ASA 8.2 vpn-filter for l2l connections

Answered Question
May 11th, 2010

I have a vpn-filter set on my L2L policy. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have a vpn-filter acl in place on an existing L2L connection that works fine. The only issue is, when I make changes to the acl to add/remove access, I have to reload the entire tunnel before the changes take place.


My question is, is there a command to reload the access control without dropping the tunnel?

Correct Answer by mopaul, Tue, 05/11/2010 - 09:39

Hi Jeffrey,

By design, whenever any changes are made to the group-policy attributes (including vpn-filter, DNS/WINS IP or vpn-protocol etc.), you have to reset the respective tunnel so that phase 2 negotiates with the newly added policies. The command to clear a specific tunnel is:

clear crypto ipsec sa peer <peer-ip>

For further details on the command, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c3.html#wp2133652

So, to answer your query: no, there is no such command to reset the access control. Had there been any such command, you would still have to reset the tunnel to trigger the IPsec negotiations with the new group-policy parameters.

HTH...

Regards
Mohit
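Putting the answer into configuration form, as an added example that is not from the original thread or from Cisco documentation: a hub-side ASA 8.2 L2L tunnel with a vpn-filter attached through its group-policy, followed by the change-and-reset procedure the answer describes. Every name and address here (L2L_BRANCH_FILTER, L2L_BRANCH_GP, peer 203.0.113.10, hub LAN 10.1.0.0/16, branch LAN 192.168.50.0/24, the host addresses) is hypothetical.

```cisco
! Added example, not from the original post. Hub ASA 8.2, all names/addresses hypothetical.
!
! A vpn-filter ACL is always evaluated with the REMOTE (branch) side as the source
! and the LOCAL (hub) side as the destination, whichever end opened the flow.
! Flows the branch opens toward the hub: remote net -> hub host, destination port.
access-list L2L_BRANCH_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.10.25 eq 443
access-list L2L_BRANCH_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.10.26 eq 22
! Flows the hub opens toward the branch: the branch service port shows up as the
! SOURCE port, because the remote side is still written as the source.
access-list L2L_BRANCH_FILTER extended permit tcp 192.168.50.0 255.255.255.0 eq 445 host 10.1.10.30
! Everything else across the tunnel is dropped by the implicit deny.
!
group-policy L2L_BRANCH_GP internal
group-policy L2L_BRANCH_GP attributes
 vpn-filter value L2L_BRANCH_FILTER
 vpn-tunnel-protocol IPSec
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_BRANCH_GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
!
! --- Later change: open RDP to one more hub host ---
! Editing the ACL alone does not affect the tunnel that is already up.
access-list L2L_BRANCH_FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.10.27 eq 3389
!
! Reset only this peer's phase-2 SAs so the group-policy (and its filter) is
! re-applied when the tunnel comes back; other L2L peers are untouched.
clear crypto ipsec sa peer 203.0.113.10
!
! Verify: the SAs rebuild on the next interesting packet, and the session
! should show the filter name.
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb detail l2l
```

Two things worth checking before relying on the filter: with `sysopt connection permit-vpn` enabled (the default), decrypted traffic bypasses the interface ACLs, so the vpn-filter is the only access control on the tunnel; and because the ACL is written from the remote side's point of view, a rule that looks correct from the hub's perspective can silently permit nothing, which only becomes visible after the SA reset described above.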
