New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

300.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


My SNMP Cisco ASA VPN Users sensor shows a user limit error. Why? What can I do?

Votes:

0

Your Vote:

Up

Down

I added the SNMP Cisco ASA VPN Users sensor to my PRTG installation. After some time, it changed to a Down status, showing the following error message:

The sensor exceeded the maximum number of 50 users. For more information, see https://kb.paessler.com/en/topic/64053. (code: PE246)

Why does this error message appear? How can I change the Down status?

asa cisco cisco-asa-vpn error error-messages pe246 prtg sensor users vpn

Created on Apr 13, 2015 5:02:13 PM by  Johannes Herrmann [Paessler Support] (1,350) 2 2

Last change on Nov 29, 2019 11:42:41 AM by  Maike Guba [Paessler Support]



20 Replies

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 19 or later

User Limit of the SNMP Cisco ASA VPN Users Sensor (PE246)

The SNMP Cisco ASA VPN Users sensor shows you the number of currently connected user accounts and the online status of a specific user account. Basically, the sensor writes every user account that uses a VPN connection on the selected Cisco Adaptive Security Appliance device into a list and creates a channel for each account.

If the sensor shows the error message The sensor exceeded the maximum number of 50 users. For more information, see https://kb.paessler.com/en/topic/64053. (code: PE246), consider the following explanations:

When does the sensor show the respective error message?

It shows the error message regarding the limited number of users when the number of channels, which corresponds to the number of VPN users, exceeds 50.

Why is the sensor limited to 50 channels, that is, 50 users?

This sensor is limited to 50 channels or 50 users respectively because monitoring more than 50 VPN users might cause notable performance issues in your PRTG installation.

How can I change the Down status?

Actually, there is no real possibility to change the Down status. To clear the list of users, delete the SNMP Cisco ASA VPN Users sensor and add a new one to continue Cisco ASA VPN users monitoring. Unfortunately, this is the only way to get rid of the Down status at the moment.

In which case should I not use the SNMP Cisco ASA VPN Users sensor?

You should not use the sensor if you have more than 50 user accounts. If more than 50 users are frequently connected, you cannot use the sensor as intended.

Created on Apr 23, 2015 3:35:18 PM by  Martina Wittmann [Paessler Support]

Last change on Nov 29, 2019 11:43:03 AM by  Maike Guba [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I am confused by this answer as we just hit the 50 user limit and we do "not" have 50 concurrent users connected but we do have 50 total uses showing up in our list that have connected since we created this sensor. Why would this sensor count 50 users total over the lifetime of the sensor if it is supposed to only count concurrent connections?

Created on Apr 6, 2016 5:13:28 PM by  servergrunt (190) 1



Votes:

0

Your Vote:

Up

Down

Hello,

Please note that this sensor can monitor up to 50 VPN connections - not up to 50 active users, but up to 50 offline and online users in total. So if the number of users (ever connected users, not just currently connected) exceeds 50, the sensor will show an error.

Best regards

Created on Apr 7, 2016 2:31:24 PM by  Isidora Jeremic [Paessler Support]



Votes:

0

Your Vote:

Up

Down

If you have a changing username (like 2 way authenication, username*[code]) it will easy exceed 50 users. Why not have the last 50 users?

Created on Jun 9, 2016 6:40:26 AM by  Christianr (10) 1



Votes:

0

Your Vote:

Up

Down

Hello,

With new connected users, new channels are created, but it is not possible to delete existing channels, sorry.

Created on Jun 9, 2016 2:48:55 PM by  Isidora Jeremic [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This is ridiculous. There are several options here that would make more sense:

1) Only show online users - I couldn't care less if they're offline, only when they're on. This would reduce the number of users in the list.

2) Let me chose how many users is my "max" based on my environment. I only have about 48 sensors and can throw dozens of CPU's and Gig's of memory at the box if performance was an issue. Unless your performance issues are with your database, let me make up my mind about the number of users to see.

This is a critical limitation in your application.

Created on Dec 21, 2016 6:27:07 PM by  mdiorio (0)



Votes:

0

Your Vote:

Up

Down

Dear mdiorio,

I do understand your point here. But I am afraid I have to tell you this is still status quo and we will not change this behavior in this direction anytime soon.

PRTG is predominantly designed to monitor numerical values. Furthermore, sensor channels can't be deleted as you would loose the related historic data in the same breath just to name one disadvantage. This would cause further issues.

I'm sorry that I can't offer you a more satisfactory respond.

Best,
Sebastian

Created on Dec 22, 2016 2:18:47 PM by  Sebastian Kniege [Paessler Support]



Votes:

1

Your Vote:

Up

Down

I agree with mdiorio in part.

I have an extensive virtualization environment that will likely address any performance issues (I can assign up to 40 cores and 768GB vRAM to any machine). I would like to be able to choose the limits/thresholds myself. I don't mind the helpful warnings in regards to repercussions of doing so, but I do mind the limitations.

I'd like to be able to:

  • see all VPN connections, regardless of type (i.e. AnyConnect, IPSEC, etc.);
  • see historical and current data;
  • designate a sensor as "informational" in order to use if for just that: information
  • supress alerts generated by making a sensor informational (which I believe I can do by removing triggers).

Thanks

Created on Sep 15, 2017 3:15:51 PM by  msmith11950 (10)



Votes:

0

Your Vote:

Up

Down

Dear msmith11950 and everyone interested in the feature request,

We do take your requests seriously and are fully aware that, for some situations, it would be helpful to have more than the pre-defined channel limits.
@msmith11950, your hardware environment is very powerful though, but it's important to know that PRTG's workload does not rely on dozens of gigabyte of RAM and multiple CPU's/Core's only. PRTG internal, hard coded data structure uses so called semaphores to avoid simultaneous access due to too many read and write locks which can cause severe issues.

At the moment there is no solution we can offer, I'm afraid.

Best regard,
Sebastian

Created on Sep 18, 2017 10:03:09 AM by  Sebastian Kniege [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Yes, as PRTG is concerned with monitoring numerical values, is there no way to monitor the current number of connected VPN users without creating a channel for each one? I want/need to monitor the count of active connections, something I can see in the ASDM utility, so the value should be available to PRTG.

Created on Apr 19, 2018 3:11:47 PM by  Michael Saulters (-2) 1



Votes:

0

Your Vote:

Up

Down

You could write a custom sensor which puts that information into the sensor status message (up to 2000 characters, no line breaks.) Messages are not part of the historic data, so you would not be able to create reports for this.

Created on Apr 20, 2018 2:53:42 PM by  Arne Seifert [Paessler Support]



Votes:

0

Your Vote:

Up

Down

According to support The PRTG sensor is limited in channels. Most sensors have a limit of 50 channels. This is a limitation by PRTG's architecture. A VPN with more than 50 users cannot be monitored in a useful way with PRTG. This can also not easily implemented, because of how PRTG works....

Do anyone know if there is another way to monitor number of VPN users ?

Created on Dec 21, 2018 1:25:57 PM by  Thomas M Johansen (10) 1



Votes:

0

Your Vote:

Up

Down

Dear ThomasMichaelJohansen,

since there is this limitation with channels, motioning more users would require using more sensors. Since sensors run independently, one would have to use a complex master sensor which creates additional sensors on the fly. With a single sensor, the number of channels is limited.

Created on Dec 21, 2018 3:13:29 PM by  Arne Seifert [Paessler Support]



Votes:

0

Your Vote:

Up

Down

I need a solution asap. Currently 98% of our users vpning. I have 5 vpn concentrators and I need to monitor that.

Created on Mar 19, 2020 3:01:23 PM by  stabarz (0) 1



Votes:

0

Your Vote:

Up

Down

Dear stabarz,

the capacity of having only up to 50 channels is documented in the official manual: https://www.paessler.com/manuals/prtg/snmp_cisco_asa_vpn_users_sensor

We understand that even without increased homeoffice use, this can be limiting. The development is informed about the pressing nature regarding this sensor, though the limit is implemented for a reason (preventing overload.)

Created on Mar 19, 2020 8:12:46 PM by  Arne Seifert [Paessler Support]



Votes:

3

Your Vote:

Up

Down

Well - since we all are in the same boat.. here is a quick work-around. Read the article, please.. but it gives you at least a good idea of how many users are connected to your Cisco ASA.

Hope it helps a few of you.

https://www.it-admins.com/prtg-and-cisco-asa-vpn-monitoring/

Regards Florian Rossmark

Created on Mar 19, 2020 10:06:55 PM by  Florian Rossmark (4,315) 4 2



Votes:

0

Your Vote:

Up

Down

The solution above worked for me. It uses CISCO-REMOTE-ACCESS-MONITOR-MIB where you can poll for the number of currently active sessions (crasNumSessions - 1.3.6.1.4.1.9.9.392.1.3.1.0)

Created on Mar 20, 2020 10:43:10 PM by  rscott (0) 1



Votes:

0

Your Vote:

Up

Down

I am coming here to voice the same concerns others have.

This sensor was one of the very cool things I showed management, we have the need to track who is in. We are logging that info, and have checked against ISE and other logs in the past but this seemed like a really easy and awesome way to know who was online at any given moment.

I will go poking to see if there is a MIB that will give me user information (I care more about who than the #) but it is pretyy disappointing to see this limitation.

The technical part makes some sense, but I would love to see the sensor delete data for offline users. We would never get to 50 people online at once, but the sensor is useless for companies with more than 50 users.

Created on Apr 17, 2020 5:47:52 PM by  rsdeuce (0)



Votes:

0

Your Vote:

Up

Down

Thank you very much for your open feedback. I will immediately forward it to the responsible Product Owner in order to find a proper solution for this as soon as possible.

Best regards,
Sven Roggenhofer [Paessler Technical Support]

Created on Apr 17, 2020 6:30:22 PM by  Sven Roggenhofer [Paessler Technical Support]



Votes:

0

Your Vote:

Up

Down

Exactly this requirement i got yesterday for a customer using brand new Cisco ASA and needs urgently Monitoring for it.

I´v just tested to create "SNMP Custom Cisco ASA VPN Counter" with the OID in article and it looks good.

We have to validate the results, but if this is stable -> "Go for it" and set up this one as Standard sensor.

Benefit: also a report using standard PRTG reporting can be created with graph and data table.

Best regards, Jürgen

Created on Jun 5, 2020 3:33:07 PM by  Jürgen Mayershofer, Computacenter AG & Co. oHG (10) 1



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.