topic Re: ASA Tunnel-Group | Client Address Pool in Network Security

ASA Tunnel-Group | Client Address Pool

zekebash — Tue, 25 Jan 2022 23:22:11 GMT

Hello,

I created two ip local pools (ip_pool_CorpUsr and ip_pool_GuestUsr) and specified the IP range for each pool. Secondly, I assigned ip_pool_CorpUsr to tunnel-group CorpUsers and ip_pool_GuestUsr to tunnel-group Guests. This configuration is working just fine in the production environment.

tunnel-groups:

- CorpUsers

- Guests

ip pools:

- ip_pool_CorpUsr

- ip_pool_GuestUsr

I was trying to modify the ip pool ranges, so I tired to test in the lab by assigning different ip pools between the tunnel-groups and encountered an issue.

Here is what I was trying to do:

- I added ip_pool_CorpUsr to the tunnel-group Guests

- I tried to remove this ip pool (ip_pool_CorpUsr) from the Guests tunnel-group, but, then, I received the following error message:

"ERROR: Address pool ip_pool_CorpUsr is in use.
ERROR: Some addresses in the pool are still in use by VPN,can't remove it."

I don't understand why I am receiving this error message if I was simply trying to remove an ip pool that is used by a different tunnel-group (CorpUsers) rom a tunnel-group (Guests) that's using a different ip pool (ip_pool_GuestUsr).

Any thoughts?

Thanks in advance.

Best, ~zK

Re: ASA Tunnel-Group | Client Address Pool

Udupi Krishna. — Wed, 26 Jan 2022 04:12:36 GMT

This is an expected behaviour if there are users utilising IP address from this pool even though its not the same tunnel group/group policy.

Only way is to force log off all the users and remove the configuration. This is documented on bug - CSCvn69188

Re: ASA Tunnel-Group | Client Address Pool

skhirbash — Thu, 27 Jan 2022 13:34:08 GMT

Thanks for the info. This is really helpful. I was wondering if there was a command to disconnect all the VPN active users without resorting to reloading the ASA. Is there such a command?

Thanks in advance.

Best, ~ zK

Re: ASA Tunnel-Group | Client Address Pool

Rob Ingram — Thu, 27 Jan 2022 13:38:37 GMT

@skhirbash you can use the "vpn-sessiondb logoff" command, just append any of the options below

> vpn-sessiondb logoff
all                     All sessions
anyconnect       AnyConnect sessions
index                 Index specific session
ipaddress        IP Address specific sessions
l2l IPsec            LAN-to-LAN sessions
name               Username specific sessions
protocol             Protocol specific sessions
ra-ikev1-ipsec   IKEv1 IPsec Remote Access sessions
ra-ikev2-ipsec   Generic IKEv2 IPsec Remote Access sessions
tunnel-group      Tunnel-group sessions
vpn-lb VPN        Load Balancing Mgmt sessions
webvpn              WebVPN sessions

If you want to logoff all users use the command "vpn-sessiondb logoff all"

Re: ASA Tunnel-Group | Client Address Pool

Mike.Cifelli — Fri, 28 Jan 2022 12:52:35 GMT

You also have the ability to log off VPN users in ASDM: Monitoring->VPN->VPN Statistics->Sessions: from here you have similar options