Table of Contents
Advertisement
SSG Autologoff
SSG Autologoff
The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status
of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG
automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of
hosts: ARP ping and ICMP ping.
ARP ping
When autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table
entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a
configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any
data traffic to or from the host occurred during the interval, SSG does not ping the host because the
reachability of the host during that interval was established by the data traffic. ARP ping works in
deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface
such as an Ethernet interface or through a bridged interface such as an RBE interface.
ICMP ping
When SSG autologoff is configured to use ICMP ping, SSG pings the host to check connectivity until
an ICMP response is obtained or the allowable number of tries is used up. If all the tries are used up and
the ping was unsuccessful, then SSG initiates logoff for that host. SSG uses ICMP ping one time at each
configured interval. If data traffic to or from the host is found during the interval, SSG does not ping the
host because reachability was established by the data traffic. ICMP ping works in all types of deployment
scenarios and supports overlapping IP users.
Restrictions for SSG Autologoff
The SSG Autologoff feature has the following restrictions:
•
•
•
•
•
•
Configuration of SSG Autologoff
To configure the SSG Autologoff feature, use the ssg auto-logoff command in global configuration
mode. For more information, refer to the
Cisco 10000 Series Router Service Selection Gateway Configuration Guide
3-2
Use only one method of SSG autologoff at a time: ARP ping or ICMP ping.
Use ARP ping only in deployment scenarios in which all hosts are directly connected to the SSG
through a broadcast interface such as an Ethernet interface or through a bridged interface such as an
RBE interface. ICMP ping works in all types of deployment scenarios.
ARP ping works only on hosts that have a MAC address.
ARP ping does not support overlapping IP addresses.
SSG autologoff that uses ARP ping does not work for hosts with static ARP entries.
If you configure both the idle timers and ICMP-based autologoff, you must set the autologoff
interval to a value that is at least twice as long as the idle timeout interval. Otherwise, the
ICMP messages reset the idle timer and the user is only logged out if the user does not respond to
the ICMP ping.
SSG Autologoff, Release 12.2(4)B feature
Chapter 3
SSG Logon and Logoff
module.
OL-4387-02
Advertisement
Table of Contents
