ASA 8.2 vpn-filter for l2l connections

I have a vpn-filter set on my L2L policy. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have a vpn-filter acl in place on an existing L2L connection that works fine. The only issue is, when I make changes to the acl to add/remove access, I have to reload the entire tunnel before the changes take place.

My question is, is there a command to reload the access control without dropping the tunnel?

Cisco Employee

Re: ASA 8.2 vpn-filter for l2l connections

Hi Jeffrey,

By design, whenever any changes are made to the group-policy attributes (including vpn-filter, dns, wins ip, vpn-protocol, etc.), you have to reset the respective tunnel so that phase 2 negotiates with the newly added policies. The command to clear a specific tunnel is:

clear crypto ipsec sa peer

For further details on the command, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c3.html#wp2133652

So, to answer your query: no, there is no such command to reset the access control. Had there been any such command, you would still have to reset the tunnel to trigger the IPsec negotiations with the new group-policy parameters.

HTH...

Regards
Mohit

Mohit Paul, CCIE-Security 35496
P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
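The configuration the answer refers to, shown here as an added illustration that is not from the original thread: the vpn-filter ACL is attached to the group-policy that the L2L tunnel-group uses, and after the ACL is edited the peer's IPsec SAs are cleared so that phase 2 renegotiates with the updated policy. The peer address, networks, ACL and group names are assumed placeholders.

```cisco
! Added example (not from the thread); all addresses and names are placeholders.
! A vpn-filter ACL is evaluated against the decrypted inbound traffic: the source
! is the remote site's network and the destination is the local network. Outbound
! traffic is matched against the mirrored rule, so one line covers a TCP session.
access-list VPN-FILTER-SITEA extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list VPN-FILTER-SITEA extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! Anything not listed is dropped by the implicit deny at the end of the ACL.

group-policy SITEA-L2L internal
group-policy SITEA-L2L attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VPN-FILTER-SITEA

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITEA-L2L
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <placeholder-psk>

! After adding or removing ACL lines, the established tunnel keeps the policy it
! was built with. Clear only this peer's IPsec SAs (a bare "clear crypto ipsec sa"
! with no peer tears down every tunnel on the box) and let the peer rebuild it:
clear crypto ipsec sa peer 203.0.113.10

! Confirm the session came back and that the filter is applied to it:
show vpn-sessiondb detail l2l filter ipaddress 203.0.113.10
show crypto ipsec sa peer 203.0.113.10
```

The clear causes a short outage for that site only, so it belongs in a change window; the other L2L peers on the hub keep their tunnels.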
