Chapter 38
Configuring AnyConnect VPN Client Connections
Configuring Advanced SSL VPN Features
The following section describes advanced features that fine-tune SSL VPN connections, and includes
the following sections:
• Enabling Rekey, page 38-13
• Enabling and Adjusting Dead Peer Detection, page 38-13
• Enabling Keepalive, page 38-14
• Using Compression, page 38-15
• Adjusting MTU Size, page 38-15
• Viewing SSL VPN Sessions, page 38-16
• Logging Off SVC Sessions, page 38-16
• Updating SSL VPN Client Images, page 38-17
Enabling Rekey
When the security appliance and the SSL VPN client perform a rekey, they renegotiate the crypto keys
and initialization vectors, increasing the security of the connection.
To enable the client to perform a rekey on an SSL VPN connection for a specific group or user, use the
svc rekey command from group-policy and username webvpn modes:
[no] svc rekey {method {new-tunnel | none | ssl} | time minutes}
method new-tunnel specifies that the client establishes a new tunnel during rekey.
method none disables rekey.
method ssl specifies that SSL renegotiation takes place during rekey.
time minutes specifies the number of minutes from the start of the session, or from the last rekey, until
the rekey takes place, from 1 to 10080 (1 week).
In the following example, the client is configured to renegotiate with SSL during rekey, which takes
place 30 minutes after the session begins, for the existing group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc rekey method ssl
hostname(config-group-policy)# svc rekey time 30
Enabling and Adjusting Dead Peer Detection
Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect
a condition where the peer is not responding and the connection has failed.
To enable DPD on the security appliance or client for a specific group or user, and to set the frequency
with which either the security appliance or client performs DPD, use the svc dpd-interval command
from group-policy or username webvpn mode:
svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
Where:
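As an added example that is not part of this guide, the following Python script audits the rekey and DPD settings described in the two sections above, using only the svc rekey and svc dpd-interval syntax given: it parses a constructed running-config excerpt (the group-policy names are made up) and flags any policy where rekey is disabled, the rekey time falls outside 1 to 10080 minutes, or DPD is set to none or left unconfigured for the gateway or client side. Treating an unset rekey method as disabled is an assumption of the script, not a statement from the guide.

```python
"""Added example (not from the Cisco guide): audit svc rekey / svc dpd-interval per group-policy."""
import re
REKEY_RE = re.compile(r"^\s*svc rekey (?:method (new-tunnel|none|ssl)|time (\d+))\s*$")
DPD_RE = re.compile(r"^\s*svc dpd-interval (gateway|client) (\d+|none)\s*$")
POLICY_RE = re.compile(r"^group-policy (\S+) attributes\s*$")

SAMPLE_CONFIG = """\
group-policy sales attributes
 webvpn
  svc rekey method ssl
  svc rekey time 30
  svc dpd-interval gateway 30
  svc dpd-interval client 30
group-policy contractors attributes
 webvpn
  svc rekey method none
  svc rekey time 20000
  svc dpd-interval gateway none
"""  # constructed sample excerpt; the policy names are made up

def parse_policies(config):
    """Map each group-policy name to its rekey method/time and DPD gateway/client values."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = policies.setdefault(m.group(1), {})
        elif current is not None and (m := REKEY_RE.match(line)):
            if m.group(1):
                current["method"] = m.group(1)
            else:
                current["time"] = int(m.group(2))
        elif current is not None and (m := DPD_RE.match(line)):
            current[m.group(1)] = None if m.group(2) == "none" else int(m.group(2))
    return policies

def audit(config):
    """Return {policy: [finding, ...]}; an empty list means the policy passed."""
    findings = {}
    for name, attrs in parse_policies(config).items():
        issues = []
        if attrs.get("method", "none") == "none":  # assumption: unset method == no rekey
            issues.append("rekey disabled (method none or unset)")
        t = attrs.get("time")
        if t is not None and not 1 <= t <= 10080:  # range stated in the guide
            issues.append(f"rekey time {t} outside 1-10080 minutes")
        for side in ("gateway", "client"):
            if attrs.get(side) is None:  # 'none' or not configured at all
                issues.append(f"DPD not enabled for {side}")
        findings[name] = issues
    return findings
```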
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
38-13