Waiting For Active Sessions To Terminate Before Rebooting - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 27
Configuring IPSec and ISAKMP

Waiting for Active Sessions to Terminate Before Rebooting

You can schedule a security appliance reboot to occur only when all active sessions have terminated voluntarily. This feature is disabled by default.

To enable waiting for all active sessions to voluntarily terminate before the security appliance reboots, enter the following command:

crypto isakmp reload-wait

For example:

hostname(config)# crypto isakmp reload-wait

Use the reload command to reboot the security appliance. If you set the reload-wait command, you can use the reload quick command to override the reload-wait setting. The reload and reload-wait commands are available in privileged EXEC mode; neither includes the isakmp prefix.
Alerting Peers Before Disconnecting

Remote access or LAN-to-LAN sessions can drop for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.

The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane. This feature is disabled by default.

Qualified clients and peers include the following:

- Security appliances with Alerts enabled.
- Cisco VPN clients running version 4.0 or later software (no configuration required).
- VPN 3002 hardware clients running version 4.0 or later software, and with Alerts enabled.
- VPN 3000 series concentrators running version 4.0 or later software, with Alerts enabled.

To enable disconnect notification to IPSec peers, enter the crypto isakmp disconnect-notify command.

For example:

hostname(config)# crypto isakmp disconnect-notify

Configuring Certificate Group Matching

Tunnel groups define user connection terms and permissions. Certificate group matching lets you match a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate.

To match users to tunnel groups based on these fields of the certificate, you must first create rules that define matching criteria, and then associate each rule with the desired tunnel group.

To create a certificate map, use the crypto ca certificate map command. To define a tunnel group, use the tunnel-group command.

You must also configure a certificate group matching policy that sets one of the following methods for identifying the permission groups of certificate users:

- Match the group from the rules

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
27-9
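One way to carry the certificate group matching procedure above through on an appliance, as an added example that is not from the guide: two tunnel groups, a certificate map whose rules test the Subject DN and Issuer DN of the user certificate, and the matching policy set to use those rules. The map name CORP-MAP, the tunnel-group names and the DN attribute values are constructed placeholders, and the form of the tunnel-group-map association lines (map name, rule index, tunnel group) is assumed from later ASA releases.

```cisco
! Added example, not from the guide. Names and DN values are constructed placeholders.
!
! Step 1: tunnel groups that certificate group matching can select between.
tunnel-group ENG-TG type remote-access
tunnel-group RESTRICTED-TG type remote-access
!
! Step 2: certificate map rules. Entries are tested in sequence-number order and the
! first entry whose criteria all match wins; within one entry every line must match.
crypto ca certificate map CORP-MAP 10
 ! Subject DN must carry OU=Engineering ...
 subject-name attr ou eq Engineering
 ! ... and the certificate must come from the corporate issuing CA (Issuer DN check).
 issuer-name attr cn eq Corp-Issuing-CA
crypto ca certificate map CORP-MAP 20
 ! Any other certificate from that CA still connects, but only into the restricted group.
 issuer-name attr cn eq Corp-Issuing-CA
!
! Step 3: matching policy "match the group from the rules", then tie each rule to a group.
tunnel-group-map enable rules
tunnel-group-map CORP-MAP 10 ENG-TG
tunnel-group-map CORP-MAP 20 RESTRICTED-TG
! Certificates that match no rule fall back to the restricted group rather than the
! appliance's built-in default tunnel group.
tunnel-group-map default-group RESTRICTED-TG
```

Check the exact tunnel-group-map and certificate map syntax against the command reference for the software release in use, since it changed between releases.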

This manual is also suitable for: PIX 500 series, Cisco ASA 5500 series.
