VPN Questions - 3005 to ASA5510

Answered Question
Apr 8th, 2008

We are moving from a 3005 concentrator to an ASA5510 and I have a couple of questions.

In the 3005 you can disable and enable VPN tunnels rather easily. You go into the policy and check or uncheck the enable box. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.

Also, I want my remote access sessions to time out after 8 hours. It shows in the tunnel policy in the ASDM that it is set for 8 hours (28800), but I don't see this value in the config at all. I do see a value of 86400 for the isakmp policy though. If it's set in the ASDM as 8 hours, why doesn't it show up in the config? Which takes precedence on the timeout, the tunnel policy or the isakmp policy?

Thanks!

Correct Answer by JORGE RODRIGUEZ, Tue, 04/08/2008 - 16:53

Ryan,

For your remote access users, the VPN session maximum connection time can be specified in the tunnel group policy attributes. In ASDM, go to your tunnel group > General, expand More Options, and uncheck Maximum Connect Time; there you can specify the number of minutes after which the VPN session will terminate.

For example, to specify 90 minutes you can also do it through the CLI. Note that this is not an idle timeout: it will drop the session after 90 minutes for all members of the tunnel group.

group-policy <tunnel group name> attributes
 vpn-session-timeout 90

You can disable it as:

group-policy <tunnel group name> attributes
 no vpn-session-timeout

As for disabling/enabling L2L VPN sessions, there is no disable/enable option like in the VPN concentrators. I know that is a nice feature in the concentrator, but I have not seen a feature like that in the ASA, or I'm not aware of one yet.

HTH

Rgds

Jorge
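Added example, not from the thread or from Jorge's reply: the 8-hour limit the asker wants, written out as an ASA 8.x configuration. Two values in the original question are rekey intervals rather than disconnect timers. The 86400 in the isakmp policy is the IKE (Phase 1) SA lifetime, and the 28800 that ASDM shows for the tunnel policy is the ASA's default IPsec (Phase 2) SA lifetime, which is why it does not appear in the running configuration. Neither one ends a user's session; the session limit is `vpn-session-timeout`, in minutes, in the group policy, and 480 minutes is 8 hours. The names RA-POLICY and RA-TUNNEL are placeholders chosen for this example.

```cisco
! Added example (not the original poster's config). Names RA-POLICY and
! RA-TUNNEL are assumptions.
!
! IKE (Phase 1) SA lifetime in seconds: how often the IKE SA is rekeyed.
! 86400 is the default. It never disconnects a user.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! IPsec (Phase 2) SA lifetime in seconds. 28800 (8 hours) is the default,
! so it is what ASDM shows but "show running-config" omits. Also a rekey.
crypto ipsec security-association lifetime seconds 28800
!
! The actual session limit, in minutes. 480 = 8 hours. vpn-idle-timeout
! is a separate inactivity timer; both are inherited via the group policy.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-session-timeout 480
 vpn-idle-timeout 30
!
! Bind the policy to the remote-access tunnel group.
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! Verification:
!   show running-config group-policy RA-POLICY   (shows the 480)
!   show running-config all crypto               (shows the 28800 default)
!   show vpn-sessiondb remote                    (live sessions and durations)
```

A value set on the group policy only takes effect for users whose tunnel group points at that policy; anything not set explicitly is inherited from DfltGrpPolicy, where the session timeout is unlimited by default.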


ryanparr9 Wed, 04/09/2008 - 14:42

That is exactly what I was looking for, thanks.

If you were to temporarily disable a VPN, how would you go about doing it?

JORGE RODRIGUEZ Wed, 04/09/2008 - 20:33

Ryan, thanks for the rating, appreciated.

As far as disabling the L2L VPN tunnel without deleting the complete configuration, I would probably change the secret key to something else on that particular tunnel. The IPsec Phase 1 will not complete and the tunnel will never come up, until you put the right secret key back again through ASDM or the CLI.

e.g.

isakmp key <key> address <peer-address> netmask 255.255.255.255 no-xauth

Rgds

Jorge
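Added example, not Jorge's or the thread's own configuration: the disable-by-changing-the-key approach in ASA 8.x `tunnel-group` syntax (the `isakmp key ... address ...` form in the reply is the older PIX-style command for the same pre-shared key), together with a step the reply does not mention. Changing the key does not tear down a tunnel that is already up: the existing IKE and IPsec SAs stay valid until they rekey, and a live IKE SA can negotiate fresh IPsec SAs without re-authenticating with the key at all. To take the tunnel down now, clear its SAs after changing the key. The peer address 203.0.113.10, the replacement key and the crypto map name are constructed for this example.

```cisco
! Added example (not from the thread). Peer 203.0.113.10 and the
! placeholder key are constructed values.
!
! Step 1: replace the pre-shared key for this one L2L peer. Keep the real
! key in your password store; it is shown only as *** in "show run".
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key DISABLED-while-maintenance-2008-04

! Step 2: drop the SAs that are already established. Without this the
! tunnel stays up until its next rekey. "clear crypto ipsec sa peer" is
! scoped to this peer; "clear crypto isakmp sa" clears IKE SAs for every
! peer on the box (they re-establish on the next traffic, except this one,
! which now fails Phase 1), so do it in a maintenance window. On ASA 7.x
! the second command is "clear isakmp sa".
clear crypto ipsec sa peer 203.0.113.10
clear crypto isakmp sa

! Step 3: confirm the peer is gone and is not coming back.
!   show crypto isakmp sa                       (no entry for 203.0.113.10)
!   show crypto ipsec sa peer 203.0.113.10      (no SAs)
!   show logging | include 203.0.113.10         (Phase 1 failures from the peer)

! Step 4: re-enable by restoring the original key. No other config changed.
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <original-key>
```

The crypto map entry, its ACL and the transform set are untouched throughout, so the tunnel comes back with exactly the parameters it had before; the only thing that changed was which key the two peers would agree on. The remote side will log repeated IKE authentication failures while the tunnel is disabled, which is expected and is a useful signal that the other end is still trying.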
