For Site-to-Site or remote-access IPsec VPN, the "clear crypto isakmp sa" and "clear crypto ipsec sa" commands can tear down an active session, but for AnyConnect and browser-based Clientless SSL VPN there is no equivalent clear command.
Instead, the ASA has a well-designed mechanism for managing its various kinds of VPN sessions, and as a by-product of that mechanism there is a very handy command: vpn-sessiondb logoff.
ciscoasa(config)# vpn-sessiondb logoff ?
exec mode commands/options:
all All sessions
email-proxy Email-Proxy sessions
index Index specific session
ipaddress IP Address specific sessions
l2l IPsec LAN-to-LAN sessions
name Username specific sessions
protocol Protocol specific sessions
remote IPsec Remote Access sessions
svc SSL VPN Client sessions
tunnel-group Tunnel-group sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
Besides selecting sessions by VPN type (l2l, remote, svc, webvpn, and so on), you can also disconnect sessions by username, as shown below.
%ASA-2-602303: IPSEC: An outbound remote access SA (SPI= 0x1F979001) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been created.
%ASA-2-602303: IPSEC: An inbound remote access SA (SPI= 0x63A92ED7) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been created.
ciscoasa(config)#
ciscoasa(config)# show vpn-sessiondb remote sort name
Session Type: IPsec
Username : cisco Index : 27
Assigned IP : 192.168.1.1 Public IP : 192.168.89.1
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : MD5 SHA1
Bytes Tx : 0 Bytes Rx : 2959
Group Policy : DfltGrpPolicy Tunnel Group : EZVPN
Login Time : 07:36:55 UTC Fri Jul 30 2010
Duration : 0h:00m:17s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# vpn-sessiondb logoff name cisco
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "cisco" logged off : 1
%ASA-4-113019: Group = EZVPN, Username = cisco, IP = 192.168.89.1, Session disconnected. Session Type: IPsec, Duration: 0h:00m:27s, Bytes xmt: 0, Bytes rcv: 2959, Reason: Administrator Reset
%ASA-2-602304: IPSEC: An inbound remote access SA (SPI= 0x63A92ED7) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been deleted.
%ASA-2-602304: IPSEC: An outbound remote access SA (SPI= 0x1F979001) between 192.168.89.100 and 192.168.89.1 (user= cisco) has been deleted.
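The session listing and the %ASA-4-113019 syslog above are the two artifacts an operator or a SIEM sees around a forced logoff. As an added example (not from the original post, and not Cisco code), the script below parses both formats, using constructed sample lines modelled on the output above, and picks out disconnects whose Reason is "Administrator Reset", which is what vpn-sessiondb logoff produces. The key vocabulary for the session listing is limited to the fields visible on this page.

```python
import re

# Constructed sample data modelled on the 'show vpn-sessiondb' output and syslog lines above.
SESSION_LISTING = """Session Type: IPsec
Username : cisco Index : 27
Assigned IP : 192.168.1.1 Public IP : 192.168.89.1
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5 SHA1
Group Policy : DfltGrpPolicy Tunnel Group : EZVPN
Login Time : 07:36:55 UTC Fri Jul 30 2010
"""
SYSLOG_LINES = [
    "%ASA-4-113019: Group = EZVPN, Username = cisco, IP = 192.168.89.1, Session disconnected. "
    "Session Type: IPsec, Duration: 0h:00m:27s, Bytes xmt: 0, Bytes rcv: 2959, Reason: Administrator Reset",
    "%ASA-4-113019: Group = EZVPN, Username = bob, IP = 192.168.89.2, Session disconnected. "
    "Session Type: IPsec, Duration: 1h:02m:09s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: User Requested",
]

# The listing packs two "Key : value" pairs per line, and values themselves may contain colons
# (times, durations), so a known-key vocabulary is used to find the field boundaries.
SESSION_KEYS = ("Username", "Index", "Assigned IP", "Public IP", "Protocol", "Encryption",
                "Hashing", "Group Policy", "Tunnel Group", "Login Time")
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in SESSION_KEYS) + r") : ")

def parse_session_listing(text):
    """Return {field: value} for one session block of 'show vpn-sessiondb' output."""
    fields = {}
    for line in text.splitlines():
        matches = list(KEY_RE.finditer(line))
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    return fields

DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<type>[^,]+), Duration: (?P<duration>[^,]+), "
    r"Bytes xmt: (?P<tx>\d+), Bytes rcv: (?P<rx>\d+), Reason: (?P<reason>.+)$")

def parse_disconnects(lines):
    """Parse %ASA-4-113019 session-disconnect messages into dicts; other lines are skipped."""
    events = []
    for line in lines:
        m = DISCONNECT_RE.match(line)
        if m:
            d = m.groupdict()
            d["tx"], d["rx"] = int(d["tx"]), int(d["rx"])
            events.append(d)
    return events

def admin_resets(lines):
    """Disconnects caused by 'vpn-sessiondb logoff' carry 'Reason: Administrator Reset'."""
    return [e for e in parse_disconnects(lines) if e["reason"] == "Administrator Reset"]
```

Feeding real syslog into admin_resets() gives an audit trail of who was forcibly logged off, which is worth alerting on when no change ticket explains it.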