ASA 8.2 vpn-filter for l2l connections

Jeffrey Warn
Level 1

I have a vpn-filter set on my L2L policy. The remote site uses a Cisco 1811 router and the main hub is a Cisco 5580. I already have a vpn-filter acl in place on an existing L2L connection that works fine. The only issue is, when I make changes to the acl to add/remove access, I have to reload the entire tunnel before the changes take place.

My question is: is there a command to reload the access control without dropping the tunnel?

Accepted Solution

mopaul
Cisco Employee

Hi Jeffrey,

By design, whenever any changes are made to the group-policy attributes (including vpn-filter, DNS/WINS IP, vpn-protocol, etc.), you have to reset the respective tunnel so that phase 2 negotiates with the newly added policies. The command to clear a specific tunnel is:

clear crypto ipsec sa peer

For further details on the command, please refer to the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c3.html#wp2133652

So, to answer your query: no, there is no such command to reset the access control. Had there been such a command, you would still have to reset the tunnel to trigger the IPsec negotiation with the new group-policy parameters.

HTH...

Regards
Mohit

Mohit Paul, CCIE Security #35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
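As an added illustration of the workflow Mohit describes (this is not configuration from the original thread or from Cisco), the following ASA 8.2 hub-side snippet ties a vpn-filter ACL to the group-policy of an L2L tunnel-group, then shows an ACL change followed by the per-peer clear that makes it take effect. All names and addresses (BRANCH-VPN-FILTER, BRANCH-GP, 10.1.0.0/24, 10.2.0.0/24, 203.0.113.1) are constructed placeholders.

```cisco
! Added example, not from the original thread. Constructed topology:
!   hub LAN 10.1.0.0/24 (this ASA), branch LAN 10.2.0.0/24 behind peer 203.0.113.1
!
! A vpn-filter ACL is always evaluated with the REMOTE side as the source and the
! LOCAL side as the destination, whichever direction the packet travels, so write
! it from the branch's point of view. Here the branch may only reach the hub's
! HTTPS service and one DNS server; everything else through the tunnel is denied.
access-list BRANCH-VPN-FILTER extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list BRANCH-VPN-FILTER extended permit udp 10.2.0.0 255.255.255.0 host 10.1.0.53 eq 53

group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-tunnel-protocol ipsec
 vpn-filter value BRANCH-VPN-FILTER

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy BRANCH-GP
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! --- Later: tighten the filter, e.g. withdraw the DNS permission ---
no access-list BRANCH-VPN-FILTER extended permit udp 10.2.0.0 255.255.255.0 host 10.1.0.53 eq 53

! The established SA still carries the group-policy attributes it was built with.
! Clear only this peer's IPsec (phase 2) SAs; the ISAKMP SA and every other L2L
! tunnel on the hub stay up. Phase 2 re-negotiates on the next interesting packet.
clear crypto ipsec sa peer 203.0.113.1

! Verify the tunnel is back and the session shows the filter name you expect.
show crypto ipsec sa peer 203.0.113.1
show vpn-sessiondb detail l2l filter ipaddress 203.0.113.1
```

Because the ACL is stateful on the ASA, permitting the branch-to-hub connection is enough for the return traffic; you do not need mirror entries. The practical cost of the clear is a few seconds of outage for that one peer while phase 2 is rebuilt, which is why it is worth batching ACL edits and applying them in a maintenance window rather than clearing after every single change.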
