Hi John,
First, review some of the available commands with vpn-sessiondb:
ciscoasa# vpn-sess logoff ?
all All sessions
email-proxy Email-Proxy sessions
index Index specific session
ipaddress IP Address specific sessions
l2l IPsec LAN-to-LAN sessions
name Username specific sessions
protocol Protocol specific sessions
remote IPsec Remote Access sessions
svc SSL VPN Client sessions
tunnel-group Tunnel-group sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
Here’s how I log off a VPN session from an ASA.
You can also log off all sessions.
For Logging off single session, it can be done based on index.
First, get the index.
# show vpn-sessiondb remote
Username : remoteuser1 Index : 10030
Assigned IP : 172.16.0.182 Public IP : 1.2.3.4
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : DES 3DES Hashing : MD5 SHA1
Bytes Tx : 220 Bytes Rx : 844
Group Policy : MyGroupPolicy Tunnel Group : tpm
Login Time : 09:59:32 EDT Wed Sep 21 2011
Duration : 0h:01m:15s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Look for the user and associated index ID (in bold). In the above example the Index is 10030.
SO to Log off only one session for that specific index ID 10030 kindly use the below mentioned command on your cisco asa:
# vpn-sessiondb logoff index 10030
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 10030 has been logged off
Note, you can also logoff a specific sesson based on name (as well as index) if you know the name.
You can log off all sessions by simply using
vpn-sessiondb logoff all
There are several other options for particular type of sessions to be logged off, based on the type of connection, and then depend only one session based on index or all session for taht particular tyope like only webvpn or only remote, but remeber first get the session Index before moving ahead.
ciscoasa#vpn-sessiondb logoff name ssluser1
Do you want to logoff the VPN session(s)? [confirm] Y
INFO: Number of sessions with name "ssluser1" logged off : 1
ciscoasa#Called vpn_remove_uauth: success!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
np_svc_destroy_session(0xB000)
show vpn-sessiondb
To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail, lets you specify type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.
show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo}]
[sort {name | ipaddress | a-ipaddress | p-ip address | tunnel-group | protocol | encryption}]
--------------------
Viewing SSL VPN Sessions
You can view information about active sessions using the show vpn-sessiondb command in privileged EXEC mode:
show vpn-sessiondb svc
The following example shows the output of the show vpn-sessiondb svc command:
hostname# show vpn-sessiondb svc
Session Type: SSL VPN Client
Index : 1 IP Addr : 209.165.200.232
Protocol : SSL VPN Client Encryption : 3DES
Hashing : SHA1 Auth Mode : userPassword
TCP Dst Port : 443 TCP Src Port : 54230
Bytes Tx : 20178 Bytes Rx : 8662
Pkts Tx : 27 Pkts Rx : 19
Client Ver : Cisco STC 1.1.0.117
Client Type : Internet Explorer
Login Time : 14:32:03 UTC Wed Mar 20 2007
Logging Off SVC Sessions
To log off all SSL VPN sessions, use the vpn-sessiondb logoff svc command in global configuration mode:
vpn-sessiondb logoff svc
The following example logs off all SSL VPN sessions:
hostname# vpn-sessiondb logoff svc
INFO: Number of sessions of type "svc" logged off : 1
You can log off individual sessions using either the name option, or the index option:
vpn-session-db logoff name name
vpn-session-db logoff index index
You can find both the username and the index number (established by the order of the client images) in the output of the show vpn-sessiondb svc command. The following example shows the username lee and index number 1.
hostname# show vpn-sessiondb svc
Session Type: SSL VPN Client
Index : 1 IP Addr : 209.165.200.232
Protocol : SSL VPN Client Encryption : 3DES
Hashing : SHA1 Auth Mode : userPassword
TCP Dst Port : 443 TCP Src Port : 54230
Bytes Tx : 20178 Bytes Rx : 8662
Pkts Tx : 27 Pkts Rx : 19
Client Ver : Cisco STC 1.1.0.117
Client Type : Internet Explorer
Login Time : 14:32:03 UTC Wed Mar 26 2007
The following example terminates the session using the name option of the vpn-session-db logoff command:
hostname# vpn-sessiondb logoff name tester
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "mkrupp" logged off : 0
vpn-sessiondb logoff
To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.
vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol-name | name username | ipaddress IPaddr | tunnel-group groupname | index indexnumber | all}
Syntax Description
|
all
|
Logs off all VPN sessions.
|
|
email-proxy
|
Logs off all e-mail proxy sessions.
|
|
index indexnumber
|
Logs off a single session by index number. Specify the index number for the session.
|
|
ipaddress IPaddr
|
Logs off sessions for the IP address hat you specify.
|
|
l2l
|
Logs off all LAN-to-LAN sessions.
|
|
name username
|
Logs off sessions for the username that you specify.
|
|
protocol protocol-name
|
Logs off sessions for protocols that you specify. The protocols include:
|
| |
IKE
IMAP4S
IPSec
IPSecLAN2LAN
IPSecLAN2LANOverNatT
IPSecOverNatT
IPSecoverTCP
IPSecOverUDP
|
POP3S
SMTPS
userHTTPS
vcaLAN2LAN
|
|
remote
|
Logs off all remote-access sessions.
|
|
tunnel-group groupname
|
Logs off sessions for the tunnel group that you specify.
|
|
webvpn
|
Logs off all WebVPN sessions.
|
--------------------
Similarly, you can use the vpn-sessiondb logoff svc command in order to terminate all the SVC sessions.
I find using the ASDM more accurate and less error prone if you are novice. It also gives you a summary of the login statistics at a glance.
One is to use the GUI – Cisco’s ASDM and the other by using good old CLI.
On ASDM (Version 6.2)
- Click on the monitoring tab.
- Under VPN statistics, select sessions
- On the right drop down box where it says “Filter By” select IPsec Remote Access or if you are using SSL Client/Clientless VPN select the one of your choice.
- Click the Logout button!
For getting details of all VPN sessions on cisco ASA box please use following :
- ciscoasa# show vpn-sessiondb summary
-
- Active Session Summary
-
- Sessions:
- Active : Cumulative : Peak Concurrent
- SSL VPN : 0 : 4 : 2
- Clientless only : 0 : 4 : 2
- With client : 0 : 0 : 0
- Email Proxy : 0 : 0 : 0
- IPsec LAN-to-LAN : 0 : 0 : 0
- IPsec Remote Access : 0 : 877 : 3
- Totals : 0 : 881
-
- License Information:
- IPsec : 10 Configured : 10 Active : 0 Load : 0%
- SSL VPN : 2 Configured : 2 Active : 2 Load : 100%
- Total : 12 Configured : 12 Active : 2 Load : 17%
- Active : Cumulative : Peak Concurrent
- IPsec : 0 : 877 : 3
- SSL VPN : 2 : 6 : 2
- Totals : 2 : 883
-
- Tunnels:
- Active : Cumulative : Peak Concurrent
- IKE : 0 : 877 : 3
- IPsec : 0 : 159 : 1
- IPsecOverNatT : 0 : 611 : 2
- L2TPOverIPsec : 0 : 90 : 1
- L2TPOverIPsecOverNatT : 0 : 404 : 2
- Clientless : 0 : 4 : 2
- Totals : 0 : 2145
-
- Active NAC Sessions:
- No NAC sessions to display
-
- Active VLAN Mapping Sessions:
- No VLAN Mapping sessions to display
- ciscoasa#
Hope it Helps. !!!
