Show vpn-sessiondb detail l2l . How to clear connections by Tunnel ID?

Answered Question
Oct 24th, 2011

With "show vpn-sessiondb detail l2l", I obtain this output:

IPsec:

  Tunnel ID    : 107.2

  Local Addr   : 172.20.18.0/255.255.255.0/0/0

  Remote Addr  : 172.20.24.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : MD5

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28259 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607996 K-Bytes

  Idle Time Out: 30 Minutes             Idle TO Left : 21 Minutes

  Bytes Tx     : 5016                   Bytes Rx     : 0

  Pkts Tx      : 38                     Pkts Rx      : 0

IPsec:

  Tunnel ID    : 107.3

  Local Addr   : 172.20.19.0/255.255.255.0/0/0

  Remote Addr  : 172.20.24.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : MD5

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28257 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607998 K-Bytes

  Idle Time Out: 30 Minutes             Idle TO Left : 21 Minutes

  Bytes Tx     : 2244                   Bytes Rx     : 0

  Pkts Tx      : 17                     Pkts Rx      : 0

Is there a way to clear the IPsec connection by "Tunnel ID"? I am familiar with "clear ipsec sa <peer ip>", but that will bring down the whole tunnel. I am looking into how to be more granular, clearing connections coming from Local Addr 172.20.19.0/255.255.255.0/0/0, for example (see output above).

Thanks

John

Correct Answer by Jennifer Halim about 2 years 5 months ago

No, unfortunately you can't just clear the connection for 1 specific SA within a tunnel.

The only option with "vpn-sessiondb logoff" is as follows:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1726098

which is pretty much the same as what you can achieve via "clear cry ipsec sa " command.

sachinga.hcl Wed, 02/08/2012 - 01:17

Hi John,

First, review some of the available commands with vpn-sessiondb:

ciscoasa# vpn-sess logoff ?

  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index specific session
  ipaddress     IP Address specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          Username specific sessions
  protocol      Protocol specific sessions
  remote        IPsec Remote Access sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions

Here's how I log off a VPN session from an ASA.

You can also log off all sessions.

Logging off a single session can be done based on index.

First, get the index.

# show vpn-sessiondb remote

Username     : remoteuser1               Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 220                    Bytes Rx     : 844
Group Policy : MyGroupPolicy         Tunnel Group : tpm
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Look for the user and the associated index ID. In the above example the Index is 10030.

So to log off only one session for that specific index ID 10030, kindly use the below mentioned command on your Cisco ASA:

# vpn-sessiondb logoff index 10030

Do you want to logoff the VPN session(s)? [confirm] INFO: Session with Index = 10030 has been logged off

Note, you can also log off a specific session based on name (as well as index) if you know the name.

You can log off all sessions by simply using

vpn-sessiondb logoff all

There are several other options for particular types of sessions to be logged off, based on the type of connection, and then either one session based on index or all sessions for that particular type, like only webvpn or only remote, but remember to first get the session Index before moving ahead.

ciscoasa#vpn-sessiondb logoff name ssluser1
Do you want to logoff the VPN session(s)? [confirm] Y
INFO: Number of sessions with name "ssluser1" logged off : 1

ciscoasa#Called vpn_remove_uauth: success!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
np_svc_destroy_session(0xB000)

show vpn-sessiondb

To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail, lets you specify the type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo}]
[sort {name | ipaddress | a-ipaddress | p-ip address | tunnel-group | protocol | encryption}]

--------------------

Viewing SSL VPN Sessions

You can view information about active sessions using the show vpn-sessiondb command in privileged EXEC mode:

show vpn-sessiondb svc

The following example shows the output of the show vpn-sessiondb svc command:

hostname# show vpn-sessiondb svc


Session Type: SSL VPN Client


Username     : lee
Index        : 1                      IP Addr      : 209.165.200.232
Protocol     : SSL VPN Client         Encryption   : 3DES
Hashing      : SHA1                   Auth Mode    : userPassword
TCP Dst Port : 443                    TCP Src Port : 54230
Bytes Tx     : 20178                  Bytes Rx     : 8662
Pkts Tx      : 27                     Pkts Rx      : 19
Client Ver   : Cisco STC 1.1.0.117
Client Type  : Internet Explorer
Group        : DfltGrpPolicy
Login Time   : 14:32:03 UTC Wed Mar 20 2007
Duration     : 0h:00m:04s
Filter Name  :

Logging Off SVC Sessions

To log off all SSL VPN sessions, use the vpn-sessiondb logoff svc command in global configuration mode:

vpn-sessiondb logoff svc

The following example logs off all SSL VPN sessions:

hostname# vpn-sessiondb logoff svc
INFO: Number of sessions of type "svc" logged off : 1


You can log off individual sessions using either the name option, or the index option:

vpn-sessiondb logoff name name

vpn-sessiondb logoff index index

You can find both the username and the index number (established by the order of the client images) in the output of the show vpn-sessiondb svc command. The following example shows the username lee and index number 1.

hostname# show vpn-sessiondb svc


Session Type: SSL VPN Client


Username     : lee
Index        : 1                      IP Addr      : 209.165.200.232
Protocol     : SSL VPN Client         Encryption   : 3DES
Hashing      : SHA1                   Auth Mode    : userPassword
TCP Dst Port : 443                    TCP Src Port : 54230
Bytes Tx     : 20178                  Bytes Rx     : 8662
Pkts Tx      : 27                     Pkts Rx      : 19
Client Ver   : Cisco STC 1.1.0.117
Client Type  : Internet Explorer
Group        : DfltGrpPolicy
Login Time   : 14:32:03 UTC Wed Mar 26 2007
Duration     : 0h:00m:04s
Filter Name  :


The following example terminates the session using the name option of the vpn-sessiondb logoff command:

hostname# vpn-sessiondb logoff name tester
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "mkrupp" logged off : 0


hostname# 

vpn-sessiondb logoff

To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.

vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol-name | name username | ipaddress IPaddr | tunnel-group groupname | index indexnumber | all}

Syntax Description

all: Logs off all VPN sessions.

email-proxy: Logs off all e-mail proxy sessions.

index indexnumber: Logs off a single session by index number. Specify the index number for the session.

ipaddress IPaddr: Logs off sessions for the IP address that you specify.

l2l: Logs off all LAN-to-LAN sessions.

name username: Logs off sessions for the username that you specify.

protocol protocol-name: Logs off sessions for the protocols that you specify. The protocols include IKE, IMAP4S, IPSec, IPSecLAN2LAN, IPSecLAN2LANOverNatT, IPSecOverNatT, IPSecoverTCP, IPSecOverUDP, POP3S, SMTPS, userHTTPS and vcaLAN2LAN.

remote: Logs off all remote-access sessions.

tunnel-group groupname: Logs off sessions for the tunnel group that you specify.

webvpn: Logs off all WebVPN sessions.




--------------------

Similarly, you can use the vpn-sessiondb logoff svc command in order to terminate all the SVC sessions.



I find using the ASDM more accurate and less error prone if you are a novice. It also gives you a summary of the login statistics at a glance.


One is to use the GUI – Cisco’s ASDM and the other by using good old CLI.

On ASDM (Version 6.2)

- Click on the monitoring tab.

- Under VPN statistics, select sessions

- On the right drop down box where it says "Filter By" select IPsec Remote Access or, if you are using SSL Client/Clientless VPN, select the one of your choice.

- Click the Logout button!

For getting details of all VPN sessions on a Cisco ASA box please use the following:

ciscoasa# show vpn-sessiondb summary
Active Session Summary
Sessions:
                            Active : Cumulative : Peak Concurrent
  SSL VPN               :          0 :          4 :               2
    Clientless only     :          0 :          4 :               2
    With client         :          0 :          0 :               0
  Email Proxy           :          0 :          0 :               0
  IPsec LAN-to-LAN      :          0 :          0 :               0
  IPsec Remote Access   :          0 :        877 :               3
  Totals              :          0 :        881
License Information:
  IPsec   :     10    Configured :     10    Active :      0    Load :   0%
  SSL VPN :      2    Configured :      2    Active :      2    Load : 100%
  Total   :     12    Configured :     12    Active :      2    Load :  17%
                Active : Cumulative : Peak Concurrent
  IPsec   :          0 :        877 :               3
  SSL VPN :          2 :          6 :               2
  Totals  :          2 :        883
Tunnels:
                              Active : Cumulative : Peak Concurrent
  IKE                   :          0 :        877 :               3
  IPsec                 :          0 :        159 :               1
  IPsecOverNatT         :          0 :        611 :               2
  L2TPOverIPsec         :          0 :         90 :               1
  L2TPOverIPsecOverNatT :          0 :        404 :               2
  Clientless            :          0 :          4 :               2
  Totals                :          0 :       2145
Active NAC Sessions:
  No NAC sessions to display
Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display
ciscoasa#




Hope it Helps. !!!
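The question's `show vpn-sessiondb detail l2l` output and the index-based logoff described above can be handled by one small parser. The following Python is an added example, not code from this thread or from Cisco: it splits both output shapes into per-session records, lists the Tunnel IDs whose Local Addr falls inside a given network, and builds the `vpn-sessiondb logoff index` command for a remote-access user, returning None for LAN-to-LAN records because they carry a Tunnel ID but no Index (the assumption is that the ASA keeps the fixed "Label : value" layout shown in the thread).

```python
import ipaddress
import re

# One "Key : Value" field; a line may hold two side by side. Keys contain only
# letters, spaces and parentheses, so the colons in "09:59:32 EDT ..." are never
# taken for a key (assumption: the ASA keeps this fixed-label layout).
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z() ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z() ]*?\s*:|\s*$)")

def parse_sessiondb(text):
    """Split show vpn-sessiondb output into one dict per session."""
    records, current = [], {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key in current:          # repeated label => next session block
                records.append(current)
                current = {}
            current[key] = value
    return records + [current] if current else records

def l2l_tunnels_for_local(records, network):
    """Tunnel IDs of the LAN-to-LAN SAs whose Local Addr lies in network."""
    wanted = ipaddress.ip_network(network)
    hits = []
    for rec in records:
        if "Tunnel ID" in rec and "Local Addr" in rec:
            addr, mask = rec["Local Addr"].split("/")[:2]  # net/mask/proto/port
            if ipaddress.ip_network(f"{addr}/{mask}").subnet_of(wanted):
                hits.append(rec["Tunnel ID"])
    return hits

def logoff_command(records, username):
    """Logoff command for a named session, or None when it has no Index."""
    for rec in records:
        if rec.get("Username") == username and "Index" in rec:
            return f"vpn-sessiondb logoff index {rec['Index']}"
    return None

# Constructed samples, trimmed from the outputs quoted in this thread.
L2L_OUTPUT = """\
IPsec:
  Tunnel ID    : 107.2
  Local Addr   : 172.20.18.0/255.255.255.0/0/0
IPsec:
  Tunnel ID    : 107.3
  Local Addr   : 172.20.19.0/255.255.255.0/0/0
"""
REMOTE_OUTPUT = """\
Username     : remoteuser1               Index        : 10030
Login Time   : 09:59:32 EDT Wed Sep 21 2011
"""
```

Knowing which Tunnel ID belongs to which Local Addr confirms the SA you are looking at, but as the accepted answer says, the ASA still offers no logoff keyed on that Tunnel ID.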

johnramz@gmail.com_2 Fri, 02/10/2012 - 08:49

sachinga.hcl,

I appreciate your thorough answer and how to manage granularity on the other types of VPN sessions (remote users and SSL sessions). Unfortunately, it is not that granular on "l2l" sessions. Just to bring it up, the functionality is not there yet to just log off session "Tunnel ID    : 107.3", shown as an example in my first post on this thread.

Thanks anyway for taking the time to compose a long reply. Now I know even more about how to manage the other types of sessions.

John

varinsin Fri, 02/10/2012 - 10:58

You can try to clear a particular tunnel ID's inbound spi value. Try this command on the ASA:

# clear crypto ipsec sa entry 2.2.2.2 esp 0.ffffffff

Here 2.2.2.2 is the peer address and 0.ffffffff is the value for spi which can be taken from the following command.

# sh cry ipsec sa

You will see the inbound and outbound spi for every crypto access list.

Let me know if it works

Varinder
