Cisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host
May 18, 2011
I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidently, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?
Apr 12, 2011
On my Pix515E ASDM console I quite often see large surges in the total number of connections. I would like to find a convenient way to see what (or who) is causing this.
The command Show Local gives the answers but it returns details of each connection and I can't see a way to omit the detail. Show Conn Count just gives the total. Ideally I would like to get a summary of the number of connections (TCP/UDP) for each inside host.
On a related matter I have used
static (inside,outside) 12.34.56.00 2.34.56.00 netmask 255.255.255.0 tcp 400 100 udp 200
to limit the number of connections to a subnet. This works and I see errors in the syslog when the limit is exceeded, but when I change the limits and apply the changes, the syslog errors still show the previous limit being reached. How can I make changes to these connection limits take effect (without reloading the Pix)?
Nov 16, 2010
Any actual limit on the number of IPSEC SAs that can be negotiated on the crypto module of a 3900 series G2 router? When I issue the command on a 2900 G2,This implies the 2900 series can handle 1800 IPSEC tunnels with an SA used for each direction. All of the documentation and support requests have stated that the crypto module is better than the AIM module in the older series routers but I have been unable to get a concrete answer to the limit.
Sep 28, 2011
I thought that in the past I had problems with my ASA5505 because I had to reboot a number of times. Now that I have logging enabled I can see the following: -Deny traffic for protocol 17 src inside, licensed host limit of 10 exceeded. Does this mean that I cannot have any more than 10 inside hosts going out of the outside interface at any time? If not, what does this mean and how can I solve it?
Feb 26, 2013
I updated an ASA 5505 to 50 users, but I still can only connect 10 hosts. In Licensing it shows 50 inside hosts. I also tried to update to ASA 8.4.5 but that did not work.
Feb 20, 2013
I have 25 APs 1141 located in a ten-floor building and connected to WLC 5508 ver 7.4.100.0. After the upgrade from WLC 7.0.116.0 a few clients started to complain that they are affected by periodic disconnection from the wireless network. It happens twice an hour. In the WLC log I noticed some errors on almost every AP: AP with MAC: c4:0a:yy:yy:zz:xx(AP1) radio 0: Associated Clients falls below max limit number:200. Failure Cause:Clear Maximum Client Limit Reached in WLAN. What does it exactly mean? I have no limit per WLAN (it is set to 0), but in WLC 7.4 I must put some limit for the number of clients per AP and the max is 200. It is not possible that I have 200 users connected to one AP, as in 10 floors there are like 150 users maybe. The number of all connected clients right now is 120.
Jan 1, 2013
I've looked at the forum posts and the document post, and I understand the explanations. My question is, under system administration>max user session global settings, would setting a timeout (say 1 hour) purge these sessions?
Under access policies, I am not enforcing max concurrent sessions per user, due to some of our devices using a generic log in. But if I understand the explanation, and my understanding might be wrong, then setting an expiry timeout should purge the accounting sessions, right?
Feb 17, 2013
How do I keep my wireless network active while the host pc is turned off?
Nov 1, 2012
I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host. What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 4.2.2.2 on the Outside, but that's it; no other host would be PINGable. I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp", but then everything is PINGable and the ASA does not block anything.
Jan 14, 2011
We are using ACS 5.1 and from time to time we are getting a warning saying that the active sessions are over the limit (250000). It is just a warning, so my assumption is that it's not a big deal, but how do we keep from getting the event, or prevent the event?
Feb 28, 2012
Is it possible to configure WLC so that only one user can connect to wireless network at a time with one login? We have WLC5508 (7.2.103.0) web authentication with LDAP (Active Directory).
Apr 27, 2009
I have a GSS 4490 but only want it to be authoritative for certain hosts. Sysadmins don't want to lose control of their DNS records. How do I point Active Directory to the GSS to look up the host? I need to keep the AD domain as authoritative for the DNS records, but to pass on DNS requests to the GSS for certain hosts.
Aug 19, 2012
I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3?
Nov 15, 2011
The number of VLANs on a trunk is 4096; can I limit this number? I need the trunk to pass only 10 VLANs.
May 20, 2012
I have a question regarding the maximum number of active SSIDs on a WLC 5500 with 3500i. It's my understanding that the 3500i can support 16 active SSIDs; is it the same when connected to the WLC? Also, if possible, would the WLC shut down unused radios, or maybe after hours?
May 2, 2012
I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer. There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN, the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my IPsec SAs and can only pass traffic to some of the remote networks. Does the 25 IPSec limit apply to multiple SAs on one peer? I've only ever seen it spoken of as a 25 peer limit.
May 14, 2012
We are planning on offering low end ASA 5505s as a customer offer to connect their network to our cloud, as this is a business requirement. However, one of my colleagues is convinced that the license for the 5505 is *not* based on the number of IPSEC endpoints, but the number of distinct connections via *any* tunnel. So, according to him, if you have a license for 10 IPSEC endpoints, if you have 11 people connecting via *one* tunnel from a customer's network to our cloud, you go beyond your license.
Feb 24, 2012
I have an issue at my work where we are trying to add another computer to our network. We have 3 computers on XP (including our server) and 7 on Windows 7, 10 total. Now I've just tried adding the 11th PC and had no luck connecting to the server, but I do have internet access. I am aware Win7 allows 20 max connections. If we upgrade our server PC to Win7 and leave the other 2 computers on XP, will I be able to add this 11th PC? Or do I have to upgrade all the remaining XP machines to Win7 to get the result I'm looking for?
Nov 29, 2011
I have a Cisco 5520 running as IPsec concentrator. On the ASDM homepage it shows like 31 VPN connected. But if I go to Monitor > VPN it shows only 18. Then if I use SSH, using the sh crypto command, it shows the same number as on the Monitor > VPN section. I am running 8.3(1) and ASDM 6.3(1).
Apr 7, 2011
We are having random issues of users not being able to connect to our wireless network consistently. The users will have successfully accessed the network previously but then will have difficulty associating to the network. After a period of time, the association appears successful again. My first thoughts were that there was a restriction on the number of clients that could associate to a given AP at any one time.
This is the equipment we have:
1x Cisco Wireless Control Server (WCS) 6.0.181.0
4x Cisco 5508 Wireless LAN Controllers 6.0.196.0
60x Aironet 1142N Lightweight Access Points (LAP)
Is there a hard or recommended maximum number of clients per LAP? If so, where is this defined? From what I have read on these forums, Cisco apparently recommends about 25 clients per AP but I cannot find any official documentation to support this. When I go to WCS Home > General > Top APs by Client Count, the top AP reports 20 clients. However, if I click on the AP Name and go to the Current Associated Clients tab, it is only listing 8 clients - why is this?
Mar 25, 2012
RV082 - 1.3.2 I need to have RDP and pcAnywhere enabled to a customer site for remote support, but need to limit the incoming IP ranges to only our offices. I have the port forwarding set up and tested working. I then set up rules to deny all traffic on the needed ports and added rules to allow a few IP ranges from our office locations. I even tried a rule allowing all traffic from our main office but that also failed to allow RDP or pcAnywhere connections. Now I can no longer connect from any of our remote offices. I followed the limited instructions that I found in another post but it's not working.
Nov 22, 2012
Is there any way to limit a user's traffic volume on ASA8.4? If there is, how?
Apr 9, 2012
The address of my server, as a url, not the IP Address. I already have that, and how to find the number of connections allowed by my provider, which is clearwire.
Jul 2, 2012
I have a BT Home Hub 3 and quite often get messages "cannot connect to network". I have many (>20) devices connected. Have I reached the limit? With four kids in the house the pressure to connect even more devices is growing.
Apr 25, 2012
Currently we are using a single connection to our ISP and in the coming months will be moving to two separate connections (to the same ISP). In our current setup we utilize active/passive ASAs (5520, single context) and would like to utilize that going forward as well, the reason being that our DMZs all hang off of these ASAs and we have fiber connectivity between our datacenters. Our main datacenter and DR datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently, with both terminating in our ASAs. That way if the ASA at our current site fails, the DMZs are still accessible via the secondary firewall at our DR facility.
Jun 5, 2013
how many active TCP sessions my ASA has but having a hard time finding this information. When I do "show conn count" from the CLI it shows what I'm guessing is a sum of both TCP and UDP. Is there any way to get just the TCP connections?
Feb 18, 2013
I have been looking for the command to view all concurrent active connections or sessions on our Cisco 2911. I want to see what the total connections or sessions are at peak times throughout the day.
Apr 3, 2011
So yesterday I was sitting at my computer, doing nothing, and then the internet shuts off. So I go upstairs to check on the router, and all of the normal lights are on, as well as the modem. Neither the host nor the wireless computer has internet. I'm able to be on the forums because I hooked my modem up to this computer, without the router. Whenever I set the router back up, it has the normal connectivity lights on, but the wireless computer AND host computer don't get a connection. How to get my wireless computer back up through this router, without canceling ALL connection. [CODE]
May 1, 2013
What would be an acceptable number of wireless connections to a WRVS4400N router? I'm working in the IT department for a new company, and one of the offices complains that using VoIP and doing large file transfers are constantly a problem. They are all connecting wirelessly to the WRVS4400N. I managed to VPN in and connect to the web interface of the router, and it shows that there are 30 devices connected wirelessly to it. However, when people plug into the wall jack, VoIP and data seem to work fine. I can't find any info on what a best practice would be for the number of wireless connections to the router. There are no VLANs set up on it from what I can tell, so that may be my next step, to separate data and voice traffic.
Jan 11, 2012
Is there a maximum number of licenses for connections to a 877? The reason I ask is that our routers are managed by a datacentre and when I asked for the login details I was told that I couldn't have them due to licensing reasons, with no other explanation.
Jan 28, 2012
ACE A2(3.4). Is it possible to set a rate limit on connections per sec from any source IP? For example, if a client is trying to GET a web page 10 times per sec I will send a reset or drop that connection.
Dec 9, 2012
I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. [code] What this does is allow port forwards on port 3389/rdp. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones. This is a critical requirement for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/ssh. I've had a look around; rate limiting searches generally land me on QoS based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there, such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.
Apr 14, 2012
I am using ASA 5520 and ASA 5540 for remote access VPN connections. Is it possible to do active monitoring of my VPN connections so that there would be alerts for VPN tunnels that fail to establish due to reasons other than user authentication?