I was recently configuring an ASA running 8.x software to authenticate and download ACL’s for remote-access users from microsoft IAS. During my testing I changed one of the ACE’s but accidentally used incorrect syntax (tried to match a port number on an “ip” access list):
ip:inacl#100=permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389
Which should have read
ip:inacl#100=permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389
The end result was that my authentication denied and I received this error on the ASA:
%ASA-3-109032: Unable to install ACL ‘AAA-user-username-ABC12345’, downloaded for user username; Error in ACE: ‘permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389’
No biggie, fixed the syntax and tried to logon again. But then I recieved this interesting error:
%ASA-4-716023: Group <groupName> User <username> IP <x.x.x.x> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <groupName> User <username> IP <x.x.x.x> WebVPN Unable to create session
I thought maybe I had some previous sessions still connected:
ASA# sh uauth
Current Most Seen
Authenticated Users 0 1
Authen In Progress 0 0
ASA# sh vpn-sessiondb webvpn
INFO: There are presently no active sessions of the type specified
It appears that if a SSLvpn connection fails due to an incorrectly configured downloadable ACE it locks out that session. I couldn’t find a command that would return the sessions back to the available pool and had to reload the ASA to correct it.
Now I doubt you would see this issue in a production environment but if anyone knows of a way to correct this without reloading I would love to know.