ASA/PIX VPN


Post by camelot » Mon 06 Mar, 2017 15:44

In most VPN setups, each VPN user is given unique login credentials. Very rarely, you might run into a situation where a group of individuals is going to be sharing a set of credentials. For example, you might assign VPN credentials to another company for temporary access to part of your network. If you run into this situation, you should be aware that the default maximum simultaneous logins allowed on a Cisco ASA is three. Fortunately, this isn't the absolute maximum, just the default.


If you're running into this problem, you should see the following error in your error logs:

%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. Session Type: , Duration: 20h:43m:15s, Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted

An ASA-4-113019 log message is generated every time a VPN client disconnects. The key to deciphering this problem is the reason: Port Preempted. This means the same user has logged in too many times. In order to increase the maximum number of simultaneous logins, a change needs to be made in the group policy the user is using. In order to allow our user "fred" to connect more than three times, we'll need to add the following line to the appropriate group policy, in this case GUEST.

group-policy GUEST attributes
 vpn-simultaneous-logins 4

Now, any user in the GUEST group can log in up to four times before getting automatically disconnected.
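
An added example, not part of the original post: a Python sketch that scans log lines for %ASA-4-113019 disconnects whose reason is Port Preempted and tallies them per group and username, along with the source IPs seen, so you can tell which shared accounts are hitting the vpn-simultaneous-logins limit. The function name and every sample line after the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the %ASA-4-113019 message quoted in the post.
ASA_113019 = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\..*?Reason: (?P<reason>.+?)\s*$"
)


def preempted_sessions(lines):
    """Return {(group, user): {"count": n, "ips": set}} for Port Preempted disconnects."""
    hits = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        m = ASA_113019.search(line)
        # Skip other messages and ordinary disconnects.
        if not m or m.group("reason") != "Port Preempted":
            continue
        entry = hits[(m.group("group"), m.group("user"))]
        entry["count"] += 1
        entry["ips"].add(m.group("ip"))
    return dict(hits)


# Sample input: the first line is the message from the post,
# the remaining lines are constructed for this example.
SAMPLE_LOG = [
    "%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, "
    "Session disconnected. Session Type: , Duration: 20h:43m:15s, "
    "Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted ",
    "%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.130, "
    "Session disconnected. Session Type: , Duration: 0h:12m:02s, "
    "Bytes xmt: 1024, Bytes rcv: 2048, Reason: Port Preempted",
    "%ASA-4-113019: Group = STAFF, Username = alice, IP = 192.168.117.50, "
    "Session disconnected. Session Type: , Duration: 1h:00m:00s, "
    "Bytes xmt: 500, Bytes rcv: 700, Reason: User Requested",
    "an unrelated log line that should be ignored",
]

if __name__ == "__main__":
    for (group, user), info in sorted(preempted_sessions(SAMPLE_LOG).items()):
        ips = ", ".join(sorted(info["ips"]))
        print(f"{group}/{user}: {info['count']} preempted session(s) from {ips}")
```

Several distinct source IPs under one username is what a shared account looks like in this output; the same pattern on an account that is not meant to be shared is worth a closer look before raising the limit.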
