In most VPN setups, each VPN user is given unique login credentials. Very rarely, you might run into a situation where a group of individuals is going to be sharing a set of credentials. For example, you might assign VPN credentials to another company for temporary access to part of your network. If you run into this situation, you should be aware that the default maximum simultaneous logins allowed on a Cisco ASA is three. Fortunately, this isn't the absolute maximum, just the default.
If you're running into this problem, you should see the following message in your logs:
%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. Session Type: , Duration: 20h:43m:15s, Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted
An ASA-4-113019 log message is generated every time a VPN client disconnects. The key to deciphering this problem is the reason: Port Preempted. This means the same user has logged in too many times. In order to increase the maximum number of simultaneous logins, a change needs to be made in the group policy the user is using. In order to allow our user "fred" to connect more than three times, we'll need to add the following line to the appropriate group policy, in this case GUEST.
group-policy GUEST attributes
vpn-simultaneous-logins 4
Now, any user in the GUEST group can log in up to four times before getting automatically disconnected.
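To find which accounts are actually hitting the limit before changing a group policy, the following added example (not part of the original post) parses ASA-4-113019 lines in the format shown above and counts "Port Preempted" disconnects per group and username. The sample log lines, function names and the threshold parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the %ASA-4-113019 format shown above.
SAMPLE_LOG = """\
%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. Session Type: , Duration: 20h:43m:15s, Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted
%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.130, Session disconnected. Session Type: , Duration: 0h:05m:02s, Bytes xmt: 1200, Bytes rcv: 900, Reason: Port Preempted
%ASA-4-113019: Group = STAFF, Username = alice, IP = 192.168.117.50, Session disconnected. Session Type: , Duration: 1h:00m:00s, Bytes xmt: 5000, Bytes rcv: 4000, Reason: User Requested
%ASA-6-113009: some unrelated message
"""

# search() is used so a syslog timestamp/host prefix before %ASA does not matter.
PATTERN = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. Session Type: (?P<type>[^,]*), "
    r"Duration: (?P<duration>[^,]*), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*?)\s*$"
)

def parse_disconnects(text):
    """Return one dict per 113019 line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            ev = {k: v.strip() for k, v in m.groupdict().items()}
            ev["xmt"], ev["rcv"] = int(ev["xmt"]), int(ev["rcv"])
            events.append(ev)
    return events

def preempted_accounts(events, threshold=1):
    """Count 'Port Preempted' disconnects per (group, username) with client IPs."""
    counts, ips = Counter(), {}
    for ev in events:
        if ev["reason"] == "Port Preempted":
            key = (ev["group"], ev["user"])
            counts[key] += 1
            ips.setdefault(key, set()).add(ev["ip"])
    return {k: {"count": c, "ips": sorted(ips[k])}
            for k, c in counts.items() if c >= threshold}

if __name__ == "__main__":
    for (group, user), info in preempted_accounts(parse_disconnects(SAMPLE_LOG)).items():
        print(f"{group}/{user}: {info['count']} preempted sessions from {info['ips']}")
```

Accounts that show up here from many distinct client IPs are the ones whose credentials are being shared.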