64-16
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter64 Configuring IPsec and ISAKMP
Configuring ISAKMP
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPsec,
IPsec over TCP, NAT-Traversal, or IPsec over UDP.
You enable IPsec over TCP on both the ASA and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port no longer works on the public interface. The consequence is that you can no longer use a
browser to manage the ASA through the public interface. To solve this problem, reconfigure the
HTTP/HTTPS management to different ports.
The default port is 10000.
You must configure TCP port(s) on the client as well as on the ASA. The client configuration must
include at least one of the ports you set for the ASA.
To enable IPsec over TCP for IKEv1 globally on the ASA, enter the following command:
crypto ikev1 ipsec-over-tcp [port port 1...port0]
This example enables IPsec over TCP on port 45:
hostname(config)# crypto ikev1 ipsec-over-tcp port 45
Waiting for Active Sessions to Terminate Before Rebooting
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
To enable waiting for all active sessions to voluntarily terminate before the ASA reboots, enter the
following command:
crypto isakmp reload-wait
For example:
hostname(config)# crypto isakmp reload-wait
Use the reload command to reboot the ASA. If you set the reload-wait command, you can use the
reload quick command to override the reload-wait setting. The reload and reload-wait commands are
available in privileged EXEC mode; neither includes the isakmp prefix.
Alerting Peers Before Disconnecting
Remote access or LAN-to-LAN sessions can drop for several reasons, such as an ASA shutdown or
reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
The ASA can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients, and VPN 3002
hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert
decodes the reason and displays it in the event log or in a pop-up pane. This feature is disabled by default.
Qualified clients and peers include the following:
Security appliances with Alerts enabled
Cisco VPN clients running version 4.0 or later software (no configuration required)
VPN 3002 hardware clients running version 4.0 or later software, with Alerts enabled
VPN 3000 series concentrators running version 4.0 or later software with Alerts enabled
To enable disconnect notification to IPsec peers, enter the crypto isakmp disconnect-notify command.