What is the recommended way to decommission the VPN tunnel of a branch?

DaeHeon Kang



I am looking for the best way to decommission the VPN tunnel of a closed branch.

The VPN is set up using a dynamic crypto map on the DC site.

Each branch site is assigned a /24 subnet for its LAN.

ex> Branch_1(, Branch_2(, Branch_3(, Branch_4(

The branch subnets are grouped into the ACL that defines the VPN interesting traffic in the DC-site VPN setup.

ex> ip access-list branch-vpn 

         permit ip

I need to decommission the VPN tunnels to some closed branches on the DC site.

I was thinking of modifying the branch-vpn ACL to do this (adding an earlier deny ip 0.0.255 [closed branch subnet] before permit ip

Will it be OK?


Is there any better, recommended way to do this?




4 Replies

Rob Ingram
VIP Expert

@DaeHeon Kang 

If you are de-commissioning the branch, why can you not just unconfigure the VPN on the branch router/ASA? The VPN would never attempt to establish.


On the DC router/ASA, you could change the Pre-Shared Key of the Branch that has been de-commissioned.

Hi Rob,


This decommissioning job requires both sides (branch and DC).

@DaeHeon Kang 

You said you've got a dynamic crypto map at the DC, in this instance only the spoke (branch) can initiate a tunnel. Never the other way around. So by decommissioning the branch, the hub won't attempt to build a tunnel. If you use unique PSK per branch spoke, then remove this from the hub.
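A hub-side (DC) IOS configuration sketch that combines the two approaches discussed in this thread, the pre-shared-key removal recommended above and the ACL change from the question. This is an added example, not configuration from either poster; every address, subnet and key value in it is a constructed placeholder (DC LAN 192.168.100.0/24, branch LANs aggregated as 10.0.0.0/8, closed Branch_3 LAN 10.3.0.0/24 with WAN address 203.0.113.30).

```cisco
! DC hub, Cisco IOS. All addresses and the key below are constructed placeholders.
configure terminal
!
! Step 1 (the approach recommended in the replies): remove the closed branch's
! pre-shared key on the hub. With a dynamic crypto map only the spoke initiates;
! without a matching key the hub can never complete IKE phase 1 for this peer,
! so the tunnel cannot come back even if the old branch router is powered on
! before it has been wiped. This only works as intended with a unique PSK per
! branch; a shared wildcard key (address 0.0.0.0) must not be removed this way.
 no crypto isakmp key BRANCH3-KEY-PLACEHOLDER address 203.0.113.30
!
! Step 2 (the approach proposed in the question): stop matching the closed
! subnet in the interesting-traffic ACL. The deny must sit above the broader
! permit so it is evaluated first.
! Caveat: in a crypto ACL "deny" means "do not protect this traffic", not
! "drop it". It stops the hub agreeing to an IPsec SA for that subnet pair,
! but it is not a firewall rule, so it complements step 1 rather than
! replacing it.
 ip access-list extended branch-vpn
  deny   ip 192.168.100.0 0.0.0.255 10.3.0.0 0.0.0.255
  permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.255.255.255
 exit
!
! Step 3: also remove any static route that still points the closed subnet at
! the tunnel, so traffic to it is not forwarded in the clear once the crypto
! ACL no longer protects it (next hop is a placeholder).
 no ip route 10.3.0.0 255.255.255.0 NEXT-HOP-PLACEHOLDER
end
!
! Step 4: tear down any SA that is still up for the closed peer, then verify
! that nothing re-establishes. Both commands should return no entry for
! 203.0.113.30 afterwards.
clear crypto session remote 203.0.113.30
show crypto isakmp sa
show crypto session remote 203.0.113.30
```

Keep the decommissioned peer's WAN address in an IKE/IPsec monitoring watch list for a while: a renewed phase 1 attempt from it after step 1 indicates equipment that was not wiped or a reused address.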

@Rob Ingram 

What if I modify the ACL as I mentioned in my post?

Would it work?
