Chapter 3 SSG Logon and Logoff

SSG Autologoff

The SSG Autologoff feature enables SSG to verify connectivity with each host. SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping.

ARP ping

When autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic. ARP ping works in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or through a bridged interface such as an RBE interface.

ICMP ping

When SSG autologoff is configured to use ICMP ping, SSG pings the host to check connectivity until an ICMP response is obtained or the allowable number of tries is used up. If all the tries are used up and the ping was unsuccessful, then SSG initiates logoff for that host. SSG uses ICMP ping one time at each configured interval. If data traffic to or from the host is found during the interval, SSG does not ping the host because reachability was established by the data traffic. ICMP ping works in all types of deployment scenarios and supports overlapping IP users.

Restrictions for SSG Autologoff

The SSG Autologoff feature has the following restrictions:

Use only one method of SSG autologoff at a time: ARP ping or ICMP ping.

Use ARP ping only in deployment scenarios in which all hosts are directly connected to the SSG through a broadcast interface such as an Ethernet interface or through a bridged interface such as an RBE interface. ICMP ping works in all types of deployment scenarios.

ARP ping works only on hosts that have a MAC address.

ARP ping does not support overlapping IP addresses.

SSG autologoff that uses ARP ping does not work for hosts with static ARP entries.

If you configure both the idle timers and ICMP-based autologoff, you must set the autologoff interval to a value that is at least twice as long as the idle timeout interval. Otherwise, the ICMP messages reset the idle timer and the user is only logged out if the user does not respond to the ICMP ping.
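The following is an added example, not Cisco code: a simplified Python model of the idle-timer restriction above, in which a reply to an ICMP ping counts as activity for the idle timer. The function names, the one-second tick and the single-host model are assumptions made for illustration.

```python
# Simplified model (assumption): one host, 1-second ticks, logon at t=0.
# The configured ICMP tries are collapsed into a single reachable/unreachable result.

def interval_ok(idle_timeout, interval):
    """The page's rule: autologoff interval is at least twice the idle timeout."""
    return interval >= 2 * idle_timeout

def simulate(interval, idle_timeout=None, last_user_traffic=0,
             unreachable_at=None, horizon=600):
    """Return (reason, second) describing how and when the session ends."""
    last_activity = 0
    for t in range(1, horizon + 1):
        reachable = unreachable_at is None or t < unreachable_at
        if reachable and t <= last_user_traffic:
            last_activity = t              # user data traffic this second
        if idle_timeout is not None and t - last_activity >= idle_timeout:
            return ("idle-timeout", t)
        if t % interval == 0:              # autologoff check is due
            if last_activity > t - interval:
                continue                   # traffic seen in the interval: no ping
            if not reachable:
                return ("autologoff", t)   # ping unanswered: log the host off
            last_activity = t              # ping reply resets the idle timer
    return ("still-logged-on", horizon)

if __name__ == "__main__":
    # Constructed scenarios; all times are in seconds.
    # Interval shorter than the idle timeout: an idle but reachable host stays on.
    print(interval_ok(60, 30), simulate(30, idle_timeout=60, last_user_traffic=10))
    # Interval set to twice the idle timeout: the idle timer fires.
    print(interval_ok(60, 120), simulate(120, idle_timeout=60, last_user_traffic=10))
    # No idle timer; host drops off at t=45 after traffic up to t=44.
    print(simulate(30, last_user_traffic=44, unreachable_at=45))
```

In the third scenario the check at t=60 is skipped because data traffic was seen during that interval, so the unreachable host is logged off at the following check.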

Configuration of SSG Autologoff

To configure the SSG Autologoff feature, use the ssg auto-logoff command in global configuration mode. For more information, refer to the SSG Autologoff, Release 12.2(4)B feature module.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

OL-4387-02