Increase Simultaneous VPN Logins on Cisco ASA

Posted on in Networking

In most VPN setups, each VPN user is given unique login credentials. Very rarely, you might run into a situation where a group of individuals is going to be sharing a set of credentials. For example, you might assign VPN credentials to another company for temporary access to part of your network. If you run into this situation, you should be aware that the default maximum simultaneous logins allowed on a Cisco ASA is three. Fortunately, this isn't the absolute maximum, just the default.

If you're running into this problem, you should see the following error in your error logs:

%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. Session Type: , Duration: 20h:43m:15s, Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted 

An ASA-4-113019 log message is generated every time a VPN client disconnects. The key to diagnosing this problem is the reason field: Port Preempted. This means the same user has logged in too many times. To increase the maximum number of simultaneous logins, change the group policy the user belongs to. To allow our user "fred" to connect more than three times, add the following line to the appropriate group policy, in this case GUEST.

group-policy GUEST attributes
 vpn-simultaneous-logins 4

Now, any user in the GUEST group can log in up to four times before getting automatically disconnected.
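Before raising the limit, it helps to know which accounts are actually being preempted and from how many source addresses. The Python below is an added example, not part of the original post: it parses 113019 messages in the format shown above and tallies "Port Preempted" disconnects per group and username. The function names, and every sample line except the first, are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the %ASA-4-113019 message quoted in the post.
PATTERN = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. .*?"
    r"Duration: (?P<duration>[^,]+), .*?Reason: (?P<reason>.+?)\s*$"
)

def parse_disconnect(line):
    """Return the fields of one 113019 message as a dict, or None for other lines."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def preempted_sessions(lines):
    """Count 'Port Preempted' disconnects and collect source IPs per (group, user)."""
    counts, sources = Counter(), {}
    for line in lines:
        rec = parse_disconnect(line)
        if rec and rec["reason"] == "Port Preempted":
            key = (rec["group"], rec["user"])
            counts[key] += 1
            sources.setdefault(key, set()).add(rec["ip"])
    return counts, sources

# Constructed sample: the first entry is the line from the post, the rest are made up.
SAMPLE = [
    "%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. "
    "Session Type: , Duration: 20h:43m:15s, Bytes xmt: 27814773, Bytes rcv: 7264654, Reason: Port Preempted ",
    "%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.130, Session disconnected. "
    "Session Type: , Duration: 0h:02m:10s, Bytes xmt: 1200, Bytes rcv: 900, Reason: Port Preempted",
    "%ASA-4-113019: Group = GUEST, Username = fred, IP = 192.168.117.124, Session disconnected. "
    "Session Type: , Duration: 1h:00m:00s, Bytes xmt: 5000, Bytes rcv: 4000, Reason: User Requested",
    "%ASA-4-113019: Group = STAFF, Username = alice, IP = 192.168.117.88, Session disconnected. "
    "Session Type: , Duration: 3h:10m:05s, Bytes xmt: 800, Bytes rcv: 700, Reason: Idle Timeout",
    "unrelated syslog line (constructed)",
]

if __name__ == "__main__":
    counts, sources = preempted_sessions(SAMPLE)
    for (group, user), n in counts.most_common():
        print(f"{group}/{user}: {n} preempted, from {sorted(sources[(group, user)])}")
```

A shared account preempted from many distinct addresses is the case the post describes; the same pattern on an account that is supposed to be used by one person is worth a closer look before the limit is raised.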
