Webvpn Tunnel-Group Connection Parameters - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Tunnel Groups

Cisco VPN 3000 Client (Release 2.x)
Cisco VPN 3002 Hardware Client
Cisco VPN 3000 Series Concentrators
Cisco IOS software
Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and
others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that
do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time
out, so we recommend that you keep your idle timeout short. To change your idle timeout, see
"Configuring Group Policies" section on page 30-33.

Note
To reduce connectivity costs, disable IKE keepalives if this group includes any clients
connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalive
mechanism prevents connections from idling and therefore from disconnecting.
If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys
expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it
does when IKE keepalives are enabled.

Note
If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers
have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or
both peers must have it disabled.

If you configure authentication using digital certificates, you can specify whether to send the entire
certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the
issuing certificates (including the root certificate and any subordinate CA certificates).

You can notify users who are using outdated versions of Windows client software that they need to
update their client, and you can provide a mechanism for them to get the updated client version. For
VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change
the client-update, either for all tunnel groups or for particular tunnel groups.

If you configure authentication using digital certificates, you can specify the name of the trustpoint
that identifies the certificate to send to the IKE peer.

WebVPN Tunnel-Group Connection Parameters

The following attributes are specific to WebVPN connections:

The authentication method, either AAA or certificate.

The name of the customization to apply. Customizations determine the appearance of the windows
that the user sees upon login. You configure the customization parameters as part of configuring
WebVPN.

The DNS server-group name. The DNS server group specifies the DNS server name, domain name,
name server, number of retries, and timeout values for a DNS server to use for a tunnel group.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01
Chapter 30: Configuring Tunnel Groups, Group Policies, and Users, page 30-4
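
The recommendation above to keep the idle timeout short when IKE keepalives are disabled can be checked against a saved configuration. The following Python script is an added example, not part of the Cisco guide; the sample configuration is constructed, and the 30-minute threshold for a "short" idle timeout is an assumption.

```python
import re

MAX_IDLE_MINUTES = 30  # assumed site threshold for a "short" idle timeout

# Constructed sample configuration, not taken from the guide.
SAMPLE = """\
group-policy RA-Policy attributes
 vpn-idle-timeout 240
group-policy Kiosk-Policy attributes
 vpn-idle-timeout 10
tunnel-group RemoteUsers general-attributes
 default-group-policy RA-Policy
tunnel-group RemoteUsers ipsec-attributes
 isakmp keepalive disable
tunnel-group Kiosks general-attributes
 default-group-policy Kiosk-Policy
tunnel-group Kiosks ipsec-attributes
 isakmp keepalive disable
tunnel-group Branch ipsec-attributes
 isakmp keepalive threshold 15 retry 10
"""

def audit_keepalives(config, max_idle=MAX_IDLE_MINUTES):
    """Map each tunnel group with keepalives disabled and no short idle timeout to a reason."""
    idle, policy_of, disabled = {}, {}, set()
    section = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # top-level line opens a new config section
            m = re.match(r"(group-policy|tunnel-group) (\S+) ", line)
            section = m.groups() if m else None
        elif section and section[0] == "group-policy" and words[0] == "vpn-idle-timeout":
            idle[section[1]] = None if words[1] == "none" else int(words[1])
        elif section and section[0] == "tunnel-group":
            if words[0] == "default-group-policy":
                policy_of[section[1]] = words[1]
            elif words[:3] == ["isakmp", "keepalive", "disable"]:
                disabled.add(section[1])
    findings = {}
    for group in sorted(disabled):
        policy = policy_of.get(group)
        # "unset" means the timeout is inherited and not visible here; flag it for review.
        timeout = idle.get(policy, "unset")
        if timeout in (None, "unset") or timeout > max_idle:
            findings[group] = f"idle timeout {timeout} via group policy {policy}"
    return findings
```

Call audit_keepalives() on the text of a saved configuration; each key in the result is a tunnel group whose unresponsive peers can stay connected longer than the chosen threshold.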


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
