Here's a weird one.
We've had a lot of calls in the last few days to confirm the number of remote access licenses that customers have.
Now remote access licensing has always appeared to be a bit of a dark art with so many different SKUs and license macros.
I've noticed that in a lot of cases the gateways MASSIVELY over-count the number of available Endpoint office mode licenses (not SNX or MAB though).
In some cases, and this is confirmed through vpnd debugs and fw tab counts, a gateway will allow 5 times the number of licensed connections.
I've confirmed this overage on 4 different customers so far.
3 of them showed the 5 times behaviour, but the 4th showed about 3.5 times.
Now this 4th customer had a mix of CPVP-VSC-5-NGX+25 and CPVP-VSC-25-NGX. From what I can work out, the CPVP-VSC-5-NGX+25 are counted 5 times, but the CPVP-VSC-25-NGX are counted correctly once.
We have a ticket open with TAC about the issue, but I thought I'd reach out and see if anyone else had seen this behaviour?
An example (anonymised) cplic print from the manager.
Host Expiration Features
zzz.zzz.zzz.zzz never CPSM-C-U CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-UDIR CPSB-PRVS CPSB-IPSA CK-ABCD12345678
zzz.zzz.zzz.zzz never CPEP-C-1+25 CPSB-EP-FW+25 CPEP-PERP CK-ABCD12345678
zzz.zzz.zzz.zzz never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
zzz.zzz.zzz.zzz never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
zzz.zzz.zzz.zzz never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
zzz.zzz.zzz.zzz never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
zzz.zzz.zzz.zzz never CPSM-C-U CPSB-ADN-M CPSB-ACCL-M CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPMP-EVR-1-NGX CPSB-SWB CK-ABCD12345678
zzz.zzz.zzz.zzz never CPSB-ADN-M-HA CPSB-ACCL-M-HA CK-98492C5564A4
zzz.zzz.zzz.zzz never CPVP-VPS-1-NGX CPVP-VSC-5-NGX+100 CPEP-PERP CPSB-SWB CK-ABCD12345678
zzz.zzz.zzz.zzz never CPVP-VPS-1-NGX CPVP-VSC-5-NGX+25 CPEP-PERP CPSB-SWB CK-ABCD12345678
zzz.zzz.zzz.zzz never CPSB-MNTR CK-ABCD12345678
125 Endpoint licenses, plus a bunch of wrongly attached SNX licenses (should be on gateways)
And an anonymised VPN debug output from the gateway.
[vpnd 12345 1234567890]@Gateway[17 Mar 12:41:23][tunnel] available_om_licenses: sc_lic 625, sc_unlimit 0, cvpn_lic 5, cvpn_unlimit 0
[vpnd 12345 1234567890]@Gateway[17 Mar 12:41:23] fw_stat_tab: 630 elements
[vpnd 12345 1234567890]@Gateway[17 Mar 12:41:23] fw_stat_tab: 0 elements
[vpnd 12345 1234567890]@Gateway[17 Mar 12:41:23][tunnel] available_om_licenses: number of connected users: om_users 630, snx_users 0, l2tp_users 0
Oh, these are all R80.x gateways.
edit: cleared up the post a bit
Second edit:
This was further confirmed when we added a Sandblast +100 eval and then vpn debug showed:
[vpnd 12345 1234567890]@Gateway[17 Mar 14:29:03][tunnel] available_om_licenses: sc_lic 1125, sc_unlimit 0, cvpn_lic 5, cvpn_unlimit 0
[vpnd 12345 1234567890]@Gateway[17 Mar 14:29:03][tunnel] available_om_licenses: number of connected users: om_users 628, snx_users 0, l2tp_users 0
[vpnd 12345 1234567890]@Gateway[17 Mar 14:29:03][tunnel] available_om_licenses: Enough licenses for new user. Users:628 Licenses: 1130.
Add a 100 user eval and it now thinks it has 1125 licenses. Another 500.
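Added example (not part of the original post and not Check Point tooling): a small Python check that totals the CPVP-VSC seats in a cplic print and compares them with the sc_lic value in the vpnd debug line. It assumes the post's reading of the SKUs (the +N suffix is the seat count, a SKU without a suffix carries its base number) and models the suspected over-count as base times add-on; the function names are hypothetical and the sample lines are copied from the anonymised output above.

```python
import re

# SKU forms seen in the post: CPVP-VSC-<base>-NGX with an optional +<addon> suffix.
VSC_SKU = re.compile(r"\bCPVP-VSC-(\d+)-NGX(?:\+(\d+))?(?!\S)")
SC_LIC = re.compile(r"available_om_licenses: sc_lic (\d+),")

# Sample input: the two VSC lines and the first debug line from the post.
SAMPLE_CPLIC = (
    "zzz.zzz.zzz.zzz never CPVP-VPS-1-NGX CPVP-VSC-5-NGX+100 CPEP-PERP CPSB-SWB CK-ABCD12345678\n"
    "zzz.zzz.zzz.zzz never CPVP-VPS-1-NGX CPVP-VSC-5-NGX+25 CPEP-PERP CPSB-SWB CK-ABCD12345678\n"
)
SAMPLE_DEBUG = (
    "[vpnd 12345 1234567890]@Gateway[17 Mar 12:41:23][tunnel] "
    "available_om_licenses: sc_lic 625, sc_unlimit 0, cvpn_lic 5, cvpn_unlimit 0\n"
)

def vsc_seats(cplic_text):
    """Return (entitled, multiplied) seat totals over all CPVP-VSC features.

    entitled:   seats as the post counts them (+N if present, else the base).
    multiplied: base * add-on for +N SKUs, the over-count the post suspects.
    """
    entitled = multiplied = 0
    for base, addon in VSC_SKU.findall(cplic_text):
        base = int(base)
        if addon:                      # e.g. CPVP-VSC-5-NGX+25
            entitled += int(addon)
            multiplied += base * int(addon)
        else:                          # e.g. CPVP-VSC-25-NGX
            entitled += base
            multiplied += base
    return entitled, multiplied

def sc_lic_values(debug_text):
    """Every sc_lic figure the gateway reported in the debug text."""
    return [int(n) for n in SC_LIC.findall(debug_text)]

def audit(cplic_text, debug_text):
    """Compare each reported sc_lic with the entitled seat count."""
    entitled, multiplied = vsc_seats(cplic_text)
    return [{"sc_lic": n, "entitled": entitled,
             "ratio": n / entitled if entitled else None,
             "matches_multiplied": n == multiplied}
            for n in sc_lic_values(debug_text)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CPLIC, SAMPLE_DEBUG):
        print(finding)
```

A ratio above 1 means the gateway admits more office mode users than the entitlement; matches_multiplied shows whether the base-times-add-on model explains the figure exactly.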