10-16-2018 02:17 PM - edited 02-21-2020 08:21 AM
How to shut down ASA Site to Site VPN tunnel without removing it? I only want to temporarily shut down the VPN tunnel for testing on another firewall, since the peers have similar interesting traffic, but I don't want to remove the existing VPN tunnel, just shut down temporarily.
This is an old ASA 5510.
10-16-2018 02:28 PM
10-16-2018 02:33 PM
Thanks! Yeah, that's not what I want to do, as I have two other active tunnels that I cannot bring down; I only want to bring down the one tunnel.
10-16-2018 02:48 PM
10-16-2018 02:56 PM
I got an error trying to remove the ACLs; it said it was in use. I'll have to try again tomorrow.
10-16-2018 03:43 PM
Remove the peer IP address, or even put a temporary deny on ISAKMP and ESP from a certain public IP, so the attempts to negotiate a tunnel from the remote end get denied by your ACL (put a specific deny above the rule that allows port 500 and ESP), and enable/disable for testing purposes.
10-17-2018 04:39 AM
Hello,
Change the pre-shared key.
10-17-2018 05:25 AM
Remove the match statement from the crypto map. The ASA won't allow you to remove the ACL itself without removing all the references.
So if your crypto map is as below:
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure
hostname(config)# crypto map abcmap interface outside
Do a "no crypto map abcmap 1 match address l2l_list" to remove the match entry from the crypto map.
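As an added example (not from the thread or from Cisco), this Python sketch reads a saved running-config, finds the single crypto map entry for one peer, and produces the `no ... match address` command described above together with its rollback line, leaving the other tunnels' entries alone. The sample config, the second tunnel, `other_list` and the function name `plan_for_peer` are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config with two site-to-site tunnels.
SAMPLE_CONFIG = """\
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list other_list extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.4.108
crypto map abcmap 1 set ikev1 transform-set FirstSet
crypto map abcmap 2 match address other_list
crypto map abcmap 2 set peer 10.10.5.200
crypto map abcmap 2 set ikev1 transform-set FirstSet
crypto map abcmap interface outside
"""

# Only the two statements needed to tie a peer to its crypto ACL.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")

def plan_for_peer(config, peer_ip):
    """Return (disable, restore, shared) for the one crypto map entry whose
    'set peer' names peer_ip. 'shared' lists other entries using the same ACL."""
    entries = {}  # (map name, seq) -> {"match address": acl, "set peer": [ips]}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            name, seq, kind, value = m.groups()
            entry = entries.setdefault((name, int(seq)), {})
            entry[kind] = value.split() if kind == "set peer" else value.strip()
    hits = [(k, e) for k, e in entries.items() if peer_ip in e.get("set peer", [])]
    if len(hits) != 1:
        # Refuse to guess: zero or several entries means a human should look.
        raise ValueError(f"expected exactly one entry for {peer_ip}, found {len(hits)}")
    (name, seq), entry = hits[0]
    acl = entry.get("match address")
    if acl is None:
        raise ValueError(f"crypto map {name} {seq} has no match address (already disabled?)")
    shared = [k for k, e in entries.items()
              if e.get("match address") == acl and k != (name, seq)]
    cmd = f"crypto map {name} {seq} match address {acl}"
    return [f"no {cmd}"], [cmd], shared

if __name__ == "__main__":
    disable, restore, shared = plan_for_peer(SAMPLE_CONFIG, "10.10.4.108")
    print("disable:", disable, "\nrestore:", restore, "\nshared ACL users:", shared)
```

Keeping the restore line alongside the disable line means the test change can be rolled back with the exact ACL name that was removed.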
10-19-2018 06:33 AM
Hello,
An easier way out.
Disable the ACL by making it inactive. This way there will be no active traffic running through the tunnel and the tunnel will be down.
e.g. access-list ACL-VPN extended permit ip any any inactive
This will prevent unnecessary complexities and mistakes that may arise from removing and putting back your VPN parameters.
10-19-2018 07:47 AM
10-25-2018 09:01 AM
I did
conf t