How to shut down ASA Site to Site VPN tunnel without removing it

rmorenobb
Level 1

How to shut down ASA Site to Site VPN tunnel without removing it?  I only want to temporarily shut down the VPN tunnel for testing on another firewall, since the peers have similar interesting traffic, but I don't want to remove the existing VPN tunnel, just shut down temporarily. 

 

This is an old ASA 5510 

crypto map XXCryptoMap 16 set peer 1.1.1.1 2.2.2.2
crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map XXCryptoMap 16 set nat-t-disable
 
I've read you can remove the ACL for it, but it doesn't seem to be working. 
 
asafirewall01# sh access-list OO_temp_XXCryptoMap16
access-list OO_temp_XXCryptoMap16; 2 elements; name hash: 0xe3fb223a (dynamic)
access-list OO_temp_XXCryptoMap16 line 1 extended permit ip host 10.0.1.2 host 1.1.1.1 (hitcnt=1815) 0x27ad149d
access-list OO_temp_XXCryptoMap16 line 2 extended permit ip host 10.0.1.3 host 2.2.2.2 (hitcnt=2) 0x1d4b9726
 
peer address: 1.1.1.1
Crypto map tag: XXCryptoMap, seq num: 16, local addr: 10.0.1.2
 
access-list OO_temp_XXCryptoMap16 extended permit ip host 10.0.1.2 host 1.1.1.1
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 1.1.1.1
 
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.:2.2.2.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 7ACD4800
current inbound spi : 72AF7097
 
inbound esp sas:
spi: 0x72AF7097 (1924100247)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap
sa timing: remaining key lifetime (kB/sec): (4374000/27260)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7ACD4800 (2060273664)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap
sa timing: remaining key lifetime (kB/sec): (4374000/27260)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
1 Accepted Solution

Accepted Solutions

Hi,
You could disable the crypto map on the outside interface. E.g - "no crypto map XXCryptoMap interface OUTSIDE" <- assuming OUTSIDE is the name of your outside interface. Of course, that would disable all VPN's on that interface, if you have any others?

HTH

10 Replies

Thanks!  Yah, that's not what I want to do, as I have two other active tunnels that I cannot bring down, I only want to bring down the one tunnel.

Ok. When you removed the ACL did you clear the SAs (assuming they were already active)?
How are you routing the traffic?...if no interesting traffic is even routed via that firewall the tunnel would not establish.

I got an error trying to remove the acls , said it was in use.  I'll have to try again tomorrow.

Remove the peer IP address, or even put a temporary deny on ISAKMP and ESP from a certain public IP, so the attempts to negotiate a tunnel from the remote end get denied by your ACL (put a specific deny above the rule that allows port 500 and ESP) and enable/disable it for testing purposes.

Please remember to rate useful posts, by clicking on the stars below.

Hello,

 

Change the pre-shared key

Remove the match statement from the crypto map. The ASA won't allow you to remove the ACL itself without removing all the references.

So if your crypto map is as below:

 

hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure
hostname(config)# crypto map abcmap interface outside

 

Do a "no crypto map abcmap 1 match address l2l_list" to remove the match entry from the crypto map. 

 

Hello,

 

An easier way out.

 

Disable the ACL by making it inactive. This way there will be no active traffic running through the tunnel and the tunnel will be down.

 

e.g. access-list ACL-VPN extended permit ip any any inactive

 

This will prevent unnecessary complexities and mistakes that may arise from removing and putting back your VPN parameters.

Hello,

You can simply remove just the set peer line and re-add it after the testing.

I did 

 

conf t

no crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
no crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
 
that took the tunnel down
 
and when I was done testing, I added the lines back to bring the tunnel back up
 
conf t
crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
 
So thank you!  It worked nicely.
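The thread ends up with three workable ways to take down a single crypto map entry without deleting it: drop the `set peer` line, drop the transform-set/ipsec-proposal lines (what the original poster did), or mark the crypto ACL inactive. Whichever you pick, the change is easy to get wrong under time pressure, so here is an added example (my own script, not code from this thread or from Cisco) that reads a running-config excerpt and prints the exact "disable" and "restore" command pairs for one map entry. The config excerpt is constructed to mirror the lines the poster showed. It assumes the ASA `clear crypto ipsec sa peer <ip>` syntax, and assumes that re-entering an ACE with the `inactive` keyword deactivates it in place and re-entering it without the keyword reactivates it; it also refuses the ACL strategy when the ACL is shared by another map entry, since deactivating it would take down more than one tunnel.

```python
"""Generate disable/restore command pairs for one ASA site-to-site crypto map entry.

Added example for the thread above; it is not a Cisco tool and sends nothing
to a device. It only parses a config excerpt and emits CLI lines to review.
"""
import re

# Constructed running-config excerpt, modelled on the poster's lines.
# Entry 10 and entry 20 deliberately share one ACL to exercise the safety check.
SAMPLE_CONFIG = """\
access-list OO_temp_XXCryptoMap16 extended permit ip host 10.0.1.2 host 1.1.1.1
access-list OO_temp_XXCryptoMap16 extended permit ip host 10.0.1.3 host 2.2.2.2
access-list OTHER_VPN extended permit ip 10.0.2.0 255.255.255.0 10.9.0.0 255.255.255.0
crypto map XXCryptoMap 10 match address OTHER_VPN
crypto map XXCryptoMap 10 set peer 3.3.3.3
crypto map XXCryptoMap 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 match address OO_temp_XXCryptoMap16
crypto map XXCryptoMap 16 set peer 1.1.1.1 2.2.2.2
crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map XXCryptoMap 16 set nat-t-disable
crypto map XXCryptoMap 20 match address OTHER_VPN
crypto map XXCryptoMap 20 set peer 4.4.4.4
crypto map XXCryptoMap interface outside
"""


def config_lines(config):
    """Non-empty config lines with trailing whitespace removed, in file order."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip()]


def crypto_map_entry(config, map_name, seq):
    """All lines belonging to one crypto map entry (map name + sequence number)."""
    prefix = f"crypto map {map_name} {seq} "
    return [ln for ln in config_lines(config) if ln.startswith(prefix)]


def match_acl_name(entry):
    """Name of the crypto ACL referenced by the entry's 'match address' line."""
    for ln in entry:
        m = re.search(r"\bmatch address (\S+)$", ln)
        if m:
            return m.group(1)
    return None


def acl_lines(config, acl_name):
    """Every ACE of the named access-list, in config order."""
    prefix = f"access-list {acl_name} "
    return [ln for ln in config_lines(config) if ln.startswith(prefix)]


def acl_references(config, acl_name):
    """How many crypto map entries use this ACL as their match address."""
    return sum(1 for ln in config_lines(config)
               if ln.startswith("crypto map ") and ln.endswith(f" match address {acl_name}"))


def peer_addresses(entry):
    """Peer IPs from the entry's 'set peer' line (an ASA entry may list several)."""
    for ln in entry:
        m = re.search(r"\bset peer (.+)$", ln)
        if m:
            return m.group(1).split()
    return []


def plan(config, map_name, seq, strategy):
    """Return (disable_commands, restore_commands) for one entry and strategy."""
    entry = crypto_map_entry(config, map_name, seq)
    if not entry:
        raise ValueError(f"no crypto map {map_name} {seq} in config")
    # Established SAs outlive a config change until cleared or expired, so every
    # plan clears the IPsec SAs for the entry's peers (assumed ASA syntax).
    clear = [f"clear crypto ipsec sa peer {p}" for p in peer_addresses(entry)]
    if strategy == "peer":
        target = [ln for ln in entry if " set peer " in ln]
    elif strategy == "transform":
        target = [ln for ln in entry
                  if " set ikev1 transform-set " in ln or " set ikev2 ipsec-proposal " in ln]
    elif strategy == "acl":
        acl = match_acl_name(entry)
        if acl is None:
            raise ValueError("entry has no match address line")
        if acl_references(config, acl) != 1:
            raise ValueError(f"{acl} is shared by another crypto map entry; use another strategy")
        aces = acl_lines(config, acl)
        # Assumed ASA behaviour: re-entering an ACE with 'inactive' deactivates it in
        # place; re-entering it without the keyword reactivates it.
        return [ace + " inactive" for ace in aces] + clear, list(aces)
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    if not target:
        raise ValueError(f"nothing to remove for strategy {strategy!r}")
    return [f"no {ln}" for ln in target] + clear, list(target)


if __name__ == "__main__":
    for label, cmds in zip(("disable", "restore"), plan(SAMPLE_CONFIG, "XXCryptoMap", 16, "transform")):
        print(f"! {label}")
        print("\n".join(cmds))
```

Run it and paste the "disable" block into `conf t` to take the one tunnel down, keep the "restore" block in the same change ticket, and confirm with `show crypto ipsec sa` that only that peer's SAs are gone. The shared-ACL refusal is the check most worth keeping: an ACL referenced by two map entries, marked inactive, silently drops both tunnels.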