New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


My Cisco ASA VPN Users sensor shows a user limit error. Why? What can I do?

Votes:

0

Your Vote:

Up

Down

I added the SNMP Cisco ASA VPN Users sensor to my PRTG installation. After some time, it changed to a Down status, showing the following message:

The sensor exceeded the maximum number of 50 users. See http://kb.paessler.com/en/topic/64053 for more information. (code: PE246)

Why does this error message appear? How can I change the Down status?

asa cisco cisco-asa-vpn error error-messages pe246 prtg sensor users vpn

Created on Apr 13, 2015 5:02:13 PM by  Johannes Herrmann [Paessler Support] (1,320) 2 2

Last change on Jul 11, 2019 12:40:29 PM by  Maike Behnsen [Paessler Support]



13 Replies

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 19 or later

User Limit of the SNMP Cisco ASA VPN Users Sensor (PE246)

The SNMP Cisco ASA VPN Users sensor shows you the number of currently connected user accounts and the online status of a specific user account. Basically, the sensor writes every user account that uses a VPN connection on the selected Cisco Adaptive Security Appliance device into a list and creates a channel for each account.

If the sensor shows the error message The sensor exceeded the maximum number of 50 users. See http://kb.paessler.com/en/topic/64053 for more information. (code: PE246), consider the following explanations:

When does the sensor show the respective error message?

It shows the error message regarding the limited number of users when the number of channels, which corresponds to the number of VPN users, exceeds 50.

Why is the sensor limited to 50 channels, that is, 50 users?

This sensor is limited to 50 channels or 50 users respectively because monitoring more than 50 VPN users might cause notable performance issues in your PRTG installation.

How can I change the Down status?

Actually, there is no real possibility to change the Down status. To clear the list of users, delete the SNMP Cisco ASA VPN Users sensor and add a new one to continue Cisco ASA VPN users monitoring. Unfortunately, this is the only way to get rid of the Down status at the moment.

In which case should I not use the SNMP Cisco ASA VPN Users sensor?

You should not use the sensor if you have more than 50 user accounts. If more than 50 users are frequently connected, you cannot use the sensor as intended.

Created on Apr 23, 2015 3:35:18 PM by  Martina Wittmann [Paessler Support]

Last change on Aug 5, 2019 5:47:03 AM by  Maike Behnsen [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I am confused by this answer as we just hit the 50 user limit and we do "not" have 50 concurrent users connected but we do have 50 total uses showing up in our list that have connected since we created this sensor. Why would this sensor count 50 users total over the lifetime of the sensor if it is supposed to only count concurrent connections?

Created on Apr 6, 2016 5:13:28 PM by  servergrunt (190) 1



Votes:

0

Your Vote:

Up

Down

Hello,

Please note that this sensor can monitor up to 50 VPN connections - not up to 50 active users, but up to 50 offline and online users in total. So if the number of users (ever connected users, not just currently connected) exceeds 50, the sensor will show an error.

Best regards

Created on Apr 7, 2016 2:31:24 PM by  Isidora Jeremic [Paessler Support]



Votes:

0

Your Vote:

Up

Down

If you have a changing username (like 2 way authenication, username*[code]) it will easy exceed 50 users. Why not have the last 50 users?

Created on Jun 9, 2016 6:40:26 AM by  Christianr (10)



Votes:

0

Your Vote:

Up

Down

Hello,

With new connected users, new channels are created, but it is not possible to delete existing channels, sorry.

Created on Jun 9, 2016 2:48:55 PM by  Isidora Jeremic [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This is ridiculous. There are several options here that would make more sense:

1) Only show online users - I couldn't care less if they're offline, only when they're on. This would reduce the number of users in the list.

2) Let me chose how many users is my "max" based on my environment. I only have about 48 sensors and can throw dozens of CPU's and Gig's of memory at the box if performance was an issue. Unless your performance issues are with your database, let me make up my mind about the number of users to see.

This is a critical limitation in your application.

Created on Dec 21, 2016 6:27:07 PM by  mdiorio (0)



Votes:

0

Your Vote:

Up

Down

Dear mdiorio,

I do understand your point here. But I am afraid I have to tell you this is still status quo and we will not change this behavior in this direction anytime soon.

PRTG is predominantly designed to monitor numerical values. Furthermore, sensor channels can't be deleted as you would loose the related historic data in the same breath just to name one disadvantage. This would cause further issues.

I'm sorry that I can't offer you a more satisfactory respond.

Best,
Sebastian

Created on Dec 22, 2016 2:18:47 PM by  Sebastian Kniege [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I agree with mdiorio in part.

I have an extensive virtualization environment that will likely address any performance issues (I can assign up to 40 cores and 768GB vRAM to any machine). I would like to be able to choose the limits/thresholds myself. I don't mind the helpful warnings in regards to repercussions of doing so, but I do mind the limitations.

I'd like to be able to:

  • see all VPN connections, regardless of type (i.e. AnyConnect, IPSEC, etc.);
  • see historical and current data;
  • designate a sensor as "informational" in order to use if for just that: information
  • supress alerts generated by making a sensor informational (which I believe I can do by removing triggers).

Thanks

Created on Sep 15, 2017 3:15:51 PM by  msmith11950 (0)



Votes:

0

Your Vote:

Up

Down

Dear msmith11950 and everyone interested in the feature request,

We do take your requests seriously and are fully aware that, for some situations, it would be helpful to have more than the pre-defined channel limits.
@msmith11950, your hardware environment is very powerful though, but it's important to know that PRTG's workload does not rely on dozens of gigabyte of RAM and multiple CPU's/Core's only. PRTG internal, hard coded data structure uses so called semaphores to avoid simultaneous access due to too many read and write locks which can cause severe issues.

At the moment there is no solution we can offer, I'm afraid.

Best regard,
Sebastian

Created on Sep 18, 2017 10:03:09 AM by  Sebastian Kniege [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Yes, as PRTG is concerned with monitoring numerical values, is there no way to monitor the current number of connected VPN users without creating a channel for each one? I want/need to monitor the count of active connections, something I can see in the ASDM utility, so the value should be available to PRTG.

Created on Apr 19, 2018 3:11:47 PM by  Michael Saulters (-2) 1



Votes:

0

Your Vote:

Up

Down

You could write a custom sensor which puts that information into the sensor status message (up to 2000 characters, no line breaks.) Messages are not part of the historic data, so you would not be able to create reports for this.

Created on Apr 20, 2018 2:53:42 PM by  Arne Seifert [Paessler Support]



Votes:

0

Your Vote:

Up

Down

According to support The PRTG sensor is limited in channels. Most sensors have a limit of 50 channels. This is a limitation by PRTG's architecture. A VPN with more than 50 users cannot be monitored in a useful way with PRTG. This can also not easily implemented, because of how PRTG works....

Do anyone know if there is another way to monitor number of VPN users ?

Created on Dec 21, 2018 1:25:57 PM by  Thomas M Johansen (10) 1



Votes:

0

Your Vote:

Up

Down

Dear ThomasMichaelJohansen,

since there is this limitation with channels, motioning more users would require using more sensors. Since sensors run independently, one would have to use a complex master sensor which creates additional sensors on the fly. With a single sensor, the number of channels is limited.

Created on Dec 21, 2018 3:13:29 PM by  Arne Seifert [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.