AnyConnect Hostscan Results Exceed Default Limit


I have a user who is unable to log in using AnyConnect. Their screen hangs at the AnyConnect message: “Hostscan is waiting for the next scan”.

Looking at the logs on the ASA I saw the following log:

Jun 25 2014 16:25:21: %ASA-3-716600: Rejected 266KB Hostscan data from IP <>. Hostscan results exceed default limit of 200KB.

The syslog database says that to increase the limit I need to contact Cisco TAC. So I did.

Cisco TAC gave me the following commands which fixed the issue:

ASA(config)# service internal
ASA(config)# webvpn
ASA(config)# hostscan data-limit <size-in-kilobytes>

Additional questions I asked Cisco, to which there was no answer:

  • Why is this a secret command?
  • My current hostscan only checks one registry string. Why is it generating more than 200KB of data for this?
  • Why is the default setting not good enough?
  • Why is this only happening for some users?
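To see which clients are being rejected and how large their Hostscan results are before picking a value for the data limit, the 716600 messages can be summarized per source address. This is an added example, not part of the original post or Cisco's tooling; the sample log lines and addresses are constructed, and accepting "configured" in place of "default" in the message text is an assumption.

```python
import re
from collections import defaultdict

# Matches the body of ASA syslog 716600 as shown in the post.
# "configured" is accepted in place of "default" as an assumption about
# how the message reads once a non-default limit has been set.
PATTERN = re.compile(
    r"%ASA-3-716600: Rejected (?P<size>\d+)KB Hostscan data from IP "
    r"(?P<ip>\S+?)\. Hostscan results exceed (?:default|configured) "
    r"limit of (?P<limit>\d+)KB"
)

# Constructed sample lines (documentation addresses), not real logs.
SAMPLE_LOG = """\
Jun 25 2014 16:25:21: %ASA-3-716600: Rejected 266KB Hostscan data from IP 192.0.2.10. Hostscan results exceed default limit of 200KB.
Jun 25 2014 16:31:02: %ASA-3-716600: Rejected 241KB Hostscan data from IP 192.0.2.10. Hostscan results exceed default limit of 200KB.
Jun 25 2014 16:40:47: %ASA-3-716600: Rejected 310KB Hostscan data from IP 198.51.100.7. Hostscan results exceed default limit of 200KB.
Jun 25 2014 16:41:00: %ASA-6-000000: constructed unrelated message that must be ignored
"""


def summarize(log_text):
    """Return {ip: {"count", "max_kb", "limit_kb"}} for rejected Hostscan uploads."""
    stats = defaultdict(lambda: {"count": 0, "max_kb": 0, "limit_kb": 0})
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # not a 716600 rejection
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["max_kb"] = max(entry["max_kb"], int(m.group("size")))
        entry["limit_kb"] = int(m.group("limit"))  # limit in force at the last rejection
    return dict(stats)


def largest_rejected_kb(stats):
    """Largest rejected result across all clients; a new limit must exceed this."""
    return max((s["max_kb"] for s in stats.values()), default=0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(f"{ip}: {s['count']} rejected, largest {s['max_kb']}KB (limit {s['limit_kb']}KB)")
    print("largest rejected result:", largest_rejected_kb(result), "KB")
```

A client whose rejected size is far above the others is worth examining on its own before the limit is raised for everyone.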
