6-7
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
Chapter 6 Configuring AnyConnect Features Using CLI
Configuring, Enabling, and Using Other AnyConnect Features
[no] svc rekey {method {new-tunnel | none | ssl} | time minutes}
method new-tunnel specif
ies that the client establishes a new tunnel during rekey.
method none disabl
es rekey.
method ssl sp
ecifies that SSL renegotiation takes place during rekey.
time min
utes specifies the number of minutes from the start of the session or from the last rekey until
the next rekey takes place, from 1 to 10080 (1 week).
In the following example, the client is configured t
o renegotiate with SSL during rekey, which takes
place 30 minutes after the session begins, for the existing group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# web
vpn
hostname(config-group-policy)# svc
rekey method ssl
hostname(config-group-policy)# svc
rekey time 30
Note The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore,
treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type
(CSC93610).
Enabling and Adjusting Dead Peer Detection
Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect
a condition where the peer is not responding, and the connection has failed.
Note When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be
enabled in the group policy on the ASA to allow the AnyConnect client to fall back to TLS, if necessary.
Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the
DPD mechanism is necessary for fallback to occur.
To enable DPD on the security appliance or client for a specific group or user, and to set the frequency
with which either the security appliance or client performs DPD, use the svc dpd-interval command
from group-policy or username webvpn mode:
svc dpd-interval {[ga
teway {seconds | none}] | [client {seconds | none}]}
no svc dpd-interval {[ga
teway {seconds | none}] | [client {seconds | none}]}
Where:
gateway sec
onds enables DPD performed by the security appliance (gateway) and specifies the
frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD.
gateway none disa
bles DPD performed by the security appliance.
client s
econds enable DPD performed by the client, and specifies the frequency, from 30 to 3600
seconds, with which the client performs DPD.
client none disabl
es DPD performed by the client.
To remove the svc dpd-i
nterval command from the configuration, use the no form of the command:
The following example sets the frequency of DPD performed by the security appliance to 30 seconds,
and
the frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales:
hostname(config)# group-policy sales attributes
To Next Page
Loading...
Need help?
General