Cisco ASA Series CLI Configuration Manual page 1566

Software version 9.0 for the services module

To enable IPsec over TCP for IKEv1 globally on the ASA, enter the following command in either
single or multiple context mode:
crypto ikev1 ipsec-over-tcp [port port1...port10]
This example enables IPsec over TCP on port 45:
hostname(config)# crypto ikev1 ipsec-over-tcp port 45
Waiting for Active Sessions to Terminate Before Rebooting
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
To enable waiting for all active sessions to voluntarily terminate before the ASA reboots, perform the
following site-to-site task in either single or multiple context mode:
crypto isakmp reload-wait
For example:
hostname(config)# crypto isakmp reload-wait
Use the reload command to reboot the ASA. If you set the reload-wait command, you can use the
reload quick command to override the reload-wait setting. The reload and reload-wait commands are
available in privileged EXEC mode; neither includes the isakmp prefix.
Alerting Peers Before Disconnecting
Remote access or LAN-to-LAN sessions can drop for several reasons, such as an ASA shutdown or
reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
The ASA can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients, and VPN 3002
hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert
decodes the reason and displays it in the event log or in a pop-up pane. This feature is disabled by default.
Qualified clients and peers include the following:
- Security appliances with Alerts enabled
- Cisco VPN clients running Version 4.0 or later software (no configuration required)
- VPN 3002 hardware clients running Version 4.0 or later software, with Alerts enabled
- VPN 3000 series concentrators running Version 4.0 or later software with Alerts enabled
To enable disconnect notification to IPsec peers, enter the crypto isakmp disconnect-notify command
in either single or multiple context mode.
For example:
hostname(config)# crypto isakmp disconnect-notify
Configuring Certificate Group Matching for IKEv1
Tunnel groups define user connection terms and permissions. Certificate group matching lets you match
a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate.
Cisco ASA Series CLI Configuration Guide
Chapter 1
Configuring IPsec and ISAKMP
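The following is an added example, not part of the Cisco guide: a Python audit that reads running-config text and reports the state of the three global settings covered on this page (IPsec over TCP ports, reload-wait, disconnect-notify). The sample configuration, the function name, the default port of 10000, and the well-known-port heuristic are assumptions of this example.

```python
import re

# Constructed sample of ASA running-config lines (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-lab
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 45 443
crypto isakmp disconnect-notify
"""

# Assumption: running-config stores the command as entered on this page,
# with an optional space-separated port list after the "port" keyword.
TCP_RE = re.compile(r"^crypto ikev1 ipsec-over-tcp(?:\s+port((?:\s+\d+)+))?$")
DEFAULT_PORT = 10000  # assumption: port used when no port list is given


def audit_isakmp_globals(config_text):
    """Report the state of the three global settings and review findings."""
    state = {"ipsec_over_tcp_ports": [], "reload_wait": False,
             "disconnect_notify": False, "findings": []}
    for raw in config_text.splitlines():
        line = raw.strip()  # lines starting with "no " never match below
        match = TCP_RE.match(line)
        if match:
            listed = [int(p) for p in (match.group(1) or "").split()]
            state["ipsec_over_tcp_ports"] += listed or [DEFAULT_PORT]
        elif line == "crypto isakmp reload-wait":
            state["reload_wait"] = True
        elif line == "crypto isakmp disconnect-notify":
            state["disconnect_notify"] = True

    for port in state["ipsec_over_tcp_ports"]:
        if not 1 <= port <= 65535:
            state["findings"].append(f"tcp/{port}: not a valid TCP port")
        elif port < 1024:
            # Heuristic of this example: well-known ports may collide with
            # other services on the same interface, so flag them for review.
            state["findings"].append(f"tcp/{port}: well-known port, check for conflicts")
    if not state["reload_wait"]:
        state["findings"].append("reload-wait off: a reload will not wait for active sessions")
    if not state["disconnect_notify"]:
        state["findings"].append("disconnect-notify off: peers get no disconnect reason")
    return state


if __name__ == "__main__":
    report = audit_isakmp_globals(SAMPLE_CONFIG)
    print("IPsec over TCP listeners:", report["ipsec_over_tcp_ports"])
    for finding in report["findings"]:
        print("REVIEW:", finding)
```

Each port the audit lists is a TCP listener the ASA exposes for IKEv1, so the output can be compared against the interface ACLs and upstream firewall rules that are expected to permit it.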
