host our routers/switches, say 192.168.1.0/24, 172.16.1.0/24 and 10.1.1.0/24. When I do this with ACS 5, I get a Managed Device Count Exceeded error message because of the potential of more than 500 AAA clients. It seems to be counting every IP address in the subnet as a managed device, even if there are only a handful actually in use. Is there a way around this short of having to manually enter (and maintain) the exact IP Address of every managed switch and router which will use the ACS server for TACACS?
Jul 3, 2011
I need to specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configure it.
1. Configured two separate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. Created a separate service selection rule, adding the required NDG and protocol TACACS and matching service "RestrictAccess"
3. In the RestrictAccess Service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
Apr 20, 2012
I have a 10 user license for Cisco ASA, I have to use this ASA for client connectivity. Can I do NAT of more than 10 users with this license? What I understand is NO.
But as per the explanation below it looks like I can if I am not doing default routing? Actually I just need to add a specific route towards the client DMZ interface on my ASA, no default route, so can I use more than 10 concurrent sessions with this license?