14-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Configuring TrustSec Firewall Policies
Table 14-1 SXP Settings Page (Continued)

Element Description

Retry Timer
    The interval between ASA attempts to set up new SXP connections to
    SXP peers. Enter the retry timer value as a number of seconds in the
    range 0 to 64000. If you specify 0 seconds, the timer never expires
    and the ASA does not attempt to connect to SXP peers. The default is
    120 seconds.
    The ASA keeps attempting to connect to new SXP peers until a
    connection succeeds. The retry timer runs as long as at least one SXP
    connection on the ASA is not up: when it expires, the ASA walks the
    connection database and, if any connection is off or in the
    "pending on" state, restarts the retry timer.

Reconcile Timer
    The reconcile timer value as a number of seconds in the range 1 to
    64000. The default is 120 seconds.
    After an SXP peer terminates its SXP connection, the ASA starts a
    hold-down timer. If the SXP peer reconnects while the hold-down timer
    is running, the ASA starts the reconcile timer and updates the SXP
    mapping database with the latest mappings learned over the new
    connection.
    When the reconcile timer expires, the ASA scans the SXP mapping
    database for stale entries (entries that were learned in a previous
    connection session), marks them obsolete, and removes them from the
    SXP mapping database.

    Note  You cannot specify 0 for this timer, because a value of 0 would
          prevent the reconcile timer from starting. Without the reconcile
          timer, stale entries would remain in the database indefinitely
          and policy enforcement would produce unexpected results.

Server Group Name
    Enter or select the name of the security group created on the ISE for
    the ASA.

    Note  If you choose to select a server group, you are also given the
          option to add an AAA server group.

    The server group name you specify here must match the name of the
    security group created on the ISE for the ASA. If the two names do not
    match, the ASA cannot communicate with the ISE. Contact your ISE
    administrator if you do not have this information.

Defining SXP Connection Peers

The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate
the IP-to-SGT mapping database from network devices that do not have SGT-capable hardware to
hardware that supports SGTs and security group ACLs. SXP is a control plane protocol that passes
IP-SGT mappings from authentication points (such as legacy access layer switches) to upstream devices
in the network. SXP connections between peers are point-to-point and use TCP as the underlying
transport protocol.
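The retry and reconcile timer rows in Table 14-1 describe a sequence of events (peer drops, hold-down starts, peer returns, reconcile timer expires) whose effect on the IP-SGT database is easier to see when walked through. The following Python model is an added illustration, not code from this user guide, Cisco Security Manager or the ASA: the class and function names, the event API, the 120-second hold-down length and the sample IP-SGT bindings are all constructed for the example. It assumes that a binding resent by the peer over the new connection is refreshed to the current session, so only bindings not resent are stale when the reconcile timer fires.

```python
"""Model of the ASA SXP retry/reconcile timer behaviour from Table 14-1.

Constructed illustration; not Cisco Security Manager or ASA code.  Time is
passed in explicitly (seconds) so the sequence is deterministic and offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def retry_due(retry_period: int, connection_states: List[str]) -> bool:
    """Retry-timer rule: a period of 0 disables retries; otherwise the timer
    keeps restarting while any SXP connection is off or 'pending on'."""
    if retry_period == 0:
        return False
    return any(s in ("off", "pending on") for s in connection_states)


@dataclass
class Mapping:
    sgt: int
    session: int          # connection session in which the entry was learned
    obsolete: bool = False


@dataclass
class SxpPeer:
    """One SXP connection on the ASA and the mappings learned from it."""
    reconcile_period: int          # 1..64000 s; the page says 0 is refused
    hold_down: int = 120           # assumed hold-down length (not on the page)
    session: int = 0
    connected: bool = False
    db: Dict[str, Mapping] = field(default_factory=dict)   # ip -> Mapping
    hold_down_until: Optional[float] = None
    reconcile_until: Optional[float] = None

    def __post_init__(self) -> None:
        if not 1 <= self.reconcile_period <= 64000:
            raise ValueError("reconcile timer must be 1..64000 seconds")

    def connect(self, now: float) -> None:
        self.session += 1
        self.connected = True
        # Peer returned while the hold-down timer was running: start the
        # reconcile timer so entries from the previous session are aged out.
        if self.hold_down_until is not None and now < self.hold_down_until:
            self.reconcile_until = now + self.reconcile_period
        self.hold_down_until = None

    def disconnect(self, now: float) -> None:
        """Peer terminated the connection: start the hold-down timer.
        (What happens if the hold-down expires without a reconnect is not
        covered by the page and is not modelled here.)"""
        self.connected = False
        self.hold_down_until = now + self.hold_down

    def learn(self, ip: str, sgt: int) -> None:
        """IP-SGT binding received from the peer; tagged with this session."""
        if not self.connected:
            raise RuntimeError("no SXP connection")
        self.db[ip] = Mapping(sgt=sgt, session=self.session)

    def tick(self, now: float) -> List[str]:
        """Advance time. Returns the IPs whose stale entries were removed."""
        if self.reconcile_until is None or now < self.reconcile_until:
            return []
        for m in self.db.values():            # mark entries from old sessions
            if m.session < self.session:
                m.obsolete = True
        removed = [ip for ip, m in self.db.items() if m.obsolete]
        for ip in removed:                    # then drop the obsolete entries
            del self.db[ip]
        self.reconcile_until = None
        return removed

    def lookup(self, ip: str) -> Optional[int]:
        m = self.db.get(ip)
        return None if m is None else m.sgt


def reconcile_demo(reconcile_period: int = 30) -> dict:
    """Peer drops and returns inside the hold-down; show which entries survive."""
    hosts = ("10.1.1.10", "10.1.1.11", "10.1.1.12")   # constructed sample IPs
    peer = SxpPeer(reconcile_period=reconcile_period)
    peer.connect(now=0)
    peer.learn("10.1.1.10", 100)
    peer.learn("10.1.1.11", 200)
    peer.disconnect(now=10)           # hold-down runs from 10 to 130
    peer.connect(now=20)              # inside hold-down -> reconcile timer starts
    peer.learn("10.1.1.10", 300)      # relearned with a new SGT
    peer.learn("10.1.1.12", 400)      # new host; 10.1.1.11 is not resent
    before = {ip: peer.lookup(ip) for ip in hosts}
    removed = peer.tick(now=20 + reconcile_period)
    after = {ip: peer.lookup(ip) for ip in hosts}
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(reconcile_demo())
```

Between the reconnect and the reconcile expiry the database still answers for 10.1.1.11 with the SGT from the old session, which is exactly the window the Note warns about: with no reconcile timer that stale binding would never be cleared and the firewall would keep enforcing policy on an IP-SGT pair the peer no longer asserts.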