It's not a matter of if, it's a matter of when. Anyone who's worked on an ASA will eventually (if it wasn't properly planned) find themselves troubleshooting an issue that isn't actually broken at all.

BTW — these new licenses are nasty! I just got my new one in and I prefer the older style!

The situation I ran into was an ASA where users would randomly say they couldn't VPN into the box using AnyConnect. Blame was placed on the AAA DC that was authenticating the users. Sometimes the server team would reboot the DC and "magically" things worked again. But for weeks I got complaints that users couldn't log in.

Worse, this box was over in China. So when users are trying to VPN in, I’m fast asleep. There goes my ASDM Log Viewer.

One thing I would recommend, aside from a shop having NetFlow, is a good syslog server. Even a free one will do, just to collect logs when you're looking at a box over the long term. That way, when an issue is intermittent, you don't end up in a troubleshooting scenario where you have to babysit the logs. Of course you could increase the logging buffer, but I'd rather send everything to a syslog server so nothing gets overwritten.

Around 12 AM I found this in the logs of the ASA…

%ASA-4-113029: Group <GroupPolicy_ChinaVPN> User <john.chambers> IP <171.131.251.51> Session could not be established: session limit of 27 reached.

Hmm, I didn't see this when I originally looked at the logs hours later (the buffer had already been overwritten). Thanks to my syslog server I caught it.
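This is exactly the kind of message that gets lost in a small logging buffer but is trivial to catch once the logs are landing on a syslog server. The script below is an added example (not part of the original post) that scans stored syslog lines for %ASA-4-113029 and reports who was refused, from which address, and what session limit the box reported. The %ASA-4-113029 format is taken from the line quoted above; the hostname, timestamps, user names and the surrounding filler lines are constructed, and the "Mon DD HH:MM:SS host" prefix is an assumed syslog-server storage format.

```python
import re
from collections import defaultdict

# Constructed sample of what a syslog server might have stored overnight.
# Only the %ASA-4-113029 message format comes from the post; the other
# lines, hostname, timestamps and user names are made up for the example.
SAMPLE_SYSLOG = """\
Sep 30 00:02:11 china-fw %ASA-6-302013: Built outbound TCP connection 4711 for outside:10.12.253.58/443 (10.12.253.58/443) to inside:10.1.1.10/389 (10.1.1.10/389)
Sep 30 00:03:42 china-fw %ASA-4-113029: Group <GroupPolicy_ChinaVPN> User <john.chambers> IP <171.131.251.51> Session could not be established: session limit of 27 reached.
Sep 30 00:04:10 china-fw %ASA-4-113029: Group <GroupPolicy_ChinaVPN> User <jane.doe> IP <171.131.251.52> Session could not be established: session limit of 27 reached.
Sep 30 00:04:55 china-fw %ASA-4-113029: Group <GroupPolicy_ChinaVPN> User <john.chambers> IP <171.131.251.51> Session could not be established: session limit of 27 reached.
Sep 30 00:05:30 china-fw %ASA-6-113039: Group <GroupPolicy_ChinaVPN> User <bob.smith> IP <171.131.251.60> AnyConnect parent session started.
"""

# Matches the body of message 113029 as quoted in the post.
SESSION_LIMIT_RE = re.compile(
    r"%ASA-(?P<sev>\d)-113029: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> Session could not be established: "
    r"session limit of (?P<limit>\d+) reached"
)

# Assumed syslog-server prefix: "Mon DD HH:MM:SS hostname " before the ASA message.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")


def parse_session_limit_events(text):
    """Return one dict per 113029 line: who was refused, from where, and the limit that was hit."""
    events = []
    for line in text.splitlines():
        m = SESSION_LIMIT_RE.search(line)
        if not m:
            continue  # not a session-limit refusal; ignore everything else
        p = PREFIX_RE.match(line)
        events.append({
            "timestamp": p.group("ts") if p else None,
            "host": p.group("host") if p else None,
            "group": m.group("group"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "limit": int(m.group("limit")),
        })
    return events


def summarize(events):
    """Aggregate refusals per group policy: count, distinct users, and the reported limit."""
    per_group = defaultdict(lambda: {"refusals": 0, "users": set(), "limit": None})
    for e in events:
        g = per_group[e["group"]]
        g["refusals"] += 1
        g["users"].add(e["user"])
        g["limit"] = e["limit"]
    # Sort the user sets so the report is deterministic.
    return {
        name: {"refusals": d["refusals"], "users": sorted(d["users"]), "limit": d["limit"]}
        for name, d in per_group.items()
    }


def license_exhausted(summary, min_refusals=1):
    """True when any group policy logged at least min_refusals 'session limit reached' events."""
    return any(d["refusals"] >= min_refusals for d in summary.values())


if __name__ == "__main__":
    report = summarize(parse_session_limit_events(SAMPLE_SYSLOG))
    for group, d in report.items():
        print(f"{group}: {d['refusals']} refusals, {len(d['users'])} distinct users, limit {d['limit']}")
    print("license ceiling hit:", license_exhausted(report))
```

Pointed at a night's worth of stored logs, this turns a "users randomly can't connect" complaint into a concrete count of refusals and the exact limit the ASA enforced, which is the number to compare against your AnyConnect license rather than the device's advertised capacity.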

Out of curiosity, I stayed up late enough to catch the evils of licensing at work…

China-FW#sh vpn-sessiondb
—————————————————————————
VPN Session Summary
—————————————————————————
Active : Cumulative : Peak Concur : Inactive
———————————————-
AnyConnect Client            :     27 :       1900 :          27 :        0
SSL/TLS/DTLS               :     27 :       1900 :          27 :        0
Clientless VPN               :      0 :         22 :           4
Browser                    :      0 :         22 :           4
Site-to-Site VPN             :      1 :         11 :           2
IKEv1 IPsec                :      1 :         11 :           2
—————————————————————————
Total Active and Inactive    :     28             Total Cumulative :   1933
Device Total VPN Capacity    :    250
Device Load                  :    11%
—————————————————————————

—————————————————————————
Tunnels Summary
—————————————————————————
Active : Cumulative : Peak Concurrent
———————————————-
IKEv1                        :      1 :         11 :               2
IPsec                        :      9 :      51205 :              10
Clientless                   :      0 :         22 :               4
AnyConnect-Parent            :     27 :       1900 :              27
SSL-Tunnel                   :     27 :       4094 :              27
DTLS-Tunnel                  :     26 :       3306 :              27
—————————————————————————
Totals                       :     90 :      60538
—————————————————————————

Right here I saw that AnyConnect was maxing out at 27 users (active and peak concurrent both sit at 27, the same number the log reported as the session limit).
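The trap in this output is that "Device Total VPN Capacity : 250" is the platform maximum, not what you are licensed for, so the only way to spot a license ceiling here is to compare the active and peak concurrent counts against the licensed peer count. The script below is an added example (not from the original post) that parses the summary block shown above and computes the headroom against a licensed-peer number you supply; the sample input is the post's own output with the separator lines normalized to plain hyphens, and the licensed-peer value is taken from the 27 reported in the 113029 log message.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The "VPN Session Summary" block from the post, embedded as sample input
# (separator lines normalized to plain hyphens).
SAMPLE_SESSIONDB = """\
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
---------------------------------------------------------------------------
AnyConnect Client            :     27 :       1900 :          27 :        0
SSL/TLS/DTLS               :     27 :       1900 :          27 :        0
Clientless VPN               :      0 :         22 :           4
Browser                    :      0 :         22 :           4
Site-to-Site VPN             :      1 :         11 :           2
IKEv1 IPsec                :      1 :         11 :           2
---------------------------------------------------------------------------
Total Active and Inactive    :     28             Total Cumulative :   1933
Device Total VPN Capacity    :    250
Device Load                  :    11%
---------------------------------------------------------------------------
"""

# A data row: name, then three or four colon-separated integers.
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9 /\-]*?)\s*:\s*(?P<active>\d+)\s*:\s*(?P<cum>\d+)"
    r"\s*:\s*(?P<peak>\d+)(?:\s*:\s*(?P<inactive>\d+))?\s*$"
)
CAPACITY_RE = re.compile(r"^Device Total VPN Capacity\s*:\s*(\d+)\s*$")


@dataclass
class SessionRow:
    name: str
    active: int
    cumulative: int
    peak: int
    inactive: Optional[int]  # only the AnyConnect rows report an Inactive column


def parse_session_summary(text):
    """Parse the summary rows into SessionRow objects keyed by row name, plus the device capacity."""
    rows, capacity = {}, None
    for line in text.splitlines():
        cap = CAPACITY_RE.match(line)
        if cap:
            capacity = int(cap.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators, totals and the load line are skipped
        name = m.group("name").strip()
        inactive = m.group("inactive")
        rows[name] = SessionRow(
            name,
            int(m.group("active")),
            int(m.group("cum")),
            int(m.group("peak")),
            int(inactive) if inactive is not None else None,
        )
    return rows, capacity


def license_headroom(rows, licensed_peers, row="AnyConnect Client"):
    """Compare the licensed AnyConnect peer count (not device capacity) with current and peak use."""
    r = rows[row]
    return {
        "active": r.active,
        "licensed": licensed_peers,
        "free": max(licensed_peers - r.active, 0),
        "at_ceiling": r.active >= licensed_peers,
        "peak_hit_ceiling": r.peak >= licensed_peers,
    }


if __name__ == "__main__":
    rows, capacity = parse_session_summary(SAMPLE_SESSIONDB)
    print("device capacity:", capacity)
    print("headroom against 27 licensed peers:", license_headroom(rows, 27))
    print("headroom if the box were licensed to its 250 capacity:", license_headroom(rows, 250))
```

Run against the post's output with 27 licensed peers, the AnyConnect row reports zero free sessions and both the active and peak counts sitting on the ceiling; run with 250 it shows 223 free, which is the gap between what the 5510 can do and what it was actually licensed for.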

Another command you can use is #sh vpn-sessiondb detail anyconnect:

Username     : john.chambers             Index        : 2030
Assigned IP  : 10.12.253.58           Public IP    : 111.201.181.161
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : RC4 AES128             Hashing      : none SHA1 SHA1
Bytes Tx     : 197157800              Bytes Rx     : 82894488
Group Policy : GroupPolicy_ChinaVPN
Tunnel Group : ChinaVPN
Login Time   : 08:33:26 UTC Tue Sep 23 2014
Duration     : 7d 2h:29m:06s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

This shows every user currently connected via AnyConnect, one block per session, including which license each session is consuming.

The fix? We ended up having to order more licenses for the box, since we were capping out. The box in question was an ASA 5510, which according to the data sheet can go up to 250 licenses.

http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html#wp2125486

*scroll down to your model and look at AnyConnect Premium Peers*

To view what you currently have licensed, run #sh ver on your box. You'll see a big laundry list of features and limits. To find out what each one does, do a quick Google search or pick up Cisco Press's Cisco ASA, 3rd edition.

William Zambrano

NYC networkers is run by William Zambrano, a passionate network engineer who has been in the IT industry for eight years who posts up blog articles, YouTube videos, and holds meetup.com events in the NYC area. He lives in Queens, New York and has consulted in various different companies in the NY area. Previously William worked as a Cisco Certified Systems Instructor (CCSI) but now currently works for Arista Networks serving as a Systems Engineer. William can be reached by email at willzambrano@gmail.com
