Cisco VPN :: ASA 5540 - SSL And VPN License Count
Aug 14, 2012
Any method to determine the maximum number of concurrently used SSL VPN licenses (sessions) on an ASA5540 over a period of time? For instance, over a week, the MAXIMUM number of concurrent users that were utilizing SSL licenses on the box. We are trying to determine current license capacity of the device.
We are running 8.2(5) on the ASA itself, and have 6.47 ASDM deployed.
Apr 15, 2012
We have configured our ASA5540 in active-standby failover. We are observing that the current active session count is twice the session count before configuring HA. Earlier the average active session count was 50000 and now after HA it is around 100000. The failover configuration of both firewalls is as follows:
failover
failover lan unit primary
failover lan interface FOLan GigabitEthernet1/0
failover polltime unit 15 holdtime 45
failover replication http
failover link StateLink GigabitEthernet1/1
failover interface ip FOLan 10.3.3.1 255.255.255.0 standby 10.3.3.2
[code]....
Aug 29, 2011
In previous LMS versions the DCR could hold more devices than the licenses of the other applications permitted, and using the "user defined fields" we have used it as a general device repository for some customers, pushing only the supported Cisco devices to the various applications. In LMS 4 Cisco has removed all allocation possibilities from the various applications and replaced them with an all-or-nothing type of allocation. Does this now mean that any entry in the DCR is automatically counted as a used device license?
Jan 18, 2012
I wish to purchase Cisco Prime LMS 4.1, particularly Cisco part # R-LMS-4.1-500-K9 which supports 500 Cisco nodes. We have about 360 Cisco switches/routers/ASA/FWs/WLCs so the 500 nodes license would seem to suffice for now & for future growth. We also have about 200 lightweight APs that are managed & monitored by our WLC/WCS/Navigator environment. According to the device support documentation for LMS, it supports and I assume will auto-discover these APs. Does that mean these APs will use up node licenses on LMS even though management of the APs is done by WLC/WCS? If so is there an easy way to suppress discovery of APs by LMS so we don’t have to purchase extra node licenses for LMS? Or, does LMS offer additional support features for wireless APs not already offered by WLC/WCS/Navigator? Just trying to understand how many network node licenses for LMS I have to purchase.
Feb 14, 2012
At the end of the day I simply need to upgrade the license on my ASA 5505 v7.2.4 (upgrade will come later as part of a larger project) to allow for >10 Inside Hosts. From what I've read there seems to be a 50 license upgrade out there. Can this be purchased directly? From whom? Will it only affect the Inside Hosts number and not affect any other licenses, configurations, etc. Just being overly cautious since this is way outside of my normal realm. Below is the current activation-key information....
Result of the command: "show activation-key"
Serial Number: xxxxxxxxxxxxxx
Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
Mar 25, 2013
Getting the following alarm from my ISE: Cause: Base License Enforcement Details: Base concurrent users exceed license allowable count. Currently only using 1656 out of 2000 base licenses so I'm not sure what the issue is. Running 1.1.2.145 patch 3.
Dec 3, 2012
Can I bind an SSL license key from 1 ASA to another? We recently got a 5540 and I want to use my SSL 5510 license on the new firewall.
Oct 16, 2012
What's the difference between the VPN Plus license and the Security Plus license? I have a new 5520 shipped with a VPN Plus license. Also, does it require a separate license for AnyConnect for Mobile and AnyConnect Essentials?
Apr 3, 2013
I’m stuck on a problem with the installation of LMS4.0 at a customer site.
- We purchased LMS4.0 (CWLMS-4.0-100-K9) but couldn’t install it on Windows Server 2008 R2 64bit because those things don’t support each other.
- I need to upgrade LMS4.0 to LMS4.2, which supports Windows Server 2008 R2 64bit.
- So, I ordered following items via product update tool (url...) [code]
- In this status, how do I install LMS4.2 with a license for 100 devices? If I install R-PI12-BASE-K9 first, can I enter a license for 100 devices for CWLMS-4.0-100-K9 into PI1.2?
Mar 6, 2011
ASA v 8.2. What does the ACL hit count count? I always thought that the ACL hit count counted the number of packets hitting that line in the ACL, however that is not the case. If I set up an ICMP permit rule then that will only increment by 1 even if I send 4 packets that hit the line. UDP and TCP seem to do the same. Is there some way I can make the ACL actually count the packets that hit? Where can I learn more about this?
Nov 7, 2012
I have several working VPNs between ASAs 8.4 and 8.3. The way this was set up is with crypto maps that match whole subnets and an ACL on the outside interface to permit from/to the RFC 1918 addresses. I notice that the hit count is zero on these rules and so I wonder if they are actually necessary or doing anything. If they are not, where can an ACL be applied to restrict the VPN traffic? Outbound on the inside interface?
Sep 26, 2011
We are running WCS 7.0.164.3 and wonder whether there is any reporting option available that can give us a daily report on the Top 50 or Top 100 APs by client count.
I know that I can look at the client tab under the WCS home page and see the top 5 APs by client count in real time. In our environment we have around 700 APs and would like to know, by having this kind of report, which APs are mostly hit?
Aug 25, 2011
I have a recent new install of Cisco Works and all is working fine. My issue is with a feature that doesn't seem to be present. When I create a report to check on syslogs the report returns all syslogs whether they are repetitive or not. Is there a way to have the same syslog error come back with a number of occurrences?
The feature doesn't show up when I create a custom report?
Apr 18, 2012
We have an ASA 5510 (v8.2.2 with ASDM 6.4.7, 256Mb mem) with a license for 250 VPN Peers. The machine currently has one site-to-site VPN active. I've added a remote-access IPSec VPN for some users but when connecting from the remote site the connection is dropped and the ASA reports %ASA-4-713239 Tunnel Rejected : The maximum tunnel count allowed has been reached.
I've searched for info relating to this message but I found none. Before I plan a restart (it's up for 222 days), is there something I could do on CLI to fix this?
Oct 18, 2011
I've got a Cisco 7609 with WS-X6708-10GE (8x10Ge). One port (te9/4) on it has zero bit rate counters, but all the rest of them are very good. I can see traffic if I read it by SNMP. [code]
Feb 22, 2012
"Galileo interrupt: PC10 retry count expired" This error keeps flooding the terminal window so it is impossible to even try to work via console. With a Google search, the closest thing I've come up with is that this is a fault with the CPU cache, and that no workaround is available, thus this unit is pretty much destroyed. I am just long-shooting here and wonder if anyone here knows anything more about this before I throw the card in the trash bin?
Feb 9, 2012
We are running an ASA5520 with a system image of "disk0:/asa843-k8.bin". I'm also running ASDM ver: 6.4(7). So my question is: while I'm in the ASDM on the configuration of the firewall, I'm looking at the Access Rules. When I do a show log on any of the rules that have hit counts on them, it opens up a Real-Time Log Viewer but I don't see any information. It's not showing anything, nothing appears, it just sits there like it's waiting but no data is coming. Even though if I go back out to all the rules, I can see the hit count incrementing. The same thing happens no matter which rule I pick with hit counts on them.
Feb 21, 2013
I recently upgraded our head end ASA5510 at our datacenter from 8.2.1 to 8.4.5. The ASDM was also upgraded from 6.2.1 to 7.1.(1)52. Under the old code, a remote ASA5505 connected via Easy VPN Remote showed 1 IPsec tunnel. However, after the upgrade, it shows 42 sessions. It would seem to me that each split tunnel network defined in the Easy VPN profile is being counted as a tunnel. Is it possible that I may have something misconfigured now that the code is upgraded?
Sep 12, 2011
Only fifteen users are allowed to connect on the WLAN Controller WLANs provided on the 600 series at any one time. A sixteenth user cannot authenticate until one of the first clients de-authenticates or a timeout occurred on the controller. Note: This number is cumulative across the controller WLANs on the 600 series. For example, if two controller WLANs are configured and there are fifteen users on one of the WLANs, no users will be able to join the other WLAN on the 600 series at that time. This limit does not apply to the local private WLANs that the end user configures on the 600 series designed for personal use and clients connected on these private WLANs or on the wired ports do not affect these limits. This is from the Configuration Guide for the 600 series Office Extend AP. Is this count per AP or total per WLC? If I have 10 APs deployed to our remote users, can each AP support two simultaneous users? Would I need to use separate WLANs for each OEAP?
Jan 15, 2012
Created two 6509s as VSS with just one 10gb connection? I know it is recommended to use both the 10gb connections on the sup-720 from the below configuration guide:
"Information about VSL Topology
A VSS contains two chassis that communicate using the VSL, which is a special port group. Configure both of the 10-Gigabit Ethernet ports on the supervisor engines as VSL ports."
But will the VSS come up if I use just the one?
Feb 6, 2013
I'd like to know your experience regarding how client count affects performance.
What I have seen in a university network, with a very high client density, using 3500 APs, is that around 55 clients ping reply time gets over 200 ms; around 60 users there's packet loss; then, as CC increases, somewhere between 60 - 70 the service gets totally lost. Of course, this depends on bandwidth consumption per user, interference, etc.
Also, I'd like to know what we could expect from 802.11ac regarding this topic. Is there any information on tests, or some estimation already published?
Apr 29, 2012
I have an environment of a Cisco 5508 Wireless Controller and 1142N Access Points. I have a problem with the ratio of concentration of clients connecting to access points on floors.
Recently I have been turning off 802.11a on the access points and I am seeing an increase in client count on a few of the access points. What is the maximum client count supported by these access points and how do I ensure they are distributed evenly across access points?
Jul 6, 2010
I've just installed ACS 5.1 and noticed that it seems to count managed devices differently than previous versions.
I have a 500 count license which should be fine as I have about 100 devices which will use ACS for TACACS. On ACS 3.x and 4.x, I would set up AAA clients by using a wild card for the subnets that host our routers/switches, say 192.168.1.0/24, 172.16.1.0/24 and 10.1.1.0/24. When I do this with ACS 5, I get a Managed Device Count Exceeded error message because of the potential of more than 500 AAA clients. It seems to be counting every IP address in the subnet as a managed device, even if there are only a handful actually in use. Is there a way around this short of having to manually enter (and maintain) the exact IP address of every managed switch and router which will use the ACS server for TACACS?
Mar 14, 2013
We use WLC 5508 with 7.4. We tried to set max allowed clients per AP radio to 30 through the GUI. We have APs with 80 clients associated though.
When entering config wlan max-associated-clients max-clients wlan-id we got
"WLAN/Guest-Lan/remote-lan is enabled. disable to configure max associated clients."
The GUI doesn't show that message, should it? In the GUI, is it necessary to disable the WLAN first too?
Sep 4, 2012
I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.
Feb 23, 2012
A Network Lab (governmental) did not let our Cisco 2960s switches be imported to the country and said "according to my lab tests, the maximum mac that your switch can learn is about 500 but as cisco says it should be about 8000".
They did not give me their software but I would like to test it myself.
Is there software which generates thousands of MACs and injects them into the switch to test the real amount shown in show mac count?
Apr 9, 2013
I have encountered an error while creating the new poller by selecting the interface error template.
Is it a license limitation? If it is a license limitation, how can I find out the current device count in the performance monitor page?
Mar 20, 2013
I need to count the bytes for some interesting traffic crossing the firewall in ASA 5500. Packet Capture is so far as I need, cause I only need the number of bytes during a long time for about 3 months (source host - destination host)
capture capin type raw-data access-list cap buffer 33554432 interface inside circular-buffer [Capturing - 33553570 bytes]
I need to get only the exactly amount of "33553570 bytes" The pcap file is not needed
May 21, 2013
I have some questions around Prime Infrastructure. Does a general document exist regarding the licensing count of monitored devices? Indeed I am wondering about these specific points. Is it true that:
- A 3750 stack unit counts as one (for example a 4 units stack consumes 4 licenses)?
- A WLC (except 5500) does not consume a license but only the Lightweight APs?
- An autonomous AP does not consume a Lifecycle license?
Jan 20, 2013
Our customer gets the problem that the switch counts the 5 min input/output rate of connected traffic interfaces as always ZERO. The problem only occurs on the module 3, 4 and 5 interfaces; module 2 has no problems.
-------------------------------------------------------------------------------------------------
Catalyst 4506E
12.2(52)SG
Chassis Type : WS-C4506-E
Power consumed by backplane : 0 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
 1     6  Sup 6-E 10GE (X2), 1000BaseX (SFP)     WS-X45-SUP6-E
 2    48  10/100/1000BaseT (RJ45)                WS-X4548-GB-RJ45
 3    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
 4    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
 5    48  10/100/1000BaseT (RJ45)                WS-X4648-RJ45-E
[code]....+
Aug 25, 2011
If there is a router ISRG2 2900 with SEC license and without HSEC license, there is a limit in count of cumulative encrypted VPN tunnels of 225. Which commands can show us a number of current tunnels on the router, so we can see if we are near this limit of 225?
Feb 2, 2013
I have an issue with an IPsec VPN between a Cisco 1841 & Cisco asa5500: packets are getting encrypted on both ends but on both ends the decrypt count is 0.
May 21, 2013
I have a Cisco ASA 5540 running 8.2(5). When I dial a phone on the other side of the VPN the first time I get a blank after it rings (i.e. when the voice mail gets activated or if someone picks the phone up), however it works the second and subsequent times I dial.
A little background. Two sites A and B connected via IPsec Tunnel. No problems in communication except for the VoIP issue. A phone is on site A (172.17.168.x) and the other on site B (192.168.103.x). Site A and Site B are connected via an IPsec tunnel on the Cisco ASA. First call fails. Second call works. The result of a packet trace is also the same. The UDP packet gets dropped when tried for the first time but subsequent ones pass.
First time
ASA5520# packet-tracer input inside udp 172.17.168.95 10000 192.168.3.103 10000
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
[code].......