- Local User Groups
I have already used the following lines in a reply, but now decided to make it a document 😊.
The "old" RA VPN client licensing worked by counting client IPs (called "seats", CLI "dtps lic" on policy server), and the used licenses count showed the number of clients that did connect during the last 30 days. This is different with MAB licenses, they are defined as the number of concurrent clients; MAB even has five grace clients, so the maximum number of concurrent clients is the number of licenses plus five.
Still, you can use the “Client type” filter on SVMonitor>User>All users, in order to filter according the type of the connection of the users. But there is no "dtps lic" for new endpoint client, MAB has its own CLI command, see Mobile Access Administration Guide R77 Versions pp. 188:
listusers - Shows a list of end-users connected to the gateway, along with their source IP addresses.
But that is not all as we can even take a look into the kernel tables 😉:
To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_users -s
To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_rules -f
You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:
# fw tab -t om_assigned_ips -s
HOST NAME ID #VALS #PEAK #SLINKS localhost om_assigned_ips 372 1 1 0
The above output (#VALS=1 ) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who take up from a different license (MAB). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:
# fw tab -t sslt_om_ip_params -s
HOST NAME ID #VALS #PEAK #SLINKS localhost sslt_om_ip_params 372 1 1 0
When we are runing Provider-1 with multiple CMAs, the remote access license gets placed on at MDS level.
Are there any known commands for checking the overall usage of remote access on the entire management server , or would we have to review each CMA for the max number of connections to work out if our license was sufficient.
The old "dtps lic" was issued on the policy server, and the new commands are all gateway-specific - so i get information for the gateway only.
What that's mean number of seat ?
I have 25, is this mean 25 connection VPN simultaneously?
What is the command cli to show me how much licence i have for VPN endpoind (not mobile) but for laptop?
In the past days I have been working on a CLI script that can display all Secure Client license information centrally. This script creates a new command on the management server to read the Secure Client licenses. It displays all Secure Client licenses in total (sum). Furthermore, it can read out the currently used licenses on the gateway. If a connection to the gateway can be established, the following values are read out: Currently used Secure Client licenses and the maximum used Secure Client licenses.
If you execute the script via "copy and past" on the management server, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. Please note that the execution of the new command may take a few seconds. This is a normal behaviour.
Now for following:
- Secure Client licenses
- Mobile Access Portal licenses
- SSLVPN licenses
More read here: R80.x - Mobile User License Tool - replaces "dtps lic"
Here an example:
# sclic 10.0.0.1
Now all license parameters for Secure Client are displayed: