Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Table 30-16 SSL VPN Access Policy Page (Continued)

Element: Default Idle Timeout
Description: The amount of time, in seconds, that an SSL or IKEv2 IPSec VPN session can be idle before the security appliance terminates it.

This value applies only if the Idle Timeout value in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 60 seconds (1 minute). The default is 30 minutes (1800 seconds). The maximum is 24 hours (86400 seconds).

We recommend that you set this attribute to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Element: Max Session Limit
Description: The maximum number of SSL or IKEv2 IPSec VPN sessions allowed. Be aware that the different ASA models have different maximum session limits:
ASA 5505—25.
ASA 5510—250.
ASA 5520—750.
ASA 5540—2500.
ASA 5550, 5585-X with SSP-10—5000.
ASA 5580, 5585-X (other models)—10,000.

Element: Allow Users to Select Connection Profile in Portal Page
Description: Whether to present a list of configured connection profiles (tunnel groups) from which the user can select the appropriate profile when the user logs in (for example, in the SSL VPN portal page). If you do not select this option, the user cannot select a profile and must use the default profile for the connection.

Tip: You must select this option for remote access IKEv2 IPSec VPNs. It is optional for SSL VPNs.

Element: Enable AnyConnect Access
Description: Whether to allow the user to use the AnyConnect VPN client to make an SSL or IKEv2 IPSec VPN connection. The option is selected by default. For details about AnyConnect VPN clients, see Understanding SSL VPN AnyConnect Client Settings, page 30-52.

Tip: You must select this option for remote access IKEv2 IPSec VPNs. For SSL VPN, select this option if you want to enable full client access.

Element: Enable AnyConnect Essentials
Description: Whether to enable the AnyConnect Essentials feature, which can be used with both SSL and IKEv2 IPSec VPNs. For details about AnyConnect Essentials VPN clients, see Understanding SSL VPN Access Policies (ASA), page 30-36.
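
The Default Idle Timeout description above combines a precedence rule with the phantom-session lockout that occurs when Simultaneous Logins is one. The following is an added example, not code from Cisco or from this guide: a simplified Python model of that interaction. The function and class names, the user name, the retry interval and the assumption that both timeout values are expressed in seconds are hypothetical.

```python
# Added example: a simplified model, not Cisco code. Names are hypothetical.
MIN_S, MAX_S, DEFAULT_S = 60, 86400, 1800  # limits and default from the table


def effective_idle_timeout(group_idle_s, default_idle_s=DEFAULT_S):
    """Group policy Idle Timeout wins unless it is 0 (no timeout value).

    Assumption: both values are already normalised to seconds.
    """
    if not MIN_S <= default_idle_s <= MAX_S:
        raise ValueError("Default Idle Timeout must be 60..86400 seconds")
    return group_idle_s if group_idle_s != 0 else default_idle_s


class SessionDB:
    """Toy sessions database with an idle reaper and a per-user login cap."""

    def __init__(self, idle_timeout_s, simultaneous_logins):
        self.idle = idle_timeout_s
        self.limit = simultaneous_logins
        self.last_seen = {}  # user -> last-activity timestamps of live sessions

    def login(self, user, now):
        # Drop sessions that have been idle for the full timeout.
        live = [t for t in self.last_seen.get(user, []) if now - t < self.idle]
        allowed = len(live) < self.limit
        if allowed:
            live.append(now)
        self.last_seen[user] = live
        return allowed


def first_accepted_retry(idle_timeout_s, simultaneous_logins, retry_every_s=30):
    """Record a phantom session at t=0, then retry until a login is accepted."""
    db = SessionDB(idle_timeout_s, simultaneous_logins)
    db.login("user1", 0)  # phantom: in the database, but the user never connected
    t = retry_every_s
    while not db.login("user1", t):
        t += retry_every_s
    return t


if __name__ == "__main__":
    for group_idle in (0, 120):  # constructed group policy values, in seconds
        timeout = effective_idle_timeout(group_idle)
        print(group_idle, timeout, first_accepted_retry(timeout, 1))
```

In this model the lockout lasts exactly as long as the effective idle timeout when Simultaneous Logins is one, and disappears when the cap is two or more.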