The Woes of a Base Cisco ASA License

Though past the end-of-life announcement, the Cisco ASA 5505 is still a common router to see. I feel as though just yesterday I was installing them regularly. Today I’m recommending their replacements. Gosh, I feel old…

Anyway, the ASA 5505 came with a base license that was – essentially – a total turd. Sure, it had the awesome ASA feature set, but it came with a limitation of 10 users and 1 LAN (and a DMZ, but you weren’t allowed to route traffic between them openly). But it was cheap and had the Cisco name on it, and as such, many users bought them. Later on, they’d add a printer, a credit-card machine and a little file server and boom – they were over a long-forgotten limitation of ten hosts.

If you have a number of machines on a LAN that experience intermittent connectivity with the outside world (and one PC you test from never seems to go down), that’s because the Cisco has hit the license limitation for network hosts and is preventing other machines from getting online.

Enable console or buffered logging at (I believe) a debug level and check for messages like this one I stole from another blog:

11:29:05 450001 24.106.9.206 80 Deny traffic for protocol 6 src outside:216.81.128.197/23580 dst inside:24.106.9.206/80, licensed host limit of 10 exceeded

You can also issue a show local-host command to see the host limit and current host count:

someones-asa-5505# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 12, towards licensed host limit of: 50
[...]
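
To triage this from saved output rather than by eye, the following added example (not part of the original post) parses the host-limit deny message and the show local-host summary shown above. The function names and all sample lines other than the first log line and the two show local-host lines are constructed; it assumes the endpoint on the non-Internet interface is the host being refused.

```python
import re
from collections import Counter

# Constructed sample input: first log line and the local-host text are quoted from the post.
SAMPLE_LOG = """\
11:29:05 450001 24.106.9.206 80 Deny traffic for protocol 6 src outside:216.81.128.197/23580 dst inside:24.106.9.206/80, licensed host limit of 10 exceeded
11:29:07 450001 192.0.2.15 443 Deny traffic for protocol 6 src inside:192.0.2.15/51000 dst outside:198.51.100.7/443, licensed host limit of 10 exceeded
11:29:09 450001 192.0.2.15 53 Deny traffic for protocol 17 src inside:192.0.2.15/51001 dst outside:198.51.100.53/53, licensed host limit of 10 exceeded
11:29:10 302013 Built outbound TCP connection 42 for outside:198.51.100.7/443 to inside:192.0.2.10/50000
"""
SAMPLE_LOCAL_HOST = """\
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 12, towards licensed host limit of: 50
"""

# Match on the message text only; the timestamp/ID prefix varies with the log viewer.
DENY_RE = re.compile(
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)/\d+ "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)/\d+, "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)
INTERNET_IF_RE = re.compile(r"Detected interface '([^']+)' as the Internet interface")
COUNT_RE = re.compile(r"Current host count: (\d+), towards licensed host limit of: (\d+)")

def parse_local_host(output):
    """Return (internet_iface, host_count, host_limit) from show local-host output."""
    iface = INTERNET_IF_RE.search(output)
    count = COUNT_RE.search(output)
    if not count:
        raise ValueError("host count line not found")
    return (iface.group(1) if iface else "outside", int(count.group(1)), int(count.group(2)))

def blocked_hosts(log_text, internet_iface="outside"):
    """Count host-limit denials per host on the licensed (non-Internet) side."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        for iface, ip in ((m["sif"], m["sip"]), (m["dif"], m["dip"])):
            if iface != internet_iface:
                hits[ip] += 1
    return hits

if __name__ == "__main__":
    iface, count, limit = parse_local_host(SAMPLE_LOCAL_HOST)
    print(f"{count}/{limit} licensed hosts in use, {limit - count} free (Internet side: {iface})")
    print("hosts refused by the limit:", dict(blocked_hosts(SAMPLE_LOG, iface)))
```

The sample log and the sample show local-host text come from differently licensed units (limit 10 versus 50), just as the two excerpts in the post do.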

There’s also the show activation-key command to see what you’re licensed for:

someones-asa-5505# show activation-key
Serial Number: ABC1234ABCD
Running Activation Key: [Redacted]

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : 50
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has an ASA 5505 Security Plus license.