04-08-2008 08:34 AM - edited 02-21-2020 03:39 PM
We are moving from a 3005 concentrator to an ASA5510 and I have a couple of questions.
In the 3005 you can disable and enable VPN tunnels rather easily. You go into the policy and check or uncheck the enable box. What is the method to temporarily disable a tunnel on the ASA? Through the ASDM preferably, for ease of management.
Also, I want my remote access sessions to timeout after 8 hours. It shows in the tunnel policy in the ASDM that it is set for 8 (28800) hours but I don't see this value in the config at all. I do see a value of 86400 for the isakmp policy though. If it's set in the ASDM as 8 hours why doesn't it show up in the config? Which takes precedence on the timeout, the tunnel policy or the isakmp policy?
Thanks!
04-08-2008 04:53 PM
Ryan,
For your remote access users, the VPN session max connection time can be specified in the tunnel group policy attributes. In ASDM go to your tunnel group > General, expand More Options and uncheck Maximum Connect Time; there you can specify minutes. The VPN session will terminate when it reaches the specified time in minutes.
Example to specify 90 minutes; you can also do it through the CLI. Note this is not a timeout; this will drop the session in 90 minutes for all members of the tunnel group.
group-policy
vpn-session-timeout 90
You can disable it as:
group-policy
no vpn-session-timeout
As for disabling/enabling L2L VPN sessions, there is no disable/enable option like in VPN concentrators. I know that is a nice feature in the concentrator, but I have not seen a feature in the ASA like that, or I'm not aware of one yet.
HTH
Rgds
Jorge
04-09-2008 02:42 PM
That is exactly what I was looking for, thanks.
If you were to temporarily disable a VPN, how would you go about doing it?
04-09-2008 08:33 PM
Ryan, thanks for the rating, appreciated.
As far as disabling the L2L VPN tunnel without deleting the complete configuration, I would probably change the secret key to something else on that particular tunnel. The IPsec Phase 1 will not complete and the tunnel will never come up, until you can put the right secret key back again through ASDM or CLI.
i.e.
isakmp key
Rgds
Jorge