10-24-2011 08:05 AM
With "show vpn-sessiondb detail l2l", I obtain this output:
IPsec:
Tunnel ID : 107.2
Local Addr : 172.20.18.0/255.255.255.0/0/0
Remote Addr : 172.20.24.0/255.255.255.0/0/0
Encryption : 3DES Hashing : MD5
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28259 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607996 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 21 Minutes
Bytes Tx : 5016 Bytes Rx : 0
Pkts Tx : 38 Pkts Rx : 0
IPsec:
Tunnel ID : 107.3
Local Addr : 172.20.19.0/255.255.255.0/0/0
Remote Addr : 172.20.24.0/255.255.255.0/0/0
Encryption : 3DES Hashing : MD5
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28257 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607998 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 21 Minutes
Bytes Tx : 2244 Bytes Rx : 0
Pkts Tx : 17 Pkts Rx : 0
Is there a way to clear the IPsec connection by "Tunnel ID"? I am familiar with "clear ipsec sa <peer ip>", but that will bring down the whole tunnel. I am looking into how to be more granular, clearing connections coming from Local Addr 172.20.19.0/255.255.255.0/0/0, for example (see output above).
Thanks
John
Solved! Go to Solution.
10-24-2011 11:22 PM
No, unfortunately you can't just clear the connection for 1 specific SA within a tunnel.
The only option with "vpn-sessiondb logoff" is as follows:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1726098
which is pretty much the same as what you can achieve via "clear crypto ipsec sa".
10-25-2011 06:43 AM
Thanks Jennifer, perhaps on a later ASA code this would be available.
I appreciate your reply
John
02-08-2012 01:17 AM
Hi John,
First, review some of the available commands with vpn-sessiondb:
ciscoasa# vpn-sess logoff ?
  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index specific session
  ipaddress     IP Address specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          Username specific sessions
  protocol      Protocol specific sessions
  remote        IPsec Remote Access sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions
Here’s how I log off a VPN session from an ASA.
You can also log off all sessions.
For logging off a single session, it can be done based on index.
First, get the index.
# show vpn-sessiondb remote

Username     : remoteuser1            Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 220                    Bytes Rx     : 844
Group Policy : MyGroupPolicy          Tunnel Group : tpm
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Look for the user and the associated index ID. In the above example the Index is 10030.
So to log off only the one session for that specific index ID 10030, use the below mentioned command on your Cisco ASA:
# vpn-sessiondb logoff index 10030
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 10030 has been logged off

Note, you can also log off a specific session based on name (as well as index) if you know the name.
You can log off all sessions by simply using
vpn-sessiondb logoff all
There are several other options to log off particular types of sessions, based on the type of connection, and then either only one session based on index or all sessions of that particular type (like only webvpn or only remote), but remember to first get the session index before moving ahead.

ciscoasa# vpn-sessiondb logoff name ssluser1
Do you want to logoff the VPN session(s)? [confirm] Y
INFO: Number of sessions with name "ssluser1" logged off : 1
ciscoasa# Called vpn_remove_uauth: success!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
np_svc_destroy_session(0xB000)

show vpn-sessiondb
To display information about VPN sessions, use the show vpn-sessiondb command in privileged EXEC mode. The command includes options for displaying information in full or in detail, lets you specify type of sessions to display, and provides options to filter and sort the information. The syntax table and usage notes organize the choices accordingly.
show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo}] [sort {name | ipaddress | a-ipaddress | p-ipaddress | tunnel-group | protocol | encryption}]
Viewing SSL VPN Sessions
You can view information about active sessions using the show vpn-sessiondb command in privileged EXEC mode:
show vpn-sessiondb svc
The following example shows the output of the show vpn-sessiondb svc command:
hostname# show vpn-sessiondb svc

Session Type: SSL VPN Client

Username     : lee                    Index        : 1
IP Addr      : 209.165.200.232
Protocol     : SSL VPN Client
Encryption   : 3DES                   Hashing      : SHA1
Auth Mode    : userPassword
TCP Dst Port : 443                    TCP Src Port : 54230
Bytes Tx     : 20178                  Bytes Rx     : 8662
Pkts Tx      : 27                     Pkts Rx      : 19
Client Ver   : Cisco STC 1.1.0.117
Client Type  : Internet Explorer
Group        : DfltGrpPolicy
Login Time   : 14:32:03 UTC Wed Mar 20 2007
Duration     : 0h:00m:04s
Filter Name  :

Logging Off SVC Sessions
To log off all SSL VPN sessions, use the vpn-sessiondb logoff svc command in global configuration mode:
vpn-sessiondb logoff svc
The following example logs off all SSL VPN sessions:
hostname# vpn-sessiondb logoff svc
INFO: Number of sessions of type "svc" logged off : 1

You can log off individual sessions using either the name option, or the index option:
vpn-sessiondb logoff name name
vpn-sessiondb logoff index index
You can find both the username and the index number (established by the order of the client images) in the output of the show vpn-sessiondb svc command. The following example shows the username lee and index number 1.
hostname# show vpn-sessiondb svc

Session Type: SSL VPN Client

Username     : lee                    Index        : 1
IP Addr      : 209.165.200.232
Protocol     : SSL VPN Client
Encryption   : 3DES                   Hashing      : SHA1
Auth Mode    : userPassword
TCP Dst Port : 443                    TCP Src Port : 54230
Bytes Tx     : 20178                  Bytes Rx     : 8662
Pkts Tx      : 27                     Pkts Rx      : 19
Client Ver   : Cisco STC 1.1.0.117
Client Type  : Internet Explorer
Group        : DfltGrpPolicy
Login Time   : 14:32:03 UTC Wed Mar 26 2007
Duration     : 0h:00m:04s
Filter Name  :

The following example terminates the session using the name option of the vpn-sessiondb logoff command:

hostname# vpn-sessiondb logoff name tester
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "mkrupp" logged off : 0
hostname#

vpn-sessiondb logoff
To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.
vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol-name | name username | ipaddress IPaddr | tunnel-group groupname | index indexnumber | all}
Similarly, you can use the vpn-sessiondb logoff svc command in order to terminate all the SVC sessions.
I find using the ASDM more accurate and less error prone if you are a novice. It also gives you a summary of the login statistics at a glance.
There are two ways: one is to use the GUI (Cisco's ASDM) and the other is to use good old CLI.
On ASDM (Version 6.2)
- Click on the monitoring tab.
- Under VPN statistics, select sessions
- On the right drop down box where it says “Filter By” select IPsec Remote Access or if you are using SSL Client/Clientless VPN select the one of your choice.
- Click the Logout button!
For getting details of all VPN sessions on a Cisco ASA box, please use the following:

ciscoasa# show vpn-sessiondb summary

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent
  SSL VPN                :      0 :          4 :               2
    Clientless only      :      0 :          4 :               2
    With client          :      0 :          0 :               0
  Email Proxy            :      0 :          0 :               0
  IPsec LAN-to-LAN       :      0 :          0 :               0
  IPsec Remote Access    :      0 :        877 :               3
  Totals                 :      0 :        881

License Information:
  IPsec   :     10  Configured :     10  Active :      0  Load :   0%
  SSL VPN :      2  Configured :      2  Active :      2  Load : 100%
  Total   :     12  Configured :     12  Active :      2  Load :  17%

                           Active : Cumulative : Peak Concurrent
  IPsec                  :      0 :        877 :               3
  SSL VPN                :      2 :          6 :               2
  Totals                 :      2 :        883

Tunnels:
                           Active : Cumulative : Peak Concurrent
  IKE                    :      0 :        877 :               3
  IPsec                  :      0 :        159 :               1
  IPsecOverNatT          :      0 :        611 :               2
  L2TPOverIPsec          :      0 :         90 :               1
  L2TPOverIPsecOverNatT  :      0 :        404 :               2
  Clientless             :      0 :          4 :               2
  Totals                 :      0 :       2145

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

ciscoasa#
Hope it helps!
02-10-2012 08:49 AM
sachinga.hcl,
I appreciate your thorough answer and how to manage granularity on the other types of VPN sessions (remote users and SSL sessions). Unfortunately, it is not that granular on "l2l" sessions. Just to bring it up, the functionality is not there yet to log off just the session "Tunnel ID : 107.3" shown as an example in my first post on this thread.
Thanks anyway for taking the time to compose a long reply. Now I know even more about how to manage the other types of sessions.
John
02-10-2012 10:58 AM
You can try to clear a particular tunnel ID's inbound SPI value. Try this command on the ASA:
# clear crypto ipsec sa entry 2.2.2.2 esp 0.fffffffff
Here 2.2.2.2 is the peer address and 0.ffffffff is the value for spi which can be taken from the following command.
# sh cry ipsec sa
You will see the inbound and outbound SPI for every crypto access list.
Let me know if it works
Varinder
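The per-SA clear that Varinder describes needs two things the thread shows separately: the Local/Remote Addr selectors that identify a Tunnel ID in "show vpn-sessiondb detail l2l", and the inbound SPI for that same proxy identity in "show crypto ipsec sa". The script below is an added example, not code from the thread or from Cisco. It parses both outputs and builds the "clear crypto ipsec sa entry <peer> esp <spi>" line for one Tunnel ID. The vpn-sessiondb sample is taken from John's first post; the "show crypto ipsec sa" sample is constructed in the usual ASA layout, and its peer address 198.51.100.2, local endpoint 203.0.113.1, crypto map name and SPI values are hypothetical.

```python
"""Build an ASA 'clear crypto ipsec sa entry' command for one l2l Tunnel ID.
Added example; both sample texts are constructed (peer, endpoint, map name and
SPIs are hypothetical). Nothing here talks to a device."""
import re

# Constructed: mirrors the l2l output posted in the question.
SESSIONDB_L2L = """\
IPsec:
Tunnel ID : 107.2
Local Addr : 172.20.18.0/255.255.255.0/0/0
Remote Addr : 172.20.24.0/255.255.255.0/0/0
IPsec:
Tunnel ID : 107.3
Local Addr : 172.20.19.0/255.255.255.0/0/0
Remote Addr : 172.20.24.0/255.255.255.0/0/0
"""

# Constructed: hypothetical 'show crypto ipsec sa' excerpt, one crypto-map
# entry per proxy identity; both identities terminate on the same peer.
CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (172.20.18.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.24.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      current outbound spi: 0A1B2C3D
      current inbound spi : 4E5F6071

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (172.20.19.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.24.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      current outbound spi: 7A8B9CAD
      current inbound spi : BEEF0042
"""


def parse_sessiondb_l2l(text):
    """Return {tunnel_id: (local_addr, remote_addr)} from 'show vpn-sessiondb detail l2l'."""
    tunnels, tid = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Tunnel ID\s*:\s*(\S+)", line)
        if m:
            tid = m.group(1)
            tunnels[tid] = {}
            continue
        m = re.match(r"\s*(Local|Remote) Addr\s*:\s*(\S+)", line)
        if m and tid is not None:
            tunnels[tid][m.group(1).lower()] = m.group(2)
    return {t: (v.get("local"), v.get("remote")) for t, v in tunnels.items()}


def parse_crypto_ipsec_sa(text):
    """Return one dict per crypto-map entry with local, remote, peer and inbound_spi."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {}
            entries.append(cur)
            continue
        if cur is None:          # header lines before the first crypto-map entry
            continue
        m = re.match(r"(local|remote) ident .*:\s*\(([^)]+)\)", line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = re.match(r"current_peer:\s*(\S+)", line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = re.match(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", line)
        if m:
            cur["inbound_spi"] = m.group(1).upper()
    return entries


def clear_command_for_tunnel(tunnel_id, sessiondb_text, ipsec_sa_text):
    """Match the tunnel's proxy identities to a crypto-map entry and emit the
    per-SA clear command in the form given in the thread (peer, esp, inbound SPI).
    SPIs change at every rekey, so feed this freshly captured output."""
    tunnels = parse_sessiondb_l2l(sessiondb_text)
    if tunnel_id not in tunnels:
        raise KeyError(f"Tunnel ID {tunnel_id} not present in vpn-sessiondb output")
    local, remote = tunnels[tunnel_id]
    for entry in parse_crypto_ipsec_sa(ipsec_sa_text):
        if entry.get("local") == local and entry.get("remote") == remote:
            if "peer" not in entry or "inbound_spi" not in entry:
                raise ValueError(f"entry for {local} -> {remote} has no active inbound SA")
            return f"clear crypto ipsec sa entry {entry['peer']} esp 0x{entry['inbound_spi']}"
    raise LookupError(f"no crypto-map entry matches {local} -> {remote}")
```

Calling clear_command_for_tunnel("107.3", SESSIONDB_L2L, CRYPTO_IPSEC_SA) returns the command for the 172.20.19.0/24 proxy identity only; the matching is done on the full addr/mask/prot/port selector strings, which is what distinguishes 107.2 from 107.3 when both share the same peer. Because the Rekey Left counters in the question show the SAs rolling over roughly every eight hours, the SPI must be read from output captured just before the clear, not from an earlier capture.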