topic Re: How many tunnel for one user ? in SASE and Remote Access

How many tunnel for one user ?

PhongNN — Mon, 10 Feb 2020 08:53:40 GMT

Hi everybody

I have an issue like this:

My VPN pool is 192.168.250.0/24

When i try to use Endpoint VPN to connect, the message is appear:

"Connection Failed: You cannot receive an Office Mode IP address at this time. Try to connect again. If the problem persists, contact your administrator."

I checked on Smartview Monitor, the concurrent users are 168, but the Log in Smartview Tracker is IP Pool full

Could anyone explain it to me ?

Thank you so much

Regards

Re: How many tunnel for one user ?

G_W_Albrecht — Mon, 10 Feb 2020 10:35:52 GMT

Endpoint RA VPN does not use the concurrent MAB users, but the EP VPN seats !

sk39034 To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_users -s

sk14496 To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_rules -f

You can check the Office Mode state using the following:

sk43883 - What is the difference between marcipan_ippool_users and om_assigned_ips :

The marcipan table lists the office mode ip address. So if you type in the cmd

fw tab -t marcipan_ippool_users -f

This will show the list in readable format.

The om_assigned_ips deals with the office mode ip address tied with the user name. Type the tab cmd with the -f switch.

fw tab -t om_assigned_ips -f

sk36036 - to determine # of SNX users (# of individuals using office mode) on GW issue :

fw tab -t sslt_om_ip_params -s

You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:

fw tab -t om_assigned_ips -s

HOST NAME ID #VALS #PEAK #SLINKS localhost om_assigned_ips 372 1 1 0

The above output (#VALS=1 ) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who take up from a different license (SSL). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:

fw tab -t sslt_om_ip_params -s

HOST NAME ID #VALS #PEAK #SLINKS localhost sslt_om_ip_params 372 1 1 0

Re: How many tunnel for one user ?

PhongNN — Tue, 11 Feb 2020 04:52:59 GMT

It's very usefull. Thank you so much

But my question is still unresolved

Because in Smartview Monitor, i saw the Remote User Tunnel is 166 and i cannot connect to VPN because IP pool full

The IP Pool is 192.168.150.0/24, and it should be assign for 254 user, right ?

Regards

Re: How many tunnel for one user ?

PhoneBoy — Tue, 11 Feb 2020 22:02:08 GMT

If you’re not licensed for that many users, definitely not.
In any case, if you can provide (possibly redacted) output of the above commands, it might help us see what’s happening.

Re: How many tunnel for one user ?

chaymosphere — Wed, 18 Mar 2020 10:01:20 GMT

I have the same issue with them, currently, I have 760 plus users are already connected but other users are unable to connect and currently impacting their production. May i know the maximum users that can connect through the VPN? is there any command that i can use to check ?

Re: How many tunnel for one user ?

waynej — Fri, 11 Aug 2023 13:55:06 GMT

Spent most of the day looking at this issue on one of my gateways. Our connected VPN client count was around 140-150 when we started getting the error "You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode". We are licensed for 205. Eventually I found that the om_assigned_ips table was at 205 when the issue occurs.

In this case we had set the IP Lease Duration to 1day (1440 minutes) while also allowing simultaneous logins. I'm not sure if there is a bug in the VPN client or if it was a user, but I'd see some VPN clients with multiple logins from the same IP, each session tying up a IP in the om_assigned_ips table.

I found this looking at the detail from fw tab -t om_assigned_ips -f - u

I've set the lease time back to the default (15 minutes) and set simultaneous logins to only allow one per user. Hopefully that sorts it out.

Thanks to @G_W_Albrecht for the list of commands. They were invaluable.