
Cisco Bug: CSCvu69735 - ENH: Increase the 8 IP address limit per user identity

Last Modified

Jun 22, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.12(4) 9.14(1)

Description (partial)

Symptom:
From the VPN perspective, we allow a single VPN user to connect to the firewall up to 2147483647 times:
 
   group-policy GP_AC attributes
      vpn-simultaneous-logins 2147483647

    ASAt(config-group-policy)# vpn-simultaneous-logins ?
    group-policy mode commands/options:
       <0-2147483647>  Maximum number of simultaneous logins allowed, enter 0 to
                   disable login and prevent user access
 

However after the 8th session, the firewall will start displaying the following error:

      %ASA-7-746012: user-identity: Add IP-User mapping x.x.x.x - LOCAL\username Failed - Maximum per user address limit reached


This error is displayed because the Identity Firewall feature has a limit of 8 IP addresses per user identity:
'Each user identity in a domain can have up to 8 IP addresses.'
https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/firewall/asa-914-firewall-config/access-idfw.html#ID-2136-00000067

From the VPN perspective, nothing fails after the 8th session: the VPN tunnels establish and IP address assignment works. The only thing that fails is that the records for the additional sessions are not entered in the IP-user mapping table used by the Identity Firewall. The only apparent benefit of those records is to display the user name along with the IP address in the logs, so the impact appears to be limited to how the logs are displayed rather than to functionality.

This is an ENHANCEMENT REQUEST to increase the limit of this table so that it matches the "vpn-simultaneous-logins" limit and all of our tables stay consistent.

Conditions:
Same user connecting more than 8 times to the firewall (more than 8 sessions).
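The mismatch described above can be checked from the outside: a group policy whose vpn-simultaneous-logins exceeds 8 is one where the 9th and later sessions of a single user will never appear in the IP-user mapping table, and the %ASA-7-746012 messages show which users and addresses were dropped from it. The following script is an added example and not part of the Cisco bug record; the running-config excerpt and syslog lines it contains are constructed samples (policy names, user names and addresses are made up), and the 8-address cap is the documented Identity Firewall limit quoted above.

```python
import re
from collections import defaultdict

# Documented Identity Firewall cap: 8 IP addresses per user identity.
IDFW_MAX_ADDRESSES_PER_USER = 8

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
group-policy GP_AC internal
group-policy GP_AC attributes
 vpn-simultaneous-logins 2147483647
 vpn-tunnel-protocol ssl-client
group-policy GP_LIMITED internal
group-policy GP_LIMITED attributes
 vpn-simultaneous-logins 3
"""

# Constructed syslog sample in the format of the 746012 message quoted in the bug,
# with one unrelated connection-build message mixed in as noise.
SAMPLE_SYSLOG = """\
%ASA-7-746012: user-identity: Add IP-User mapping 10.0.0.9 - LOCAL\\alice Failed - Maximum per user address limit reached
%ASA-7-746012: user-identity: Add IP-User mapping 10.0.0.10 - LOCAL\\alice Failed - Maximum per user address limit reached
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/50000 (10.0.0.5/50000)
%ASA-7-746012: user-identity: Add IP-User mapping 10.0.0.11 - CORP\\bob Failed - Maximum per user address limit reached
"""

GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
SIMUL_RE = re.compile(r"^\s+vpn-simultaneous-logins (\d+)\s*$")
MAPPING_FAIL_RE = re.compile(
    r"%ASA-\d-746012: user-identity: Add IP-User mapping (\S+) - (\S+) Failed - "
    r"Maximum per user address limit reached"
)


def simultaneous_logins(config_text):
    """Return {group_policy: vpn-simultaneous-logins} for every policy that sets it."""
    result = {}
    current = None
    for line in config_text.splitlines():
        m = GP_ATTR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any non-indented line ends the attributes block
            continue
        m = SIMUL_RE.match(line)
        if m and current:
            result[current] = int(m.group(1))
    return result


def policies_exceeding_idfw_limit(config_text, limit=IDFW_MAX_ADDRESSES_PER_USER):
    """Group policies whose login cap is higher than the IDFW per-user address cap."""
    return {gp: n for gp, n in simultaneous_logins(config_text).items() if n > limit}


def failed_mappings(syslog_text):
    """Return {user: [ip, ...]} for addresses rejected from the IP-user mapping table."""
    hits = defaultdict(list)
    for line in syslog_text.splitlines():
        m = MAPPING_FAIL_RE.search(line)
        if m:
            hits[m.group(2)].append(m.group(1))
    return dict(hits)


if __name__ == "__main__":
    for gp, n in policies_exceeding_idfw_limit(SAMPLE_CONFIG).items():
        print(f"{gp}: vpn-simultaneous-logins {n} > IDFW limit {IDFW_MAX_ADDRESSES_PER_USER}")
    for user, ips in failed_mappings(SAMPLE_SYSLOG).items():
        print(f"{user}: {len(ips)} address(es) missing from IP-user table: {', '.join(ips)}")
```

Run it against `show running-config group-policy` output and a syslog export instead of the embedded samples; the first function tells you which policies can hit the cap, the second tells you which users already have. Because the page states that only the log display is affected, the output is an inventory of addresses that will show up without a user name in identity-tagged logs, not a list of failed VPN sessions.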