Field Notice: FN - 70467 - ASA Software - AnyConnect Connections Might Fail With TCP Connection Limit Exceeded Error - Software Upgrade Recommended

Available Languages

Updated:February 26, 2020

Document ID:FN70467

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	29-Jan-20	Initial Release
1.1	27-Feb-20	Updated the Products Affected and Defect Information Sections

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Adaptive Security Appliance (ASA) Software	9	9.0.1.ED, 9.0.1.SMP.ED, 9.0.2.ED, 9.0.2.SMP.ED, 9.0.3.ED, 9.0.3.SMP.ED, 9.0.4.ED, 9.0.4.SMP.ED, 9.1.1.ED, 9.1.1.SMP.ED, 9.1.2.ED, 9.1.2.SMP.ED, 9.1.3.ED, 9.1.3.SMP.ED, 9.1.4.ED, 9.1.4.SMP.ED, 9.1.5.ED, 9.1.5.SMP.ED, 9.1.6, 9.1.6.SMP, 9.1.6.SMP.ED, 9.1.7, 9.1.7.SMP, 9.10.1, 9.12.1, 9.12.2, 9.12.3, 9.13.1, 9.2.1.ED, 9.2.1.SMP.ED, 9.2.2.4, 9.2.2.4.SMP, 9.2.2.ED, 9.2.2.SMP.ED, 9.2.3, 9.2.3.SMP, 9.2.4, 9.2.4.SMP, 9.3.1.SMP, 9.3.2, 9.3.2.200, 9.3.3, 9.4.1, 9.4.1.150, 9.4.1.152, 9.4.1.200, 9.4.1.225, 9.4.2, 9.4.2.145, 9.4.2.146, 9.4.3, 9.4.4, 9.5.1, 9.5.1.200, 9.5.2, 9.5.2.1, 9.5.2.11, 9.5.2.2, 9.5.2.200, 9.5.3, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.7.1, 9.8.1, 9.8.2, 9.8.3, 9.8.4, 9.9.1, 9.9.2, 9.9.2.235
NON-IOS	Adaptive Security Appliance (ASA) Software	Interim	9.0.2 Interim, 9.0.3 Interim, 9.0.4 Interim, 9.1.1 Interim, 9.1.2 Interim, 9.1.3 Interim, 9.1.4 Interim, 9.1.5 Interim, 9.1.6 Interim, 9.1.7 Interim, 9.10.1 Interim, 9.12.1 Interim, 9.12.2 Interim, 9.12.3 Interim, 9.13.1 Interim, 9.2.2 Interim, 9.2.3 Interim, 9.2.4 Interim, 9.3.1 Interim, 9.3.2 Interim, 9.3.3 Interim, 9.4.1 Interim, 9.4.2 Interim, 9.4.3 Interim, 9.4.4 Interim, 9.5.1 Interim, 9.5.2 Interim, 9.5.3 Interim, 9.6.1 Interim, 9.6.2 Interim, 9.6.3 Interim, 9.6.4 Interim, 9.7.1 Interim, 9.8.1 Interim, 9.8.2 Interim, 9.8.3 Interim, 9.8.4 Interim, 9.9.1 Interim, 9.9.2 Interim

Defect Information

Defect ID	Headline
CSCvp10132	AnyConnect connections fail with TCP connection limit exceeded error
CSCvq12070	Not able to establish more than 2 simultaneous ASDM sessions
CSCvs53705	Anyconnect sessions limited incorrectly

Problem Description

Some versions of Adaptive Security Appliance (ASA) software might cause AnyConnect sessions to fail after a low number of users are connected.

Background

The ASA software allows up to six HTTP management sessions on the security appliance. Due to a software issue, AnyConnect sessions might be considered as additional HTTP management sessions. If the total number of HTTP management and AnyConnect sessions equals the six session limit, additional AnyConnect sessions might fail.

The issue might occur with this ASA configuration:

SSL VPN configuration
With an interface with both http and webvpn configuration enabled
http server enable
http <ip> <mask> <i/f nameif>
webvpn
  enable <i/f nameif>

Problem Symptom

AnyConnect sessions fail after a low number of users are connected. The syslog files will contain a "TCP connection limit exceeded" error similar to the example shown below.

%ASA-7-710004: TCP connection limit exceeded from <x.x.x.x>/<port> to <nameif>:y.y.y.y/443 (current connections/connection limit = 6/6)

Workaround/Solution

Cisco recommends that you upgrade to one of these ASA software versions:

9.8(4.8) or later
9.10(1.26) or later
9.12(2.13) or later
9.12(3.1) or later

Updated ASA software versions that address this issue are available from the Software Download page for customers with a valid service contract.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Secure Firewall ASA Virtual