Cisco Firewall :: ASA 5540 - How Many AnyConnect Users Accommodated With Current Sessions
May 22, 2013I have a ASA 5540 VPN Premium with 2 Client-less licenses.How many anyconnect users can i accommodate with current sessions ??
View 5 RepliesI have a ASA 5540 VPN Premium with 2 Client-less licenses.How many anyconnect users can i accommodate with current sessions ??
View 5 Replieswe have three ASA 5540 with Cisco Adaptive Security Appliance Software Version 8.4(5) Device Manager Version 6.4(9) this devices are only for remote conections (webvpn/ssl-web/anyconnect), and we are having problems with connections anyconnects; are released every 15 seconds, the version anyconnect is 2.3.0254.is there a conflict of versions or a bug that could be picking up??.is there a compability matrix betwen Software Version of ASA and Anyconnect ?
View 2 Replies View Relatedin Cisco ASA 5540 Adaptive Security Appliance Platform Capabilities and Capacities, I see Concurrent Sessions: 400,000. Which mean what device can handle 400,000 session and no more. But if I'm using TCP State Bypass Feature (Inbound traffic pass via ASA but Outbound goes via different device). I can see such connections via show conn command with b flag.
My questions: 1. Will this limit (Concurrent Session) affect in this case? Or ASA can handle more such connections (for example 800,000 ...) in bypass state? 2. It's possible to tune timeout for such connection without using global timeout conn? My problem what I want to do by pass tcp connection for one IP with has very high connection/sec rate.
I'm planning to upgrade Cisco ASA 8.2 to an anyconnect essentials and mobile license. Are there any concerns with some users continuing to utilize the cisco vpn IPSEC client while others migrate to the Anyconnect? I just want to make sure when I upgrade the license that there will not be an immediate requirment to have all users switch to Anyconnect immediately.
View 2 Replies View RelatedWhenever new clients logs on to the network, the network tends to kick out users already logged on to the network.
View 2 Replies View RelatedI am a little new to Cisco ASA's but we bought two new 5540's to use as a new VPN solution for our company. We want to implement Cisco Anyconnect full client and Clientless based solutions for our end users. I am having problems working with setting up access lists based on groups. I simply want to create access-lists to certain IP's based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory Groups allowing access to back end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL on a group.
View 2 Replies View RelatedWe've deployed WebVPN on Cisco ASA 5540 and its working fine with no trouble in relation to connectivity. My Anyconnect VPN users are able to download the client and connect to our corporate network.However, sometimes when I try to connect after entering the credentials it keeps saying Login failed.
View 3 Replies View RelatedI have a ASA 5540+SSM-40 on which I have configured webvpn and it's listening for connections on the outside interface. It can be accessed from outside the network (the internet) and works just fine. The problem is, I want to access it from inside the network as well but it doesn't work. I can't ping or connect in any way to the IP address of the outside interface from inside (so I suppose it's not strictly related to the configuration of the webvpn).
I don't think it's a ACL issue because the only ACL filtering I do is on the OUTSIDE-IN (facing the internet), the rest are set to permit any.
What I have to do to be able to access the IP address of the outside interface from networks behind the inside interface?
I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see:aaa-server LDAP protocol ldap aaa-server LDAP (inside) host ldap.com ldap-base-dn DC=x,DC=x,DC=x,DC=com ldap-scope subtree ldap-login-password ***** ldap-login-dn ***** server-type microsoft ,I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = DomainMember I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
View 2 Replies View Relatedwant to connect with AnyConnect Secure Mobility Client 3.0.2052 to ASA 5540 Version 8.4 and SSL Premium License.The clients using Maschine Certificate to authenticate to ASA. This works fine.
Now I want to setup a DAP to verifiy the client against the Microsoft AD using LDAP. I configured LDAP server in ASA see: [code]I can see that it works if I test the server via the testbotton in ASDM and I see it in CLI "debug ldap 255" also. But if I configure in DAP: AAA Attribute ID:memberOf = Domain Member I can not see any request to the LDAP server during I try to connect with the Client und the DAP doesn't match.
Is it possible to send profile name as an Radius atribute during client authentication? I would like to match users depends on profile name to sperate Identity Stores in my ACS. ASA 5540 8.4, anyconnect 3.1.01065, ACS 5.1
View 3 Replies View RelatedI have an ASA 5540 cluster that is configured as my remote access VPN point. Users connect using IPSEC Profiles with Cert based authentication, the profile is configured to query two DHCP servers (infoblox appliance servers).
The problem I am encountering, is that I need to make reservations on the DHCP server for some users for specific business needs. What happens is that the ASA passes the request to the DHCP server with it's own MAC address and not the MAC of the remote host.
Is there any way I can configure the ASA to pass the request using the hosts actual MAC address?
I have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling.
View 3 Replies View RelatedI am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked.Each time, I see where the user has failed while attemtping to log in to the domain via the radius servers and thus bypasses the local user database all together.
View 3 Replies View RelatedI am able to successfully connect to my ASA5505 via AnyConnect via a mobile device. Upon doing so, I lose internet connectivity. My access list appear to be correct to I'm sort of at a loss.
[code]....
I have a weird problem which I have already submitted a TAC ticket about. When users authenticate through AnyConnect into our HQ ASA 5510 they grab an address from 172.16.254.x. What we have been noticing intermittently is that when logged into our network through the client they are unable to access their resources at one of our remote offices which is connected over l2l to the HQ ASA. This problem just started randomly a week ago and we have been working with Cisco trying to create a solution.
My quick fix is logging into a device at the remote office which is trying to be accessed and pinging the gateway of the virtual subnet for AnyConnect users. When I ping 172.16.254.1 it goes through after a few dropped icmp packets and then the issue is resolved for about 8 hours or so.
I am having problems with a customer's ASA 5505 with Anyconnect 3.1 - it is generating captive portal false-alerts which are stopping users from connecting. This issue began when I upgraded from Anyconnect 2.4 to 3.1, and it appears like this: A user downloads and installs the Anyconnect client and is able to connect fine, to begin with. However, once they reboot their computer and try to reconnect, the VPN session will not come up and they receive the error message below."The service provider in your current location is restricting access to the internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser."
Reading other posts, it seems this message appears when a captive portal is restricting internet access. It must be a false alert in this case as there is nothing of the sort here. Apparently, Anyconnect 3.1 can generate a false alert like so if the name of the firewall's SSL certificate doesn't match the CName listed on the Client Profile. I've set this up to match, to no avail. Although users can connect by reauthenticating through the SSL VPN login web page, I am stumped as to how to get rid of this captive portal error that pops up when they try to use the Anyconnect client.
while traversing through Cicso ASA Firewall 5520,VPN sessions are disconnecting.In Accelissts for VPN-Outbound traffic from LAN to Client VPN ,we have allowed all Ports.Is there any inspection Rules are cause for this issue. In ASA Firewall,presently the inspection rules are [code]
View 1 Replies View RelatedIn our organization ,recently we are facing a issue with VPN connections are disconnecting abruptly in reandom time periods ( 5Min,15Min,1Hr also).We have verified in our SysLog .[code] The same was worked well in Cisco Pix 515E Firewall ,After changed to Cisco ASA 5520,it is giving the issue.- All Ports are allowed for outbound traffic with a Source Network 172.16.40.0/24 to their Client VPN.- This issue is giving for other Subnet Users i.e 172.16.33.0/24 to their Cleint VPN sessions & I allowed all Ports for them for Outbound traffic. Any feature in ASA is casuing for terminating the sessions which was not in Cisco PIX 515E.- ASA version is 8.0.
View 2 Replies View RelatedThis is an issue I'm currently exploring with TAC, but I'd like a quick reality check. We have a pair of ASA 5510s in Active/Standby stateful failover mode. In some tests failing over from the active to the standby system breaks SSH connections from hosts on our Inside to hosts on our DMZs.
A specific example is our backup server on Inside which is connecting to our mail server in the DMZ2, and running ssh/rsync/scp for the backups. A running backup job fails with network timeout errors when I trigger the failover. Also, sometimes the mail server loses or hangs on its connection to our LDAP server in DMZ1, although sometimes this connection is fine (DMZ2 is more "inside" than DMZ1, and I assume the LDAP look ups are many short connections, vs the rsync backup being one long connection).
TAC has suggested that open SSH sesions will always fail when the ASAs failover. I believe this is true for management connections to the ASA, but I don't see why it should be the case for an SSH session through the ASA to a server in the DMZ. TAC has suggested that I open some connections to servers in the DMZ and test what happens, and I can do so this Wednesday morning during a maintenance window.But, in general, is this true? That is, given an SSH session from a workstation to a server, should a failover break it? If so, why?
The setup is:
MyWorkStation-INSIDE -> CoreSwitch (vlan 10) -> [ ASA-INSIDE - - (ASA-internal-connection) - - ASA-DMZ ] -> CoreSwitch (vlan 3) -> TargetServer
That is, all our inside VLANs are routed by our core L2/3 switch to a VLAN that connects to the Primary and Secondary ASA's INSIDE ports. There are also seperate VLANS on the core for the ASA's DMZ1 and DMZ2 connections, which go to both ASAs and to any servers in these zones.
The description of the ASA Stateful failover [URL]says: "The state information passed to the standby unit includes these:
· The NAT translation table
· The TCP connection states
· The UDP connection states
· The ARP table
· The Layer 2 bridge table (when it runs in the transparent firewall mode)
· The HTTP connection states (if HTTP replication is enabled)
· The ISAKMP and IPSec SA table
· The GTP PDP connection database
[code]....
I'm not quite sure what the ISAKMP and IPSec SA tables do, but shouldn't an SSH connection through the ASA be just a TCP connection? "For us, SSH from Inside to hosts in the DMZ survives failover," or, "Yah, failover breaks all SSH sessions."
How to schedule automatic Xlate sessions cleaning in ASA5550. I want to clear few global nat sessions manually every week.Is there any way to automate that?
View 1 Replies View RelatedI have an ASA 5520 running version 8.2(1) and I am having an issue with ASDM sessions.I can SSH into the ASA and have tried to clear the sessions but they do not clear as per below.
largoGW# sh asdm session0 dguselnx1 dguselnx2 dguselnx3 dguselnx4 dguselnxlargoGW# confi tlargoGW(config)# asdm disconnect 0largoGW(config)# asdm disconnect 1 largoGW(config)# asdm disconnect 2largoGW(config)# asdm disconnect 3largoGW(config)# asdm disconnect 4largoGW(config)# exitlargoGW# sh asdm session0 dguselnx1 dguselnx2 dguselnx3 dguselnx4 dguselnxlargoGW#
An interesting point: the host dguselnx is my linux based computer that I am using to SSH to the ASA. I do not connect via ASDM from this device so it is strange that the hostid for the asdm sessions is showing as my linux host and not my Windows laptop (that I am trying to connect via ASDM from).
I have FWSM running version 3.2(23) , configured with interface vlans , all having the same security level , except outside interface vlan which has security level 0 , also same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are configured, my problem is when establishing sessions (I tried TCP only using ssh and telnet , in addition of ping ) from one specific vlan (172.16.1.0/28) to other vlan (172.16.1.16/28) , I can not see the established sessions in "show xlate debug" output ! although I can see these sessions from capture ! the two subnets are separate , two different /28.
I can see the session established from the remaining interface vlans with same security level toward 172.16.1.16/28 , my question is what is the exception with vlan having this subnet172.16.1.0/28, how it can reach other vlan with subnnet 172.16.1.16/28 without showing anything in xlate table ? do you thing it is bug ?
I have an AT&T Router that is my gateway to the internet, I have no access to it. I do have the inside ip address of it which is on my private LAN. Just for shiggles we will call it 10.25.240.1 255.255.248.0. That is my gateway address for all of my current devices.I have this shiny new ASA that I want to throw in there to eliminate a proventia and a sidewinder.
The diagram shows two stacks, these are my virtual server clusters with 3560X switches with the vlans configured, and several more switches all configured with vlan 832, connected to a 2950, which is connected to my internal 2600 router. I have 4 Vlans running on 4 different ip ranges, all controlled by the internal router, with only one vlan, let's say 832 that is trunked to the outside world. That vlan has 172.16.1.x 255.255.0.0 network attached to it. All is well, and traffic is routing behind the internal router, but I cannot seem to figure out how to get the traffic to pass thru the ASA. [code]
I have DSL, a firewall, patch panel and hubs.The network was already in place by three previous techs. I am not sure how the current setup is done there is no configuration map.The users in office 1 are all connected to a patch panel that then connects to hubs The second office users connect to a hub that then connects to the patch panel then connects to another hub.The internet is connected to a router that will be replaced with a firewall. Should it be setup like thisdsl modem > firewall > patch panel > hubs > Nodes
View 3 Replies View RelatedI need to know if I can pull Netflow style data (Top Talkers, Top Sessions, etc) from ASA 5505s? We are looking at buying some but I need to be able to export this kind of data to my managment station which is also a collector. I have read on this forum that 8.2 and above should support Netflow but I have read conflicting information.
View 2 Replies View Relatedwe have two ASA 5510s one in 8.4(4) and one in 8.2(5) in a site-to-site VPN setup. All internal traffic is working smoothly.Site/Subnet A: 192.160.0.0 - local (8.4(4)) Site/Subnet B: 192.260.0.0 - remote (8.2(5)) VPN Users: 192.160.40.0 - assigned by ASA When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.
Site B however, is completely inaccessible for VPN users. All machines on subnet B, the firewall itself, etc... is not reachable by ping or otherwise.There are also some weird NAT rules that I am not happy with that were created after I upgraded Site A ASA to 8.4
Site A internal: 192.160.x.x External: 55.55.555.201(main)/202(mail)
Site B (over site-to-site) is 192.260.x.x External: 66.66.666.54(all)
I pretty much just have the basic NAT rules for VPN, Email, Internet and the site-to-site.What do I need to add for the VPN to be able to access the site-to-site network?
Here is my NAT config:
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (inside,Outside) source static DOMAIN_LOCAL DOMAIN_LOCAL destination static DOMAIN_REMOTE DOMAIN_REMOTE no-proxy-arp route-lookup
!
object network DMZ_Network
nat (DMZ,Outside) dynamic interface
object network DOMAIN_LOCAL
[code]....
I have an ASA 5520 with a DMZ with private addresses that I SNAT to my outside network. From inside the DMZ I can reach servers by both the internal private IP and the public IP, except if the IP is from the server trying to connect. So, say I have server1 and server2. I can connect from server1 to server 2 with both public and private, but can't connect from server1 to server1' using the public IP. ASA logs show that packets are being denied due to land attack. DNS doctoring is not an option for me.
View 1 Replies View RelatedIs there any way of showing the currently assigned ip address for an interface configured to use DHCP on an ASA 5505?
View 2 Replies View Relatedwe have a pix 515E firewall with software version Cisco PIX Security Appliance Software Version 7.0(4) and ASDM version Device Manager Version 5.0(4). we are in a process of upgrading the software. Kindly suggest the software and ASDM version most fit for the device. Also the software should be compatilbe for the current configuation running.
View 3 Replies View RelatedHow are asa5540 in high availability mode upgraded for their versions.
View 1 Replies View RelatedI am encountering some problems setting up my new polycom hdx 8000 behind ASA 5540?I have opened reuired ports through the firewall ( incoming and outgoing). I have enabled inspection h323 on ASA and enabled the option NAT is 323 compatible on Polycom.
3230-3243 tcp
h323 tcp
h323 udp
3230-3285 udp
Here is the problem.I get connected to the call but I cannot the remote site cannot see and hear me.But I can see and hear them.
i need to upgrade ASA 5540 from 7.1 to 8.4 for secure connect feature of Cisco Jabber Configuration. Support forum guides that, i need to follow upgrade path from 7.1 --> 7.2 --> 8.0 --> 8.2 -->8.4 and also do a memory upgrade from 1GB to 2GB.
[URL]
I need to use this feature for only three or maximum four users in company then would i really need to do memory upgrade? or can i go with 1GB memory?also how i can get the prices of part number "ASA5540-MEM-2GB=" at cisco.com?
ASA-ISB-HQ# sh version
Cisco Adaptive Security Appliance Software Version 7.1(2)
Device Manager Version 5.1(2)
[Code].....