Thursday, October 3, 2013

Cisco ASA: How Can You Tell How Many User Licenses Are Being Used On The ASA

Have you ever had a site where you had an ASA with 10 or 50 user licenses, and they were really close to the user license count?  I have, several times.  You get some users who can't 'get on the Internet'.  This IP phone doesn't work anymore (can't stay registered).  Any number of things you could hear.
So how do you know for sure if you are over that license limit?  Good question.
Run the command below, and keep in mind that the count reflects concurrent connections.
.5505# sho local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 48, towards licensed host limit of: 50

Interface outside: 44 active, 209 maximum active, 0 denied
local host: <111.221.74.13>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    UDP outside 111.221.74.13:40016 inside 192.168.104.28:15197, idle 0:01:41, bytes 170, flags -
local host: <91.190.216.61>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited

... the rest is deleted for brevity...

This tells you where you stand on user license usage.  No one wants to count devices.
And if you are close and need to bring the xlate timeout down from the default 3 hours, you can do the following (useful when people are coming and going, such as a guest on the network who pushes you just over that license limit).
This is the default:
timeout xlate 3:00:00

This is what you can do to run the timeout to 5 minutes:
timeout xlate 0:05:00
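
To save reading the counters by eye, the following added example (not part of the original post, and not Cisco code) parses saved `show local-host` output, reports how close the host count is to the licensed limit, and lists the internal addresses holding connections. The 90% warning threshold and the handling of the 'denied' counter are assumptions.

```python
import re

# Excerpt of the `show local-host` output from this post, embedded so the script runs offline.
SAMPLE = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 48, towards licensed host limit of: 50

Interface outside: 44 active, 209 maximum active, 0 denied
local host: <111.221.74.13>,
    TCP flow count/limit = 0/unlimited
    UDP flow count/limit = 1/unlimited

  Conn:
    UDP outside 111.221.74.13:40016 inside 192.168.104.28:15197, idle 0:01:41, bytes 170, flags -
"""

COUNT_RE = re.compile(r"Current host count:\s*(\d+), towards licensed host limit of:\s*(\d+)")
IFACE_RE = re.compile(r"^Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied", re.M)
# Conn lines read "<proto> <ifc> <addr:port> <ifc> <addr:port>, ..."; capture the second address.
CONN_RE = re.compile(r"^[ \t]+(?:TCP|UDP) \S+ \S+ \S+ ((?:\d+\.){3}\d+):\d+,", re.M)


def parse_local_host(text):
    """Pull the license counters and the internal addresses out of `show local-host` text."""
    m = COUNT_RE.search(text)
    if m is None:
        raise ValueError("no 'Current host count' line found in the output")
    interfaces = {name: {"active": int(a), "max": int(mx), "denied": int(d)}
                  for name, a, mx, d in IFACE_RE.findall(text)}
    return {"used": int(m.group(1)), "limit": int(m.group(2)), "interfaces": interfaces,
            "internal_hosts": sorted(set(CONN_RE.findall(text)))}


def assess(report, warn_ratio=0.9):
    """Return 'over', 'warning' or 'ok'. warn_ratio is an assumed threshold, not a Cisco value."""
    # Assumption: a non-zero 'denied' counter is treated as a sign that hosts are being refused.
    denied = sum(i["denied"] for i in report["interfaces"].values())
    if report["used"] >= report["limit"] or denied:
        return "over"
    if report["used"] >= warn_ratio * report["limit"]:
        return "warning"
    return "ok"


if __name__ == "__main__":
    r = parse_local_host(SAMPLE)
    print(f"{r['used']}/{r['limit']} hosts, {r['limit'] - r['used']} free -> {assess(r)}")
    print("internal hosts with connections:", ", ".join(r["internal_hosts"]))
```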


