Cisco Support Community
New Member

Disconnect a VPN Client user from a PIX running 6.2(2)?

Hi everyone. Is there an easy way to disconnect a remote VPN Client user who's terminating on a PIX running 6.2(2)?

I haven't seen an easy way to go about doing it. In our case, we give vendors temporary access to our network through the use of the VPN Client. One vendor in particular didn't disconnect their session after they finished, so I tried to manually close it from the PIX.

Our VPN Clients authenticate first to the vpngroup, and then xauth to a RADIUS server.

I had cleared the uauth information on the PIX for the login, changed the RADIUS password and cleared his IPSec associations. Yet they still managed to reconnect without any problems.

Next I changed the group password. Still they were able to reconnect. I even completely removed the vpngroup, yet they are still connected to our network.

Am I missing something here, or just going crazy?



New Member

Re: Disconnect a VPN Client user from a PIX running 6.2(2)?

You could manually clear the SAs using the clear crypto isakmp sa and clear crypto ipsec sa commands (though I don't think they'll help you much). By clearing the group itself, you cleared the group password which is the preshare key that is used in tunnel negotiation. There is no way that the tunnel could still be getting established. If I were you, I would definitely look at rebooting the system.

New Member

Re: Disconnect a VPN Client user from a PIX running 6.2(2)?

Unfortunately, 'clear isakmp sa' clears ALL isakmp associations. I have a lot of pix-to-pix connections on here as well and can't disconnect them while I'm trying to boot the one individual.

I had cleared out the IPSec sa associations that were set up for his IP Address, but he would re-establish the connection after 30 seconds or so.

Rebooting is also a non-option because of my offices connected through it.

Thanks for the input.
