Though past the end-of-life announcement, the Cisco ASA 5505 is still a common router to see. I feel as though just yesterday I was installing them regularly. Today I’m recommending their replacements. Gosh, I feel old…
Anyway, the ASA5505 came with a base license that was – essentially – a total turd. Sure, it has the awesome ASA feature set, but it came with a limitation of 10 users and 1 LAN (and a DMZ, but you weren’t allowed to route traffic between them openly). But it was cheap and has the Cisco name on it and as such, many users bought them. Later on, they’ll add a printer, a credit-card machine and a little file server and boom – they’re over a long-forgotten limitation of ten hosts.
If you have a number of machines on a LAN that experience intermittent connectivity with the outside world (and one PC you test from never seems to go down), that’s because the Cisco has hit the license limitation for network hosts and is preventing other machines from getting online.
Enable console or buffered logging at (I believe) a debug level and check for messages like this one I stole from another blog:
11:29:05 450001 18.104.22.168 80 Deny traffic for protocol 6 src outside:22.214.171.124/23580 dst inside:126.96.36.199/80, licensed host limit of 10 exceeded
You can also issue a show local-host command to see the host limit and current host count:
someones-asa-5505# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 12, towards licensed host limit of: 50
[...]
There’s also the show activation-key command to see what you’re licensed for:
someones-asa-5505# show activation-key
Serial Number: ABC1234ABCD
Running Activation Key: [Redacted]
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : 50
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5505 Security Plus license.
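An added example (not from the original post and not Cisco's code): a small Python parser for the two outputs shown above, the "licensed host limit of N exceeded" deny message and the show local-host summary line. It reports which hosts on the licensed side are being denied and how much headroom is left. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Deny message in the form quoted in the post (message ID 450001).
DENY_RE = re.compile(
    r"Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)
# Summary line printed by "show local-host".
COUNT_RE = re.compile(
    r"Current host count: (?P<count>\d+), towards licensed host limit of: (?P<limit>\d+)"
)
# Constructed sample input (documentation and private addresses, not real traffic).
SAMPLE_LOG = [
    "11:29:05 450001 Deny traffic for protocol 6 src outside:198.51.100.7/23580 dst inside:192.168.1.23/80, licensed host limit of 10 exceeded",
    "11:29:09 450001 Deny traffic for protocol 17 src inside:192.168.1.31/53124 dst outside:192.0.2.53/53, licensed host limit of 10 exceeded",
    "11:29:12 450001 Deny traffic for protocol 6 src inside:192.168.1.31/50211 dst outside:192.0.2.80/443, licensed host limit of 10 exceeded",
    "11:29:20 constructed unrelated line that must be ignored",
]
SAMPLE_SHOW = (
    "Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.\n"
    "Current host count: 12, towards licensed host limit of: 50\n"
)

def denied_hosts(log_lines, internet_if="outside"):
    """Count host-limit denials per host on the licensed (non-Internet) side."""
    hits = Counter()
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        # The host limit applies to every interface except the Internet one,
        # so the affected host is the endpoint that is not on internet_if.
        side = "dst" if m["src_if"] == internet_if else "src"
        hits[(m[side + "_if"], m[side + "_ip"])] += 1
    return hits

def host_headroom(show_local_host_output):
    """Return (count, limit, remaining) from 'show local-host' output, or None."""
    m = COUNT_RE.search(show_local_host_output)
    if not m:
        return None
    count, limit = int(m["count"]), int(m["limit"])
    return count, limit, limit - count

if __name__ == "__main__":
    print(denied_hosts(SAMPLE_LOG).most_common())
    print(host_headroom(SAMPLE_SHOW))
```
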