Disconnecting VPN Sessions from the ASA Command Line

Document

Jul 30, 2010 3:18 AM

For site-to-site or remote-access IPsec VPNs, you can disconnect the active sessions with the "clear crypto isakmp sa" and "clear crypto ipsec sa" commands, but for AnyConnect and browser-based clientless SSL VPN there is no equivalent clear command.

Instead, the ASA has a well-designed mechanism for managing the various kinds of VPN sessions, and as a by-product of that it offers the very handy vpn-sessiondb logoff command.

ciscoasa(config)# vpn-sessiondb logoff ?

exec mode commands/options:
  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index specific session
  ipaddress     IP Address specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          Username specific sessions
  protocol      Protocol specific sessions
  remote        IPsec Remote Access sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions

Besides specifying the VPN type (l2l, remote, svc, webvpn, and so on), you can also specify a username to disconnect that user's sessions, as shown below.

%ASA-2-602303: IPSEC: An outbound remote access SA (SPI= 0x1F979001) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been created.
%ASA-2-602303: IPSEC: An inbound remote access SA (SPI= 0x63A92ED7) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been created.

ciscoasa(config)#
ciscoasa(config)# show vpn-sessiondb remote sort name

Session Type: IPsec

Username     : cisco                  Index        : 27
Assigned IP  : 192.168.1.1            Public IP    : 192.168.89.1
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES                   Hashing      : MD5 SHA1
Bytes Tx     : 0                      Bytes Rx     : 2959
Group Policy : DfltGrpPolicy          Tunnel Group : EZVPN
Login Time   : 07:36:55 UTC Fri Jul 30 2010
Duration     : 0h:00m:17s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# vpn-sessiondb logoff name cisco    
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "cisco" logged off : 1

%ASA-4-113019: Group = EZVPN, Username = cisco, IP = 192.168.89.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:27s, Bytes xmt: 0, Bytes rcv: 2959, Reason: Administrator Reset
%ASA-2-602304: IPSEC: An inbound remote access SA (SPI= 0x63A92ED7) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been deleted.
%ASA-2-602304: IPSEC: An outbound remote access SA (SPI= 0x1F979001) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been deleted.
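As an added example that is not part of the original document, the following Python script parses the "show vpn-sessiondb" listing and the %ASA-4-113019 syslog messages shown above, so an administrator can check that every session listed before the logoff was actually reported as disconnected with "Reason: Administrator Reset". The sample text is constructed from the output quoted in this document, and the function names are my own.

```python
import re
# Constructed sample input: the session listing and syslog lines quoted in this document
SESSIONDB = """\
Session Type: IPsec

Username     : cisco                  Index        : 27
Assigned IP  : 192.168.1.1            Public IP    : 192.168.89.1
Group Policy : DfltGrpPolicy          Tunnel Group : EZVPN
Login Time   : 07:36:55 UTC Fri Jul 30 2010
"""
SYSLOG = """\
%ASA-4-113019: Group = EZVPN, Username = cisco, IP = 192.168.89.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:27s, Bytes xmt: 0, Bytes rcv: 2959, Reason: Administrator Reset
%ASA-2-602304: IPSEC: An inbound remote access SA (SPI= 0x63A92ED7) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been deleted.
"""

# Two "Label : value" pairs share one line; split at the run of spaces before the second label
COLUMN_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*:)")
# %ASA-4-113019 carries the user, the public IP and the reason the session ended
DISCONNECT = re.compile(r"%ASA-4-113019: Group = (?P<group>\S+), Username = (?P<user>\S+), "
                        r"IP = (?P<ip>\S+), .*Reason: (?P<reason>.+)$")

def parse_sessiondb(text):
    """Turn 'show vpn-sessiondb' output into one dict of fields per session."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Session Type"):
            continue                      # header for the following block, not a session field
        if line.startswith("Username"):
            sessions.append({})           # every session block begins with the Username line
        if not sessions or ":" not in line:
            continue
        for chunk in COLUMN_SPLIT.split(line):
            key, _, value = chunk.partition(":")
            sessions[-1][key.strip()] = value.strip()
    return sessions

def admin_resets(syslog):
    """(user, public IP) pairs the ASA reports as disconnected with Reason: Administrator Reset."""
    resets = set()
    for line in syslog.splitlines():
        m = DISCONNECT.search(line)
        if m and m.group("reason") == "Administrator Reset":
            resets.add((m.group("user"), m.group("ip")))
    return resets

def unconfirmed_logoffs(sessions, syslog):
    """Indexes of sessions from the pre-logoff listing that the syslog never shows as reset."""
    resets = admin_resets(syslog)
    return [s["Index"] for s in sessions if (s["Username"], s["Public IP"]) not in resets]
```

Any index returned by unconfirmed_logoffs is a session worth re-checking with "show vpn-sessiondb index" before assuming the logoff took effect.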
