Cisco ASA Series Configuration Manual page 100

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Guidelines for Cisco TrustSec
Example:
hostname(config)# cts sxp default password 8 IDFW-TrustSec-99
Configuring an encryption level for the password is optional. If you configure an encryption level, you
can only set one level:
Level 0—unencrypted cleartext
Level 8—encrypted text
The password argument specifies an encrypted string of up to 162 characters or an ASCII key string up
to 80 characters.
Step 4
Specify the default time interval between ASA attempts to set up new SXP connections between SXP
peers.
cts sxp retry period timervalue
Example:
hostname(config)# cts sxp retry period 60
The ASA continues to make connection attempts until a successful connection is made. The retry timer
is triggered as long as there is one SXP connection on the ASA that is not up.
The timervalue argument ranges from 0 to 64000 seconds. The default is 120 seconds. If you specify 0
seconds, the timer never expires and the ASA does not try to connect to SXP peers.
When the retry timer expires, the ASA goes through the connection database and if the database contains
any connections that are off or in a "pending on" state, the ASA restarts the retry timer.
We recommend that you configure the retry timer to a different value from its SXP peer devices.
Step 5
Specify the value of the default reconcile timer.
cts sxp reconciliation period timervalue
Example:
hostname(config)# cts sxp reconciliation period 60
After an SXP peer terminates its SXP connection, the ASA starts a hold-down timer.
If an SXP peer connects while the hold-down timer is running, the ASA starts the reconcile timer; then
the ASA updates the SXP mapping database to learn the latest mapping.
When the reconcile timer expires, the ASA scans the SXP mapping database to identify stale mapping
entries (which were learned in a previous connection session). The ASA marks these connections as
obsolete. When the reconcile timer expires, the ASA removes the obsolete entries from the SXP mapping
database.
The timervalue argument ranges from 1 to 64000 seconds. The default is 120 seconds.
You cannot specify 0 seconds for the timer, because this value prevents the reconcile timer from starting.
Not allowing the reconcile timer to run would keep stale entries for an undefined time and cause
unexpected results from policy enforcement.
Examples
The following example shows how to set default values for SXP:
hostname(config)# cts sxp enable
hostname(config)# cts sxp default source-ip 192.168.1.100
hostname(config)# cts sxp default password 8 ********
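As an added example, not taken from the Cisco guide, the following Python check reads the cts sxp lines of an ASA configuration and flags the settings this section warns about: a retry period of 0, a retry timer equal to a peer's, a reconciliation period outside 1 to 64000 seconds, and a default password stored with level 0 (cleartext). The function names, the sample configuration, and the treatment of a password given without an explicit level as cleartext are assumptions.

```python
import re
# Limits stated on this page: retry 0-64000 s (0 disables connection attempts),
# reconciliation 1-64000 s, both default 120 s; password level 0 = cleartext, 8 = encrypted.
DEFAULT_PERIOD = 120

def parse_sxp(config_text):
    """Collect the 'cts sxp' settings from an ASA running-config."""
    s = {"enabled": False, "retry": DEFAULT_PERIOD,
         "reconcile": DEFAULT_PERIOD, "password_level": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "cts sxp enable":
            s["enabled"] = True
        elif m := re.fullmatch(r"cts sxp retry period (\d+)", line):
            s["retry"] = int(m.group(1))
        elif m := re.fullmatch(r"cts sxp reconciliation period (\d+)", line):
            s["reconcile"] = int(m.group(1))
        elif m := re.fullmatch(r"cts sxp default password (?:(0|8) )?\S+", line):
            # Assumption: a password given without a level is stored cleartext.
            s["password_level"] = int(m.group(1) or 0)
    return s

def audit_sxp(config_text, peer_retry_periods=()):
    """Return findings; peer_retry_periods holds the retry timers of SXP peers."""
    s = parse_sxp(config_text)
    findings = []
    if not s["enabled"]:
        findings.append("SXP is not enabled")
    if s["retry"] == 0:
        findings.append("retry period 0: the ASA never tries to connect to SXP peers")
    elif s["retry"] > 64000:
        findings.append(f"retry period {s['retry']} exceeds 64000")
    if s["retry"] in peer_retry_periods:
        findings.append(f"retry period {s['retry']} matches a peer's retry timer")
    if not 1 <= s["reconcile"] <= 64000:
        findings.append(f"reconciliation period {s['reconcile']} outside 1-64000")
    if s["password_level"] is None:
        findings.append("no default SXP password configured")
    elif s["password_level"] == 0:
        findings.append("default SXP password stored as cleartext (level 0)")
    return findings

# Constructed sample config (not from the guide) with two deliberate issues.
SAMPLE_CONFIG = """\
cts sxp enable
cts sxp default source-ip 192.168.1.100
cts sxp default password 0 IDFW-TrustSec-99
cts sxp retry period 0
cts sxp reconciliation period 60
"""
```

Running `audit_sxp(SAMPLE_CONFIG, peer_retry_periods=(120,))` reports the disabled retry timer and the cleartext password; a config that omits the timers is audited against the 120-second defaults.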
Cisco ASA Series Firewall CLI Configuration Guide
6-18
Chapter 6
ASA and Cisco TrustSec