VPN Questions - 3005 to ASA5510

ryanparr9
Level 1

We are moving from a 3005 concentrator to an ASA5510 and I have a couple of questions.

In the 3005 you can disable and enable VPN tunnels rather easily. You go into the policy and check or uncheck the enable box. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.

Also, I want my remote access sessions to time out after 8 hours. It shows in the tunnel policy in the ASDM that it is set for 8 (28800) hours but I don't see this value in the config at all. I do see a value of 86400 for the isakmp policy though. If it's set in the ASDM as 8 hours why doesn't it show up in the config? Which takes precedence on the timeout, the tunnel policy or the isakmp policy?

Thanks!

1 Accepted Solution

JORGE RODRIGUEZ
Level 10

Ryan,

For your remote access users, the VPN session max connection time can be specified in the tunnel group policy attributes. In ASDM, go to your tunnel group > General, expand More Options and uncheck Maximum Connect Time; there you can specify minutes. The VPN session will terminate when it reaches the specified time in minutes.

Example to specify 90 minutes; you can also do it through the CLI. Note this is not a timeout; this will drop the session in 90 minutes for all members of the tunnel group.

group-policy attributes

vpn-session-timeout 90

You can disable it as:

group-policy attributes

no vpn-session-timeout

As for disabling/enabling L2L VPN sessions, there is no disable/enable option like in VPN concentrators. I know that is a nice feature in the concentrator, but I have not seen a feature in the ASA like that, or I'm not aware of one yet.

HTH

Rgds

Jorge

Jorge Rodriguez
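
To confirm which group policies actually carry the session cap described in this answer, a saved running-config can be scanned offline. This is an added example, not part of the original post or any Cisco tooling; the policy names and the sample config are constructed, and it assumes the usual layout where attribute commands are indented under the `group-policy ... attributes` line.

```python
import re

# Constructed sample in ASA running-config style; policy names are made up.
SAMPLE_CONFIG = """\
group-policy RA-STAFF internal
group-policy RA-STAFF attributes
 vpn-idle-timeout 30
 vpn-session-timeout 480
group-policy RA-VENDOR internal
group-policy RA-VENDOR attributes
 vpn-session-timeout none
group-policy RA-LEGACY internal
group-policy RA-LEGACY attributes
 vpn-tunnel-protocol IPSec
crypto isakmp policy 10
 lifetime 86400
"""

HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")
TIMEOUT = re.compile(r"^\s+vpn-session-timeout (\d+|none)\s*$")

def session_timeouts(config):
    """Map each group policy to its vpn-session-timeout in minutes.

    None means an explicit 'vpn-session-timeout none'; 'inherit' means
    the attributes block does not set the command at all.
    """
    result, current = {}, None
    for line in config.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            result.setdefault(current, "inherit")
        elif not line.startswith(" "):
            current = None          # left the attributes sub-mode
        elif current:
            hit = TIMEOUT.match(line)
            if hit:
                value = hit.group(1)
                result[current] = None if value == "none" else int(value)
    return result

def over_limit(config, max_minutes):
    """Policies with no explicit cap, or a cap above max_minutes."""
    return sorted(name for name, t in session_timeouts(config).items()
                  if not isinstance(t, int) or t > max_minutes)

if __name__ == "__main__":
    for name, t in session_timeouts(SAMPLE_CONFIG).items():
        print(name, t)
    print("review:", over_limit(SAMPLE_CONFIG, 480))
```

The ISAKMP `lifetime` line in the sample is deliberately ignored: it is a separate setting from the per-session cap in the group policy.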

That is exactly what I was looking for, thanks.

If you were to temporarily disable a VPN, how would you go about doing it?

Ryan, thanks for the rating, appreciated.

As far as disabling the L2L VPN tunnel without deleting the complete configuration, I would probably change the secret key to something else on that particular tunnel. The IPsec Phase 1 will not complete and the tunnel will never come up, until you put the right secret key back again through ASDM or CLI.

i.e.

isakmp key address netmask 255.255.255.255 no-xauth

Rgds

Jorge

Jorge Rodriguez