Cisco ASA Series Command Reference, I - R Commands
l2tp tunnel hello -- log-adjacency-changes
Downloads: This chapterpdf (PDF - 536.0KB) The complete bookPDF (PDF - 8.41MB) | Feedback

Table of Contents

l2tp tunnel hello through log-adjacency-changes Commands

l2tp tunnel hello

lacp max-bundle

lacp port-priority

lacp system-priority

ldap attribute-map

ldap-attribute-map

ldap-base-dn

ldap-defaults

ldap-dn

ldap-group-base-dn

ldap-login-dn

ldap-login-password

ldap-naming-attribute

ldap-over-ssl

ldap-scope

leap-bypass

license

license-server address

license-server backup address

license-server backup backup-id

license-server backup enable

license-server enable

license-server port

license-server refresh-interval

license-server secret

license smart

license smart deregister

license smart register

license smart renew

lifetime (ca server mode)

lifetime (ikev2 policy mode)

limit-resource

lmfactor

local-unit

log

log-adj-changes (OSPFv2)

log-adjacency-changes (OSPFv3)

l2tp tunnel hello through log-adjacency-changes Commands

l2tp tunnel hello

To specify the interval between hello messages on L2TP over IPsec connections, use the l2tp tunnel hello command in global configuration mode. To reset the interval to the default, use the no form of the command:

l2tp tunnel hello interval

no l2tp tunnel hello interval

 
Syntax Description

interval

Interval between hello messages in seconds. The Default is 60 seconds. The range is 10 to 300 seconds.

 
Defaults

The default is 60 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

The l2tp tunnel hello command enables the ASA to detect problems with the physical layer of the L2TP connection. The default is 60 secs. If you configure it to a lower value, connections that are experiencing problems are disconnected earlier.

Examples

The following example configures the interval between hello messages to 30 seconds:

ciscoasa(config)# l2tp tunnel hello 30

 
Related Commands

Command
Description

show vpn-sessiondb detail remote filter protocol L2TPOverIPsec

Displays the details of L2TP connections.

vpn-tunnel-protocol l2tp-ipsec

Enables L2TP as a tunneling protocol for a specific tunnel group.

lacp max-bundle

To specify the maximum number of active interfaces allowed in the EtherChannel channel group, use the lacp max-bundle command in interface configuration mode. To set the value to the default, use the no form of this command.

lacp max-bundle number

no lacp max-bundle

 
Syntax Description

number

Specifies the maximum number of active interfaces allowed in the channel group, between 1 and 8; for 9.2(1) and later, the maximum is rasied to 16. If your switch does not support 16 active interfaces, be sure to set this command to 8 or fewer.

 
Command Default

(9.1 and earlier) The default is 8.

(9.2(1) and later) The default is 16.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

We introduced this command.

9.2(1)

We raised the number of active interfaces from 8 to 16.

 
Usage Guidelines

Enter this command for a port-channel interface. The maximum number of active interfaces per channel group is eight; to decrease the number, use this command.

Examples

The following example sets the maximum number of interfaces in the EtherChannel to four:

ciscoasa(config)# interface port-channel 1
ciscoasa(config-if)# lacp max-bundle 4
 

 
Related Commands

Command
Description

channel-group

Adds an interface to an EtherChannel.

interface port-channel

Configures an EtherChannel.

lacp port-priority

Sets the priority for a physical interface in the channel group.

lacp system-priority

Sets the LACP system priority.

port-channel load-balance

Configures the load-balancing algorithm.

port-channel min-bundle

Specifies the minimum number of active interfaces required for the port-channel interface to become active.

show lacp

Displays LACP information such as traffic statistics, system identifier and neighbor details.

show port-channel

Displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.

show port-channel load-balance

Displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.

lacp port-priority

To set the priority for a physical interface in an EtherChannel, use the lacp port-priority command in interface configuration mode. To set the priority to the default, use the no form of this command.

lacp port-priority number

no lacp port-priority

 
Syntax Description

number

Sets the priority between 1 and 65535. The higher the number, the lower the priority.

 
Command Default

The default is 32768.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

We introduced this command.

 
Usage Guidelines

Enter this command for a physical interface. The ASA uses this setting to decide which interfaces are active and which are standby if you assign more interfaces than can be used. If the port priority setting is the same for all interfaces, then the priority is determined by the interface ID (slot/port). The lowest interface ID is the highest priority. For example, GigabitEthernet 0/0 is a higher priority than GigabitEthernet 0/1.

If you want to prioritize an interface to be active even though it has a higher interface ID, then set this command to have a lower value. For example, to make GigabitEthernet 1/3 active before GigabitEthernet 0/7, then make the lacp port-priority value be 12345 on the 1/3 interface vs. the default 32768 on the 0/7 interface.

If the device at the other end of the EtherChannel has conflicting port priorities, the system priority is used to determine which port priorities to use. See the lacp system-priority command.

The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices. LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group.

Examples

The following example sets a lower port priority for GigabitEthernet 0/2 so it will be used as part of the EtherChannel ahead of GigabitEthernet 0/0 and 0/1:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config-if)# interface GigabitEthernet0/1
ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# lacp port-priority 1234
ciscoasa(config-if)# channel-group 1 mode active
 

 
Related Commands

Command
Description

channel-group

Adds an interface to an EtherChannel.

interface port-channel

Configures an EtherChannel.

lacp max-bundle

Specifies the maximum number of active interfaces allowed in the channel group.

lacp system-priority

Sets the LACP system priority.

port-channel load-balance

Configures the load-balancing algorithm.

port-channel min-bundle

Specifies the minimum number of active interfaces required for the port-channel interface to become active.

show lacp

Displays LACP information such as traffic statistics, system identifier and neighbor details.

show port-channel

Displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.

show port-channel load-balance

Displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.

lacp system-priority

For EtherChannels, to set the LACP system priority globally for the ASA, use the lacp system-priority command in global configuration mode. To set the value to the default, use the no form of this command.

lacp system-priority number

no lacp system-priority

 
Syntax Description

number

Sets the LACP system priority, from 1 to 65535. The default is 32768. The higher the number, the lower the priority. This command is global for the ASA.

 
Command Default

The default is 32768.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

We introduced this command.

 
Usage Guidelines

If the device at the other end of the EtherChannel has conflicting port priorities, the system priority is used to determine which port priorities to use. For interface priorities within an EtherChannel, see the lacp port-priority command.

Examples

The following example sets the system priority to be higher than the default (a lower number):

ciscoasa(config)# lacp system-priority 12345

 

 
Related Commands

Command
Description

channel-group

Adds an interface to an EtherChannel.

interface port-channel

Configures an EtherChannel.

lacp max-bundle

Specifies the maximum number of active interfaces allowed in the channel group.

lacp port-priority

Sets the priority for a physical interface in the channel group.

port-channel load-balance

Configures the load-balancing algorithm.

port-channel min-bundle

Specifies the minimum number of active interfaces required for the port-channel interface to become active.

show lacp

Displays LACP information such as traffic statistics, system identifier and neighbor details.

show port-channel

Displays EtherChannel information in a detailed and one-line summary form. This command also displays the port and port-channel information.

show port-channel load-balance

Displays port-channel load-balance information along with the hash result and member interface selected for a given set of parameters.

ldap attribute-map

To create and name an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names, use the ldap attribute-map command in global configuration mode. To remove the map, use the no form of this command.

ldap attribute-map map-name

no ldap attribute-map map-name

 
Syntax Description

 
Syntax DescriptionSyntax Description

map-name

Specifies a user-defined name for an LDAP attribute map.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

With the ldap attribute-map command, you can map your own attribute names and values to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would be as follows:

1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This commands enters ldap-attribute-map configuration mode.

2. Use the map-name and map-value commands in ldap-attribute-map configuration mode to populate the attribute map.

3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map to an LDAP server. Note the hyphen after ldap in this command.


Note To use the attribute mapping features correctly, you need to understand both the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.


Examples

The following example command, entered in global configuration mode, creates an LDAP attribute map named myldapmap prior to populating it or binding it to an LDAP server:

ciscoasa(config)# ldap attribute-map myldapmap
ciscoasa(config-ldap-attribute-map)#

 
Related Commands

Command
Description

ldap-attribute-map (aaa-server host mode)

Binds an LDAP attribute map to an LDAP server.

map-name

Maps a user-defined LDAP attribute name to a Cisco LDAP attribute name.

map-value

Maps a user-defined attribute value to the Cisco attribute name.

show running-config ldap attribute-map

Displays a specific running LDAP attribute map or all running attribute maps.

clear configure ldap attribute-map

Removes all LDAP attribute maps.

ldap-attribute-map

To bind an existing mapping configuration to an LDAP host, use the ldap-attribute-map command in aaa-server host configuration mode. To remove the binding, use the no form of this command.

ldap-attribute-map map-name

no ldap-attribute-map map-name

 
Syntax Description

 
Syntax DescriptionSyntax Description

map-name

Specifies an LDAP attribute mapping configuration.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

If the Cisco-defined LDAP attribute names do not meet your ease-of-use or other requirements, you can create your own attribute names, map them to Cisco attributes, and then bind the resulting attribute configuration to an LDAP server. Your typical steps would include:

1. Use the ldap attribute-map command in global configuration mode to create an unpopulated attribute map. This command enters ldap-attribute-map configuration mode. Note that there is no hyphen after “ldap” in this command.

2. Use the map-name and map-value commands in ldap-attribute-map configuration mode to populate the attribute mapping configuration.

3. Use the ldap-attribute-map command in aaa-server host mode to bind the attribute map configuration to an LDAP server.

Examples

The following example commands, entered in aaa-server host configuration mode, bind an existing attribute map named myldapmap to an LDAP server named ldapsvr1:

ciscoasa(config)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# ldap-attribute-map myldapmap
ciscoasa(config-aaa-server-host)#

 
Related Commands

Command
Description

ldap attribute-map (global configuration mode)

Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.

map-name

Maps a user-defined LDAP attribute name with a Cisco LDAP attribute name.

map-value

Maps a user-defined attribute value to a Cisco attribute.

show running-config ldap attribute-map

Displays a specific running ldap attribute mapping configuration or all running attribute mapping configurations.

clear configure ldap attribute-map

Removes all LDAP attribute maps.

ldap-base-dn

To specify the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request, use the ldap-base-dn command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, thus resetting the search to start at the top of the list, use the no form of this command.

ldap-base-dn string

no ldap-base-dn

 
Syntax Description

string

A case-sensitive string of up to 128 characters that specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request; for example, OU=Cisco. Spaces are not permitted in the string, but other special characters are allowed.

 
Defaults

Start the search at the top of the list.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command is valid only for LDAP servers.

Examples

The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP base DN as starthere.

ciscoasa(config)# aaa-server svrgrp1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry 7
ciscoasa(config-aaa-server-host)# ldap-base-dn starthere
ciscoasa(config-aaa-server-host)# exit
 

 
Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

ldap-scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

ldap-naming-attribute

Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server.

ldap-login-dn

Specifies the name of the directory object that the system should bind as.

ldap-login-password

Specifies the password for the login DN.

ldap-defaults

To define LDAP default values, use the ldap-defaults command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These default values are used only when the LDAP server requires them. To specify no LDAP defaults, use the no form of this command.

ldap-defaults server [ port ]

no ldap-defaults

 
Syntax Description

port

(Optional) Specifies the LDAP server port. If this parameter is not specified, the ASA uses the standard LDAP port (389).

server

Specifies the IP address or domain name of the LDAP server. If one exists within the CRL distribution point, it overrides this value.

 
Defaults

The default setting is not set.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crl configure configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following example defines LDAP default values on the default port (389):

ciscoasa(config)# crypto ca trustpoint central
ciscoasa(ca-trustpoint)# crl configure
ciscoasa(ca-crl)# ldap-defaults ldapdomain4 8389
 

 
Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

protocol ldap

Specifies LDAP as a retrieval method for CRLs

ldap-dn

To pass a X.500 distinguished name and password to an LDAP server that requires authentication for CRL retrieval, use the ldap-dn command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them. To specify no LDAP DN, use the no form of this command.

ldap-dn x.500-name password

no ldap-dn

 
Syntax Description

password

Defines a password for this distinguished name. The maximum field length is 128 characters.

x.500-name

Defines the directory path to access this CRL database, for example: cn=crl,ou=certs,o=CAName,c=US. The maximum field length is 128 characters.

 
Defaults

The default setting is not on.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crl configure configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

Examples

The following example specifies an X.500 name CN=admin,OU=devtest,O=engineering and a password xxzzyy for trustpoint central:

ciscoasa(config)# crypto ca trustpoint central
ciscoasa(ca-trustpoint)# crl configure
ciscoasa(ca-crl)# ldap-dn cn=admin,ou=devtest,o=engineering xxzzyy
 

 
Related Commands

Command
Description

crl configure

Enters crl configure configuration mode.

crypto ca trustpoint

Enters ca trustpoint configuration mode.

protocol ldap

Specifies LDAP as a retrieval method for CRLs.

ldap-group-base-dn

To specify the base group in the Active Directory hierarchy used by dynamic access policies for group searches, use the ldap-group-base-dn command in aaa-server host configuration mode. To remove the command from the running configuration, use the no form of the command:

ldap-group-base-dn [ string ]

no ldap-group-base-dn [ string ]

 
Syntax Description

string

A case-sensitive string of up to 128 characters that specifies the location in the Active Directory hierarchy where the server should begin searching. For example, ou=Employees. Spaces are not permitted in the string, but other special characters are allowed.

 
Defaults

No default behavior or values. If you do not specify a group search DN, the search begins at the base DN.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

aaa-server host configuration mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(4)

This command was introduced.

 
Usage Guidelines

The ldap-group-base-dn command applies only to Active Directory servers using LDAP, and specifies an Active Directory heirarchy level that the show ad-groups command uses to begin its group search. The groups retrieved from the search are used by dynamic group policies as selection criteria for a specific policy.

Examples

The following example sets the group base DN to begin the search at the organization unit (ou) level Employees:

ciscoasa(config-aaa-server-host)# ldap-group-base-dn ou=Employees

 
Related Commands

Command
Description

group-search-timeout

Adjusts the time the ASA waits for a response from an Active Directory server for a list of groups.

show ad-groups

Displays groups that are listed on an Active Directory server.

ldap-login-dn

To specify the name of the directory object that the system should bind this as, use the ldap-login-dn command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command.

ldap-login-dn string

no ldap-login-dn

 
Syntax Description

string

A case-sensitive string of up to 128 characters that specifies the name of the directory object in the LDAP hierarchy. Spaces are not permitted in the string, but other special characters are allowed.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command is valid only for LDAP servers. The maximum supported string length is 128 characters.

Some LDAP servers, including the Microsoft Active Directory server, require that the ASAestablish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The ASA identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field describes the authentication characteristics of the ASA. These characteristics should correspond to those of a user with administrator privileges.

For the string variable, enter the name of the directory object for VPN Concentrator authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.

Examples

The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login DN as myobjectname.

ciscoasa(config)# aaa-server svrgrp1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry 7
ciscoasa(config-aaa-server-host)# ldap-login-dn myobjectname
ciscoasa(config-aaa-server-host)#
 

 
Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

ldap-base-dn

Specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.

ldap-login-password

Specifies the password for the login DN. This command is valid only for LDAP servers.

ldap-naming-attribute

Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server.

ldap-scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

ldap-login-password

To specify the login password for the LDAP server, use the ldap-login-password command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this password specification, use the no form of this command:

ldap-login-password string

no ldap-login-password

 
Syntax Description

string

A case-sensitive, alphanumeric password, up to 64 characters long. The password cannot contain space characters.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command is valid only for LDAP servers. The maximum password string length is 64 characters.

Examples

The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login password as obscurepassword.

ciscoasa(config)# aaa-server svrgrp1 protocol ldap
ciscoasa(config)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server)# timeout 9
ciscoasa(config-aaa-server)# retry 7
ciscoasa(config-aaa-server)# ldap-login-password obscurepassword
ciscoasa(config-aaa-server)#
 

 
Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

ldap-base-dn

Specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.

ldap-login-dn

Specifies the name of the directory object that the system should bind as.

ldap-naming-attribute

Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server.

ldap-scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

ldap-naming-attribute

To specify the Relative Distinguished Name attribute, use the ldap-naming-attribute command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command:

ldap-naming-attribute string

no ldap-naming-attribute

 
Syntax Description

string

The case-sensitive, alphanumeric Relative Distinguished Name attribute, consisting of up to 128 characters, that uniquely identifies an entry on the LDAP server. Spaces are not permitted in the string, but other special characters are allowed.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Enter the Relative Distinguished Name attribute that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).

This command is valid only for LDAP servers. The maximum supported string length is 128 characters.

Examples

The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP naming attribute as cn.

ciscoasa(config)# aaa-server svrgrp1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry 7
ciscoasa(config-aaa-server-host)# ldap-naming-attribute cn
ciscoasa(config-aaa-server-host)#
 

 
Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

ldap-base-dn

Specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.

ldap-login-dn

Specifies the name of the directory object that the system should bind as.

ldap-login-password

Specifies the password for the login DN. This command is valid only for LDAP servers.

ldap-scope

Specifies the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.

ldap-over-ssl

To establish a secure SSL connection between the ASA and the LDAP server, use the ldap-over-ssl command in aaa-server host configuration mode. To disable SSL for the connection, use the no form of this command.

ldap-over-ssl enable

no ldap-over-ssl enable

 
Syntax Description

 
Syntax DescriptionSyntax Description

enable

Specifies that SSL secures a connection to an LDAP server.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

Use this command to specify that SSL secures a connection between the ASA and an LDAP server.


Note We recommend enabling this feature if you are using plain text authentication. See the sasl-mechanism command.


Examples

The following commands, entered in aaa-server host configuration mode, enable SSL for a connection between the ASA and the LDAP server named ldapsvr1 at IP address 10.10.0.1. They also configure the plain SASL authentication mechanism.

ciscoasa(config)# aaa-server ldapsvr1 protocol ldap
ciscoasa(config-aaa-server-host)# aaa-server ldapsvr1 host 10.10.0.1
ciscoasa(config-aaa-server-host)# ldap-over-ssl enable
ciscoasa(config-aaa-server-host)#

 
Related Commands

Command
Description

sasl-mechanism

Specifies SASL authentication between the LDAP client and server.

server-type

Specifies the LDAP server vendor as either Microsoft or Sun.

ldap attribute-map (global configuration mode)

Creates and names an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names.

ldap-scope

To specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request, use the ldap-scope command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command.

ldap-scope scope

no ldap-scope

 
Syntax Description

scope

The number of levels in the LDAP hierarchy for the server to search when it receives an authorization request. Valid values are:

  • onelevel —Search only one level beneath the Base DN
  • subtree —Search all levels beneath the Base DN

 
Defaults

The default value is onelevel.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Specifying the scope as onelevel results in a faster search, because only one level beneath the Base DN is searched. Specifying subtree is slower, because all levels beneath the Base DN are searched.

This command is valid only for LDAP servers.

Examples

The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP scope to include the subtree levels.

ciscoasa(config)# aaa-server svrgrp1 protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry 7
ciscoasa(config-aaa-server-host)# ldap-scope subtree
ciscoasa(config-aaa-server-host)#
 

 
Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

ldap-base-dn

Specifies the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request.

ldap-login-dn

Specifies the name of the directory object that the system should bind as.

ldap-login-password

Specifies the password for the login DN. This command is valid only for LDAP servers.

ldap-naming-attribute

Specifies the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server.

leap-bypass

To enable LEAP Bypass, use the leap-bypass enable command in group-policy configuration mode. To disable LEAP Bypass, use the leap-bypass disable command. To remove the LEAP Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for LEAP Bypass from another group policy.

leap-bypass { enable | disable }

no leap-bypass

 
Syntax Description

disable

Disables LEAP Bypass.

enable

Enables LEAP Bypass.

 
Defaults

LEAP Bypass is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

When enabled, LEAP Bypass allows LEAP packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Devices are then able to authenticate again, per user authentication.

This feature does not work as intended if you enable interactive hardware client authentication.

For further information, see the CLI configuration guide.


Note There may be security risks in allowing any unauthenticated traffic to traverse the tunnel.


Examples

The following example shows how to set LEAP Bypass for the group policy named FirstGroup”:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# leap-bypass enable

 
Related Commands

Command
Description

secure-unit-authentication

Requires VPN hardware clients to authenticate with a username and password each time the client initiates a tunnel.

user-authentication

Requires users behind VPN hardware clients to identify themselves to the ASA before connecting.

license

To configure the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes, use the license command in scansafe general-options configuration mode. To remove the license, use the no form of this command.

license hex_key

no license [ hex_key ]

 
Syntax Description

hex_key

Specifies the authentication key as a 16-byte hexidecimal number.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

Each ASA must use an authentication key that you obtain from Cloud Web Security. The authentication key lets Cloud Web Security identify the company associated with web requests and ensures that the ASA is associated with valid customer.

You can use one of two types of authentication keys for your ASA: the company key or the group key.

Company Authentication Key

A Company authentication key can be used on multiple ASAs within the same company. This key simply enables the Cloud Web Security service for your ASAs. The administrator generates this key in ScanCenter ( https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail the key for later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in ScanCenter. For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html.

Group Authentication Key

A Group authentication key is a special key unique to each ASA that performs two functions:

  • Enables the Cloud Web Security service for one ASA.
  • Identifies all traffic from the ASA so you can create ScanCenter policy per ASA.

The administrator generates this key in ScanCenter ( https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail the key for later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in ScanCenter. For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html.

Examples

The following example configures a primary server only:

scansafe general-options
server primary ip 180.24.0.62 port 8080
retry-count 5
license 366C1D3F5CE67D33D3E9ACEC265261E5
 

 
Related Commands

Command
Description

class-map type inspect scansafe

Creates an inspection class map for whitelisted users and groups.

default user group

Specifies the default username and/or group if the ASA cannot determine the identity of the user coming into the ASA.

http [ s ] (parameters)

Specifies the service type for the inspection policy map, either HTTP or HTTPS.

inspect scansafe

Enables Cloud Web Security inspection on the traffic in a class.

match user group

Matches a user or group for a whitelist.

policy-map type inspect scansafe

Creates an inspection policy map so you can configure essential parameters for the rule and also optionally identify the whitelist.

retry-count

Enters the retry counter value, which is the amount of time that the ASA waits before polling the Cloud Web Security proxy server to check its availability.

scansafe

In multiple context mode, allows Cloud Web Security per context.

scansafe general-options

Configures general Cloud Web Security server options.

server { primary | backup }

Configures the fully qualified domain name or IP address of the primary or backup Cloud Web Security proxy servers.

show conn scansafe

Shows all Cloud Web Security connections, as noted by the capitol Z flag.

show scansafe server

Shows the status of the server, whether it’s the current active server, the backup server, or unreachable.

show scansafe statistics

Shows total and current http connections.

user-identity monitor

Downloads the specified user or group information from the AD agent.

whitelist

Performs the whitelist action on the class of traffic.

license-server address

To identify the shared licensing server IP address and shared secret for use by a participant, use the license-server address command in global configuration mode. To disable participation in shared licensing, use the no form of this command. A shared license lets you purchase a large number of SSL VPN sessions and share the sessions as needed amongst a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest as shared licensing participants.

license-server address address secret secret [ port port ]

no license-server address [ address secret secret [ port port ]]

 
Syntax Description

address

Identifies the shared licensing server IP address.

port port

(Optional) If you changed the default port in the server configuration using the license-server port command, set the port for the backup server to match, between 1 and 65535. The default port is 50554.

secret secret

Identifies the shared secret. The secret muct match the secret set on the server using the license-server secret command.

 
Command Default

The default port is 50554.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The shared licensing participant must have a shared licensing participant key. Use the show activation-key command to check your installed licenses.

You can only specify one shared license server for each participant.

The following steps describe how shared licenses operate:

1. Decide which ASA should be the shared licensing server, and purchase the shared licensing server license using that device serial number.

2. Decide which ASAs should be shared licensing participants, including the shared licensing backup server, and obtain a shared licensing participant license for each device, using each device serial number.

3. (Optional) Designate a second ASA as a shared licensing backup server. You can only specify one backup server.


Note The shared licensing backup server only needs a participant license.


4. Configure a shared secret on the shared licensing server; any participants with the shared secret can use the shared license.

5. When you configure the ASA as a participant, it registers with the shared licensing server by sending information about itself, including the local license and model information.


Note The participant needs to be able to communicate with the server over the IP network; it does not have to be on the same subnet.


6. The shared licensing server responds with information about how often the participant should poll the server.

7. When a participant uses up the sessions of the local license, it sends a request to the shared licensing server for additional sessions in 50-session increments.

8. The shared licensing server responds with a shared license. The total sessions used by a participant cannot exceed the maximum sessions for the platform model.


Note The shared licensing server can also participate in the shared license pool if it runs out of local sessions. It does not need a participant license as well as the server license to participate.


a. If there are not enough sessions left in the shared license pool for the participant, then the server responds with as many sessions as available.

b. The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request.

9. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.


Note The ASA uses SSL between the server and participant to encrypt all communications.


Communication Issues Between Participant and Server

See the following guidelines for communication issues between the participant and server:

  • If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the sessions back into the shared license pool.
  • If the participant cannot reach the license server to send the refresh, then the participant can continue to use the shared license it received from the server for up to 24 hours.
  • If the participant is still not able to communicate with a license server after 24 hours, then the participant releases the shared license, even if it still needs the sessions. The participant leaves existing connections established, but cannot accept new connections beyond the license limit.
  • If a participant reconnects with the server before 24 hours expires, but after the server expired the participant sessions, then the participant needs to send a new request for the sessions; the server responds with as many sessions as can be reassigned to that participant.

Examples

The following example sets the license server IP address and shared secret, as well as the backup license server IP address:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape

ciscoasa(config)# license-server backup address 10.1.1.2

 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server backup address

To identify the shared licensing backup server IP address for use by a participant, use the license-server backup address command in global configuration mode. To disable use of the backup server, use the no form of this command.

license-server backup address address

no license-server address [ address ]

 
Syntax Description

address

Identifies the shared licensing backup server IP address.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The shared licensing backup server must have the license-server backup enable command configured.

Examples

The following example sets the license server IP address and shared secret, as well as the backup license server IP address:

ciscoasa(config)# license-server address 10.1.1.1 secret farscape

ciscoasa(config)# license-server backup address 10.1.1.2

 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server backup backup-id

To identify the shared licensing backup server in the main shared licensing server configuration, use the license-server backup backup-id command in global configuration mode. To remove the backup server configuration, use the no form of this command.

license-server backup address backup-id serial_number [ ha-backup-id ha_serial_number ]

no license-server backup address [ backup-id serial_number [ ha-backup-id ha_serial_number ]]

 
Syntax Description

address

Identifies the shared licensing backup server IP address.

backup-id serial_number

Identifies the shared licensing backup server serial number.

ha-backup-id ha_serial_number

If you use failover for the backup server, identifies the secondary shared licensing backup server serial number.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

You can only identify 1 backup server and its optional standby unit.

To view the backup server serial number, enter the show activation-key command.

To enable a participant to be the backup server, use the license-server backup enable command.

The shared licensing backup server must register successfully with the main shared licensing server before it can take on the backup role. When it registers, the main shared licensing server syncs server settings as well as the shared license information with the backup, including a list of registered participants and the current license usage. The main server and backup server sync the data at 10 second intervals. After the initial sync, the backup server can successfully perform backup duties, even after a reload.

When the main server goes down, the backup server takes over server operation. The backup server can operate for up to 30 continuous days, after which the backup server stops issuing sessions to participants, and existing sessions time out. Be sure to reinstate the main server within that 30-day period. Critical-level syslog messages are sent at 15 days, and again at 30 days.

When the main server comes back up, it syncs with the backup server, and then takes over server operation.

When the backup server is not active, it acts as a regular participant of the main shared licensing server.


Note When you first launch the main shared licensing server, the backup server can only operate independently for 5 days. The operational limit increases day-by-day, until 30 days is reached. Also, if the main server later goes down for any length of time, the backup server operational limit decrements day-by-day. When the main server comes back up, the backup server starts to increment again day-by-day. For example, if the main server is down for 20 days, with the backup server active during that time, then the backup server will only have a 10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is implemented to discourage misuse of the shared license.


Examples

The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and dmz interface:

ciscoasa(config)# license-server secret farscape

ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server backup enable

To enable this unit to be the shared licensing backup server, use the license-server backup enable command in global configuration mode. To disable the backup server, use the no form of this command.

license-server backup enable interface_name

no license-server enable interface_name

 
Syntax Description

interface_name

Specifies the interface on which participants contact the backup server. You can repeat this command for as many interfaces as desired.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The backup server must have a shared licensing participant key.

The shared licensing backup server must register successfully with the main shared licensing server before it can take on the backup role. When it registers, the main shared licensing server syncs server settings as well as the shared license information with the backup, including a list of registered participants and the current license usage. The main server and backup server sync the data at 10 second intervals. After the initial sync, the backup server can successfully perform backup duties, even after a reload.

When the main server goes down, the backup server takes over server operation. The backup server can operate for up to 30 continuous days, after which the backup server stops issuing sessions to participants, and existing sessions time out. Be sure to reinstate the main server within that 30-day period. Critical-level syslog messages are sent at 15 days, and again at 30 days.

When the main server comes back up, it syncs with the backup server, and then takes over server operation.

When the backup server is not active, it acts as a regular participant of the main shared licensing server.


Note When you first launch the main shared licensing server, the backup server can only operate independently for 5 days. The operational limit increases day-by-day, until 30 days is reached. Also, if the main server later goes down for any length of time, the backup server operational limit decrements day-by-day. When the main server comes back up, the backup server starts to increment again day-by-day. For example, if the main server is down for 20 days, with the backup server active during that time, then the backup server will only have a 10-day limit left over. The backup server “recharges” up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is implemented to discourage misuse of the shared license.


Examples

The following example identifies the license server and shared secret, and enables this unit as the backup shared license server on the inside interface and dmz interface.

ciscoasa(config)# license-server address 10.1.1.1 secret farscape

ciscoasa(config)# license-server backup enable inside
ciscoasa(config)# license-server backup enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server enable

To identify this unit as a shared licensing server, use the license-server enable command in global configuration mode. To disable the shared licensing server, use the no form of this command. A shared license lets you purchase a large number of SSL VPN sessions and share the sessions as needed amongst a group of ASAs by configuring one of the ASAs as a shared licensing server, and the rest as shared licensing participants.

license-server enable interface_name

no license-server enable interface_name

 
Syntax Description

interface_name

Specifies the interface on which participants contact the server. You can repeat this command for as many interfaces as desired.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

The shared licensing server must have a shared licensing server key. Use the show activation-key command to check your installed licenses.

The following steps describe how shared licenses operate:

1. Decide which ASA should be the shared licensing server, and purchase the shared licensing server license using that device serial number.

2. Decide which ASAs should be shared licensing participants, including the shared licensing backup server, and obtain a shared licensing participant license for each device, using each device serial number.

3. (Optional) Designate a second ASA as a shared licensing backup server. You can only specify one backup server.


Note The shared licensing backup server only needs a participant license.


4. Configure a shared secret on the shared licensing server; any participants with the shared secret can use the shared license.

5. When you configure the ASA as a participant, it registers with the shared licensing server by sending information about itself, including the local license and model information.


Note The participant needs to be able to communicate with the server over the IP network; it does not have to be on the same subnet.


6. The shared licensing server responds with information about how often the participant should poll the server.

7. When a participant uses up the sessions of the local license, it sends a request to the shared licensing server for additional sessions in 50-session increments.

8. The shared licensing server responds with a shared license. The total sessions used by a participant cannot exceed the maximum sessions for the platform model.


Note The shared licensing server can also participate in the shared license pool if it runs out of local sessions. It does not need a participant license as well as the server license to participate.


a. If there are not enough sessions left in the shared license pool for the participant, then the server responds with as many sessions as available.

b. The participant continues to send refresh messages requesting more sessions until the server can adequately fulfill the request.

9. When the load is reduced on a participant, it sends a message to the server to release the shared sessions.


Note The ASA uses SSL between the server and participant to encrypt all communications.


Communication Issues Between Participant and Server

See the following guidelines for communication issues between the participant and server:

  • If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the sessions back into the shared license pool.
  • If the participant cannot reach the license server to send the refresh, then the participant can continue to use the shared license it received from the server for up to 24 hours.
  • If the participant is still not able to communicate with a license server after 24 hours, then the participant releases the shared license, even if it still needs the sessions. The participant leaves existing connections established, but cannot accept new connections beyond the license limit.
  • If a participant reconnects with the server before 24 hours expires, but after the server expired the participant sessions, then the participant needs to send a new request for the sessions; the server responds with as many sessions as can be reassigned to that participant.

Examples

The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and DMZ interface:

ciscoasa(config)# license-server secret farscape

ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server port

To set the port on which the shared licensing server listens for SSL connections from participants, use the license-server port command in global configuration mode. To restore the default port, use the no form of this command.

license-server port port

no license-server port [ port ]

 
Syntax Description

seconds

Sets the port on which the server listens for SSL connections from participants, between 1 and 65535. The default is TCP port 50554.

 
Command Default

The default port is 50554.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

If you change the port from the default, be sure to set the same port for each participant using the license-server address command.

Examples

The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and DMZ interface:

ciscoasa(config)# license-server secret farscape

ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server refresh-interval

To set the refresh interval provided to participants to set how often they should communicate with the shared licensing server, use the license-server refresh-interval command in global configuration mode. To restore the default refresh interval, use the no form of this command.

license-server refresh-interval seconds

no license-server refresh-interval [ seconds ]

 
Syntax Description

seconds

Sets the refresh interval between 10 and 300 seconds. The default is 30 seconds.

 
Command Default

The default is 30 seconds.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

Each participant regularly communicates with the shared licensing server using SSL so the shared licensing server can keep track of current license usage and receive and respond to license requests.

Examples

The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and dmz interface:

ciscoasa(config)# license-server secret farscape

ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server secret

Sets the shared secret on the shared licensing server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license-server secret

To set the shared secret on the shared licensing server, use the license-server secret command in global configuration mode. To remove the secret, use the no form of this command.

license-server secret secret

no license-server secret secret

 
Syntax Description

secret

Sets the shared secret, a string between 4 and 128 ASCII characters.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.2(1)

This command was introduced.

 
Usage Guidelines

Any participant with this secret identified in the license-server address command can use the licensing server.

Examples

The following example sets the shared secret, changes the refresh interval and port, configures a backup server, and enables this unit as the shared licensing server on the inside interface and dmz interface:

ciscoasa(config)# license-server secret farscape

ciscoasa(config)# license-server refresh-interval 100
ciscoasa(config)# license-server port 40000
ciscoasa(config)# license-server backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id JMX1378N0W3
ciscoasa(config)# license-server enable inside
ciscoasa(config)# license-server enable dmz
 

 
Related Commands

Command
Description

activation-key

Enters a license activation key.

clear configure license-server

Clears the shared licensing server configuration.

clear shared license

Clears shared license statistics.

license-server address

Identifies the shared licensing server IP address and shared secret for a participant.

license-server backup address

Identifies the shared licensing backup server for a participant.

license-server backup backup-id

Identifies the backup server IP address and serial number for the main shared licensing server.

license-server backup enable

Enables a unit to be the shared licensing backup server.

license-server enable

Enables a unit to be the shared licensing server.

license-server port

Sets the port on which the server listens for SSL connections from participants.

license-server refresh-interval

Sets the refresh interval provided to participants to set how often they should communicate with the server.

show activation-key

Shows the current licenses installed.

show running-config license-server

Shows the shared licensing server configuration.

show shared license

Shows shared license statistics.

show vpn-sessiondb

Shows license information about VPN sessions.

license smart

To set the smart licensing entitlement request, use the license smart command in global configuration mode. To remove the entitlement and unlicense your device, use the no form of this command.


Note This feature is supported on the ASAv only.


license smart

no license smart

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(2)

We introduced this command.

 
Usage Guidelines

This command enters license smart configuration mode, where you can set the feature tier and other license entitlements. When you request the entitlements for the first time, you must exit license smart configuration mode for your changes to take effect.

Examples

The following example sets the feature tier to standard, and the throughput level to 2G:

ciscoasa# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 2G
ciscoasa(config-smart-lic)# exit
ciscoasa(config)#
 

 
Related Commands

Command
Description

call-home

Configures Smart Call Home. Smart licensing uses Smart Call Home infrastructure.

clear configure license

Clears the smart licensing configuration.

feature tier

Sets the feature tier for smart licensing.

http-proxy

Sets the HTTP(S) proxy for smart licensing and Smart Call Home.

license smart deregister

Deregisters a device from the License Authority.

license smart register

Registers a device with the License Authority.

license smart renew

Renews the registration or the license entitlement.

service call-home

Enables Smart Call Home.

show license

Shows the smart licensing status.

show running-config license

Shows the smart licensing configuration.

throughput level

Sets the throughput level for smart licensing.

license smart deregister

To deregister the device from the Cisco License Authority for smart licensing, use the license smart deregister command in privileged EXEC mode.


Note This feature is supported on the ASAv only.


license smart deregiste r

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(2)

We introduced this command.

 
Usage Guidelines

Deregistering the ASAv removes the ASAv from your account. All license entitlements and certificates on the ASAv are removed. You might want to deregister to free up a license for a new ASAv.

Examples

The following example deregisters the device:

ciscoasa# license smart deregister
 

 
Related Commands

Command
Description

call-home

Configures Smart Call Home. Smart licensing uses Smart Call Home infrastructure.

clear configure license

Clears the smart licensing configuration.

feature tier

Sets the feature tier for smart licensing.

http-proxy

Sets the HTTP(S) proxy for smart licensing and Smart Call Home.

license smart

Lets you request license entitlements for smart licensing.

license smart register

Registers a device with the License Authority.

license smart renew

Renews the registration or the license entitlement.

service call-home

Enables Smart Call Home.

show license

Shows the smart licensing status.

show running-config license

Shows the smart licensing configuration.

throughput level

Sets the throughput level for smart licensing.

license smart register

To register the device with the Cisco License Authority for smart licensing, use the license smart register command in privileged EXEC mode.


Note This feature is supported on the ASAv only.


license smart registe r idtoken id_token [ force ]

 
Syntax Description

idtoken id_token

In the Smart Software Manager, request and copy a registration token for the virtual account to which you want to add this ASAv.

force

Registers an ASAv that is already registered, but that might be out of sync with the License Authority.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(2)

We introduced this command.

 
Usage Guidelines

When you register the ASAv, the License Authority issues an ID certificate for communication between the ASAv and the License Authority. It also assigns the ASAv to the appropriate virtual account. Normally, this procedure is a one-time instance. However, you might need to later re-register the ASAv if the ID certificate expires because of a communication problem, for example.

Examples

The following example registers with an registration token:

ciscoasa# license smart register idtoken YjE3Njc5MzYtMGQzMi00OTA4LWJhODItNzBhMGQ5NGRlYjUxLTE0MTQ5NDAy%0AODQzNzl8NXk2bzV3SDE0ZkgwQkdYRmZ1NTNCNGlvRnBHUFpjcm02WTB4TU4w%0Ac2NnMD0%3D%0A
 

 
Related Commands

Command
Description

call-home

Configures Smart Call Home. Smart licensing uses Smart Call Home infrastructure.

clear configure license

Clears the smart licensing configuration.

feature tier

Sets the feature tier for smart licensing.

http-proxy

Sets the HTTP(S) proxy for smart licensing and Smart Call Home.

license smart

Lets you request license entitlements for smart licensing.

license smart deregister

Deregisters a device from the License Authority.

license smart renew

Renews the registration or the license entitlement.

service call-home

Enables Smart Call Home.

show license

Shows the smart licensing status.

show running-config license

Shows the smart licensing configuration.

throughput level

Sets the throughput level for smart licensing.

license smart renew

To renew the registration or license entitlement authorization for smart licensing, use the license smart renew command in privileged EXEC mode.


Note This feature is supported on the ASAv only.


license smart renew {id | auth}

 
Syntax Description

id

Renews the device registration.

auth

Renews the license entitlement.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

9.3(2)

We introduced this command.

 
Usage Guidelines

By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. You might want to manually renew the registration for either of these items if you have a limited window for Internet access, or if you make any licensing changes in the Smart Software Manager, for example.

Examples

The following example renews both the registration and license authorization:

ciscoasa# license smart renew id
ciscoasa# license smart renew auth
 

 
Related Commands

Command
Description

call-home

Configures Smart Call Home. Smart licensing uses Smart Call Home infrastructure.

clear configure license

Clears the smart licensing configuration.

feature tier

Sets the feature tier for smart licensing.

http-proxy

Sets the HTTP(S) proxy for smart licensing and Smart Call Home.

license smart

Lets you request license entitlements for smart licensing.

license smart deregister

Deregisters a device from the License Authority.

license smart register

Registers a device with the License Authority.

service call-home

Enables Smart Call Home.

show license

Shows the smart licensing status.

show running-config license

Shows the smart licensing configuration.

throughput level

Sets the throughput level for smart licensing.

lifetime (ca server mode)

To specify the length of time that the Local Certificate Authority (CA) certificate, each issued user certificates, or the Certificate Revocation List (CRL) is valid, use the lifetime command in ca server configuration mode. To reset the lifetime to the default setting, use the no form of this command.

lifetime { ca-certificate | certificate | crl} time

no lifetime {ca-certificate | certificate | crl}

 
Syntax Description

ca-certificate

Specifies the lifetime of the local CA server certificate.

certificate

Specifies the lifetime of all user certificates issued by the CA server.

crl

Specifies the lifetime of the CRL.

time

For the CA certificate and all issued certificates, time specifies the number of days the certificate is valid. The valid range is from 1 to 3650 days.

For the CRL, time specifies the number of hours the CRL is valid. The valid range for the CRL is from 1 to 720 hours.

 
Defaults

The default lifetimes are:

  • CA certificate—Three years
  • Issued certificates—One year
  • CRL—Six hours

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

By specifying the number of days or hours that a certificate or CRL is valid, this command determines the expiration date included in the certificate or the CRL.

The lifetime ca-certificate command takes effect when the local CA server certificate is first generated (that is, when you initially configure the local CA server and issue the no shutdown command). When the CA certificate expires, the configured lifetime value is used to generate the new CA certificate. You cannot change the lifetime value for existing CA certificates.

Examples

The following example configures the CA to issue certificates that are valid for three months:

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# lifetime certificate 90
ciscoasa(config-ca-server))#
 

The following example configures the CA to issue a CRL that is valid for two days:

ciscoasa(config)# crypto ca server
ciscoasa(config-ca-server)# lifetime crl 48
ciscoasa(config-ca-server)#

 
Related Commands

Command
Description

cdp-url

Specifies the certificate revocation list distribution point (CDP) to be included in the certificates issued by the CA.

crypto ca server

Provides access to the ca server configuration mode command set, which allows you to configure and manage the local CA.

crypto ca server crl issue

Forces the issuance of a CRL.

show crypto ca server

Displays the local CA configuration details in ASCII text.

show crypto ca server cert-db

Displays local CA server certificates.

show crypto ca server crl

Displays the current CRL of the local CA.

lifetime (ikev2 policy mode)

To specify the encryption algorithm in an IKEv2 security association (SA) for AnyConnect IPsec connections, use the encryption command in IKEv2 policy configuration mode. To remove the command and use the default setting, use the no form of this command:

lifetime {{ seconds seconds } | none }

 
Syntax Description

seconds

The lifetime in seconds, from 120 to 2,147,483,647 seconds. The default is 86,400 seconds (24 hours).

 
Defaults

The default is 86,400 seconds (24 hours).

 
Usage Guidelines

An IKEv2 SA is a key used in phase 1 to enable IKEv2 peers to communicate securely in phase 2. After entering the crypto ikev2 policy command, use the lifetime command to set the SA lifetime.

The lifetime sets the interval for IKEv2 SA rekeys. Using the none keyword disables rekeying the SA. However, the AnyConnect client can still rekey the SA.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes

  • Yes

 
Command History

Release
Modification

8.4(1)

This command was added.

Examples

The following example enters IKEv2 policy configuration mode and sets the lifetime to 43,200 seconds (12 hours):

ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# lifetime 43200

 
Related Commands

Command
Description

encryption

Specifies the encryption algorithm in an IKEv2 SA for AnyConnect IPsec connections.

group

Specifies the Diffie-Hellman group in an IKEv2 SA for AnyConnect IPsec connections.

integrity

Specifies the ESP integrity algorithm in an IKEv2 SA for AnyConnect IPsec connections.

prf

Specifies the pseudo-random function in an IKEv2 SA for AnyConnect IPsec connections.

limit-resource

To specify a resource limit for a class in multiple context mode, use the limit-resource command in class configuration mode. To restore the limit to the default, use the no form of this command. The ASA manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.

limit-resource [ rate ] { all | resource_name } number [ % ]}

no limit-resource { all | [ rate ] resource_name }

 
Syntax Description

all

Sets the limit for all resources.

number [ % ]

Specifies the resource limit as a fixed number greater than or equal to 1, or as a percentage of the system limit between 1 and 100 (when used with the percent sign (%)). Set the limit to 0 to indicate an unlimited resource, or for VPN resource types, to set the limit to none. For resources that do not have a system limit, you cannot set the percentage (%); you can only set an absolute value.

rate

Specifies that you want to set the rate per second for a resource. See Table 7-1 for resources for which you can set the rate per second.

resource_name

Specifies the resource name for which you want to set a limit. This limit overrides the limit set for all.

 
Defaults

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

For most resources, the default class provides unlimited access to resources for all contexts, except for the following limits:

  • Telnet sessions—5 sessions. (The maximum per context.)
  • SSH sessions—5 sessions. (The maximum per context.)
  • IPsec sessions—5 sessions. (The maximum per context.)
  • MAC addresses—65,535 entries. (The maximum per context.)
  • VPN site-to-site tunnels—0 sessions. (You must manually configure the class to allow any VPN sessions.)

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class configuration

  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

9.0(1)

A new resource type, routes, was created to set the maximum number of routing table entries in each context.

New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.

 
Usage Guidelines

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.

Table 7-1 lists the resource types and the limits. See also the show resource types command.

 

Table 7-1 Resource Names and Limits

Resource Name
Rate or Concurrent
Minimum and Maximum Number per Context
System Limit 1
Description

asdm

Concurrent

1 minimum

5 maximum

32

ASDM management sessions.

Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.

conns

Concurrent or Rate

N/A

Concurrent connections: See the CLI configuration guide for the connection limit for your platform.

Rate: N/A

TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

hosts

Concurrent

N/A

N/A

Hosts that can connect through the ASA.

inspects

Rate

N/A

N/A

Application inspections.

mac-addresses

Concurrent

N/A

65,535

For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.

routes

Concurrent

N/A

N/A

Dynamic routes.

ssh

Concurrent

1 minimum

5 maximum

100

SSH sessions.

syslogs

Rate

N/A

N/A

System log messages.

telnet

Concurrent

1 minimum

5 maximum

100

Telnet sessions.

vpn burst other

Concurrent

N/A

The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.

The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn other

Concurrent

N/A

See the “Supported Feature Licenses Per Model” section in the CLI configuration guide for the Other VPN sessions available for your model.

Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

xlates

Concurrent

N/A

N/A

Address translations.

1.If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.

Examples

The following example sets the default class limit for conns to 10 percent instead of unlimited:

ciscoasa(config)# class default
ciscoasa(config-class)# limit-resource conns 10%
 

All other resources remain at unlimited.

To add a class called gold, enter the following commands:

ciscoasa(config)# class gold
ciscoasa(config-class)# limit-resource mac-addresses 10000
ciscoasa(config-class)# limit-resource conns 15%
ciscoasa(config-class)# limit-resource rate conns 1000
ciscoasa(config-class)# limit-resource rate inspects 500
ciscoasa(config-class)# limit-resource hosts 9000
ciscoasa(config-class)# limit-resource asdm 5
ciscoasa(config-class)# limit-resource ssh 5
ciscoasa(config-class)# limit-resource rate syslogs 5000
ciscoasa(config-class)# limit-resource telnet 5
ciscoasa(config-class)# limit-resource xlates 36000
ciscoasa(config-class)# limit-resource routes 700
 

 
Related Commands

Command
Description

class

Creates a resource class.

context

Configures a security context.

member

Assigns a context to a resource class.

show resource allocation

Shows how you allocated resources across classes.

show resource types

Shows the resource types for which you can set limits.

lmfactor

To set a revalidation policy for caching objects that have only the last-modified timestamp, and no other server-set expiration values, use the lmfactor command in cache configuration mode. To set a new policy for revalidating such objects, use the command again. To reset the attribute to the default value of 20, enter the no version of the command.

lmfactor value

no lmfactor

 
Syntax Description

value

An integer in the range of 0 to 100.

 
Defaults

The default value is 20.

 
Command Modes

The following table shows the modes in which you enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Cache configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The ASA uses the value of the lmfactor to estimate the length of time for which it considers a cached object to be unchanged. This is known as the expiration time. The ASA estimates th expiration time by the time elapsed since the last modification multiplied by the lmfactor.

Setting the lmfactor to zero is equivalent to forcing an immediate revalidation, while setting it to 100 results in the longest allowable time until revalidation.

Examples

The following example shows how to set an lmfactor of 30:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# cache
ciscoasa(config-webvpn-cache)# lmfactor 30
ciscoasa(config-webvpn-cache)#

 
Related Commands

Command
Description

cache

Enters WebVPN Cache mode.

cache-compressed

Configures WebVPN cache compression.

disable

Disables caching.

expiry-time

Configures the expiration time for caching objects without revalidating them.

max-object-size

Defines the maximum size of an object to cache.

min-object-size

Defines the minimum size of an object to cache.

local-unit

To provide a name for this cluster member, use the local-unit command in cluster group configuration mode. To remove the name, use the no form of this command.

local-unit unit_name

no local-unit [ unit_name ]

 
Syntax Description

unit_name

Names this member of the cluster with a unique ASCII string from 1 to 38 characters.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Cluster group configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.0(1)

We introduced this command.

 
Usage Guidelines

Each unit must have a unique name. A unit with a duplicated name will be not be allowed in the cluster.

Examples

The following example names this unit as unit1:

ciscoasa(config)# cluster group cluster1

ciscoasa(cfg-cluster)# local-unit unit1

 

 
Related Commands

Command
Description

clacp system-mac

When using spanned EtherChannels, the ASA uses cLACP to negotiate the EtherChannel with the neighbor switch.

cluster group

Names the cluster and enters cluster configuration mode.

cluster-interface

Specifies the cluster control link interface.

cluster interface-mode

Sets the cluster interface mode.

conn-rebalance

Enables connection rebalancing.

console-replicate

Enables console replication from slave units to the master unit.

enable (cluster group)

Enables clustering.

health-check

Enables the cluster health check feature, which includes unit health monitoring and interface health monitoring.

key

Sets an authentication key for control traffic on the cluster control link.

mtu cluster-interface

Specifies the maximum transmission unit for the cluster control link interface.

priority (cluster group)

Sets the priority of this unit for master unit elections.

log

When using the Modular Policy Framework, log packets that match a match command or class map by using the log command in match or class configuration mode. This log action is available in an inspection policy map (the policy-map type inspect command) for application traffic. To disable this action, use the no form of this command.

l og

no log

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Match and class configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the log command to log all packets that match the match command or class command.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect http http_policy_map command where http_policy_map is the name of the inspection policy map.

Examples

The following example sends a log when packets match the http-traffic class map.

ciscoasa(config-cmap)# policy-map type inspect http http-map1
ciscoasa(config-pmap)# class http-traffic
ciscoasa(config-pmap-c)# log
 

 
Related Commands

Commands
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

policy-map type inspect

Defines special actions for application inspection.

show running-config policy-map

Display all current policy map configurations.

log-adj-changes (OSPFv2)

To configure the router to send a syslog message when an OSPF neighbor goes up or down, use the log-adj-changes command in router configuration mode. To turn off this function, use the no form of this command.

log-adj-changes [ detail ]

no log-adj-changes [ detail ]

 
Syntax Description

detail

(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.

 
Defaults

This command is enabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.01)

Multiple context mode is supported.

 
Usage Guidelines

The log-adj-changes command is enabled by default; it appears in the running configuration unless removed with the no form of the command.

Examples

The following example disables the sending of a syslog message when an OSPF neighbor goes up or down:

ciscoasa(config)# router ospf 5
ciscoasa(config-router)# no log-adj-changes
 

 
Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

log-adjacency-changes (OSPFv3)

To configure the router to send a syslog message when an OSPFv3 neighbor goes up or down, use the log-adjacency-changes command in IPv6 router configuration mode. To turn off this function, use the no form of this command.

log-adjacency-changes [ detail ]

no log-adjacency-changes [ detail ]

 
Syntax Description

detail

(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.

 
Defaults

This command is enabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

IPv6 router configuration

  • Yes

  • Yes
  • Yes

 
Command History

Release
Modification

9.01)

We introduced this command.

 
Usage Guidelines

The log-adjacency-changes command is enabled by default; it appears in the running configuration unless removed with the no form of the command.

Examples

The following example disables the sending of a syslog message when an OSPFv3 neighbor goes up or down:

ciscoasa(config)# ipv6 router ospf 5
ciscoasa(config-router)# no log-adjacency-changes
 

 
Related Commands

Command
Description

ipv6 router ospf

Enters router configuration mode.

show ipv6 ospf

Displays general information about the OSPFv3 routing processes.