g – h

gateway

To specify which group of call agents are managing a particular gateway, use the gateway command in mgcp map configuration mode. To remove the configuration, use the no form of this command.

gateway ip_address [ group_id ]

Syntax Description

gateway

The group of call agents that are managing a particular gateway.

group_id

The ID of the call agent group, from 0 to 2147483647.

ip_address

The IP address of the gateway.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Mgcp map configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Use the gateway command to specify which group of call agents is managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may belong to only one group.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:


ciscoasa(config)# mgcp-map mgcp_policy
ciscoasa(config-mgcp-map)# call-agent 10.10.11.5 101
ciscoasa(config-mgcp-map)# call-agent 10.10.11.6 101
ciscoasa(config-mgcp-map)# call-agent 10.10.11.7 102
ciscoasa(config-mgcp-map)# call-agent 10.10.11.8 102
ciscoasa(config-mgcp-map)# gateway 10.10.10.115 101
ciscoasa(config-mgcp-map)# gateway 10.10.10.116 102
ciscoasa(config-mgcp-map)# gateway 10.10.10.117 102

gateway-fqdn

To configure the FQDN of the ASA, use the gateway-fqdn command. To remove the configuration, use the no form of this command.

gateway-fqdn value { FQDN_Name | none }

no gateway-fqdn

Syntax Description

fqdn-name

Defines the ASA FQDN to push down to the Secure Client.

none

Defines the FQDN as null value where the FQDN is not specified. The global FQDN configured using hostname and domain-name commands will be used if available.

Command Default

The default FQDN name is not set in the default group policy. New group policies are set to inherit this value.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

If you have configured Load Balancing between your ASAs, specify the FQDN of the ASA in order to resolve the ASA IP address used for re-establishing the VPN session. This setting is critical to support client roaming between networks of different IP protocols (such as IPv4 to IPv6).

You cannot use the ASA FQDN present in the Secure Client profile to derive the ASA IP address after roaming. The addresses may not match the correct device (the one the tunnel was established to) in the load balancing scenario.

If the ASA’s FQDN is not pushed to the client, the client will try to reconnect to whatever IP address the tunnel had previously established. In order to support roaming between networks of different IP protocols (from IPv4 to IPv6), Secure Client must perform name resolution of the device FQDN after roaming, so that it can determine which ASA address to use for re-establishing the tunnel. The client uses the ASA FQDN present in its profile during the initial connection. During subsequent session reconnects, it always uses the device FQDN pushed by ASA (and configured by the administrator in the group policy), when available. If the FQDN is not configured, the ASA derives the device FQDN (and sends it to the client) from whatever is set under Device Setup > Device Name/Password and Domain Name in ASDM.

If the device FQDN is not pushed by the ASA, the client cannot reestablish the VPN session after roaming between networks of different IP protocols.


Examples

The following example defines the FQDN of the ASA as ASAName.example.cisco.com:


ciscoasa(config-group-policy)# gateway-fqdn value ASAName.example.cisco.com
ciscoasa(config-group-policy)# 

The following example removes the FQDN of the ASA from the group policy. The group policy then inherits this value from the Default Group Policy.


ciscoasa(config-group-policy)# no gateway-fqdn
ciscoasa(config-group-policy)# 

The following example defines the FQDN as having no value. The global FQDN configured using the hostname and domain-name commands will be used if available.


ciscoasa(config-group-policy)# gateway-fqdn none
ciscoasa(config-group-policy)# 

graceful-restart

To configure graceful restart for OSPFv3 on an NSF-capable ASA, use the graceful-restart command in router configuration mode. Optionally, configure the graceful restart interval with the restart-interval option. Use the no form of the command to disable graceful restart.

graceful-restart [ restart-interval seconds ]

no graceful-restart

Syntax Description

restart-interval seconds

(Optional) Specifies the length of the graceful restart interval, in seconds. The range is from 1 to 1800. The default is 120.

Note

For a restart interval below 30 seconds, graceful restart will be terminated.

Command Default

OSPFv3 graceful restart is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router configuration mode

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.3(1)

This command was introduced.

Usage Guidelines

Use the graceful-restart command to allow OSPFv3 to remain in the data forwarding path through a process restart.


Note


Set the restart interval long enough to allow a typical reboot cycle for the ASA, but not so long that the network keeps relying on stale route information.

Examples

The following example enables OSPFv3 graceful-restart:


ciscoasa(config)# ipv6 router ospf 1
ciscoasa(config-router)# graceful-restart restart-interval 180

graceful-restart helper

To configure graceful restart helper mode for OSPFv3 on an NSF-aware ASA, use the graceful-restart helper command in router configuration mode. Use the no form of the command to disable graceful-restart helper mode.

graceful-restart helper [ strict-lsa-checking ]

no graceful-restart helper

Syntax Description

strict-lsa-checking

(Optional) Enables strict link-state advertisement (LSA) checking for helper mode.

Command Default

OSPFv3 graceful restart helper mode is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router configuration mode

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.3(1)

This command was introduced.

Usage Guidelines

When an ASA has NSF enabled, it is said to be NSF-capable and operates in graceful restart mode: the OSPF process performs nonstop forwarding recovery during a Route Processor (RP) switchover. By default, the neighboring ASAs of the NSF-capable ASA are NSF-aware and operate in NSF helper mode. When the NSF-capable ASA is performing graceful restart, the helper ASAs assist in the nonstop forwarding recovery process. If you do not want the ASA to help the restarting neighbor with nonstop forwarding recovery, enter the no graceful-restart helper command.

To enable strict LSA checking on both NSF-aware and NSF-capable ASAs, enter the graceful-restart helper strict-lsa-checking command. However, strict LSA checking will not become effective until the ASA becomes a helper ASA during a graceful restart process. With strict LSA checking enabled, the helper ASA will terminate the helping process of the restarting ASA if it detects that there is a change to an LSA that would be flooded to the restarting ASA or if there is a changed LSA on the retransmission list of the restarting ASA when the graceful restart process is initiated.

Examples

The following example enables graceful-restart helper with strict LSA checking:


ciscoasa(config)# ipv6 router ospf 1
ciscoasa(config-router)# graceful-restart helper strict-lsa-checking

group

To specify the Diffie-Hellman group in an IKEv2 security association (SA) for AnyConnect IPsec connections, use the group command in ikev2 policy configuration mode. To remove the command and use the default setting, use the no form of this command:

group { 1 | 2 | 5 | 14 | 19 | 20 | 21 | 24 }

no group { 1 | 2 | 5 | 14 | 19 | 20 | 21 | 24 }

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group 1 (not supported in FIPS mode).

2

Specifies the 1024-bit Diffie-Hellman group 2.

5

Specifies the 1536-bit Diffie-Hellman group 5.

14

Chooses an ECDH group as the IKEv2 DH key exchange group.

19

Chooses an ECDH group as the IKEv2 DH key exchange group.

20

Chooses an ECDH group as the IKEv2 DH key exchange group.

21

Chooses an ECDH group as the IKEv2 DH key exchange group.

24

Chooses an ECDH group as the IKEv2 DH key exchange group.

Command Default

The default Diffie-Hellman group is group 14.

Usage Guidelines

An IKEv2 SA is a key used in Phase 1 to enable IKEv2 peers to communicate securely in Phase 2. After entering the crypto ikev2 policy command, you can use the group command to set the SA Diffie-Hellman group. The ASA and the Secure Client use the group identifier to derive a shared secret without transmitting it to each other. The lower the Diffie-Hellman group number, the less CPU time it requires to execute. The higher the Diffie-Hellman group number, the greater the security.

When the Secure Client is operating in non-FIPS mode, the ASA supports Diffie-Hellman groups 1, 2 and 5. In FIPS mode, it supports groups 2 and 5. Therefore, if you configure the ASA to use only group 1, the Secure Client in FIPS mode will fail to connect.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ikev2 policy configuration

  • Yes

  • Yes

Command History

Release

Modification

8.4(1)

This command was added.

9.0(1)

The ability to choose an ECDH group as the IKEv2 DH key exchange group was added.

9.13(1)

The default DH group is group 14. The command options group 2, group 5, and group 24 were deprecated and will be removed in a later release.

Examples

The following example enters ikev2 policy configuration mode and sets the Diffie-Hellman group to group 5:


ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# group 5
ciscoasa(config-ikev2-policy)# group 2   (Deprecated)
ciscoasa(config-ikev2-policy)# group 5   (Deprecated)
ciscoasa(config-ikev2-policy)# group 24  (Deprecated)
ciscoasa(config-ikev2-policy)# group 14

group-alias

To create one or more alternate names by which the user can refer to a tunnel group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.

group-alias name [ enable | disable ]

no group-alias name

Syntax Description

disable

Disables the group alias.

enable

Enables a previously disabled group alias.

name

Specifies the name of a tunnel group alias. This can be any string you choose, except that the string cannot contain spaces.

Command Default

There is no default group alias, but if you do specify a group alias, that alias is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Tunnel-group webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

The group alias that you specify appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. This command is useful when the same group is known by several common names, such as “Devtest” and “QA”.

Examples

The following example shows the commands for configuring the tunnel group named “devtest” and establishing the aliases “QA” and “Fra-QA” for the group:


ciscoasa(config)# tunnel-group devtest type webvpn
ciscoasa(config)# tunnel-group devtest webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias QA
ciscoasa(config-tunnel-webvpn)# group-alias Fra-QA
ciscoasa(config-tunnel-webvpn)# 

group-delimiter

To enable group name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group name parsing, use the no form of this command.

group-delimiter delimiter

no group-delimiter

Syntax Description

delimiter

Specifies the character to use as the group name delimiter. Valid values are @, #, and !.

Command Default

By default, no delimiter is specified, disabling group-name parsing.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The delimiter is used to parse tunnel group names from user names when tunnels are negotiated. By default, no delimiter is specified, disabling group name parsing.

Examples

This example shows the group-delimiter command to change the group delimiter to the hash mark (#):


ciscoasa(config)# group-delimiter #

group-lock

To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode. To remove the group-lock attribute from the running configuration, use the no form of this command.

group-lock { value tunnel-grp-name | none }

no group-lock

Syntax Description

none

Sets group-lock to a null value, thereby allowing no group lock restriction. Prevents inheriting a group lock value from a default or specified group policy.

value tunnel-grp-name

Specifies the name of an existing tunnel group that the ASA requires for the user to connect.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Username configuration

  • Yes

  • Yes

Usage Guidelines

To disable group lock, use the group-lock none command. The no group-lock command allows inheritance of a value from another group policy.

Group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the ASA prevents the user from connecting. If you do not configure group lock, the ASA authenticates users without regard to the assigned group.

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example shows how to set group lock for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# group-lock value tunnel-grp-name

group-object

To add group objects to object groups, use the group-object command while configuring the object. To remove group objects, use the no form of this command.

group-object obj_grp_name

no group-object obj_grp_name

Syntax Description

obj_grp_name

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the “_”, “-”, “.” characters.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Protocol, network, service, icmp-type, security group, and user object-group configuration modes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.4(2)

Support for adding object groups in the object-group user configuration mode for use with the Identity Firewall feature was added.

Usage Guidelines

The group-object command is used with the object-group command to add an object that itself is an object group. This sub-command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.

Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.

A hierarchical object group can have at most 10 levels.


Note


The ASA does not support IPv6 nested network object groups, so you cannot group an object with IPv6 entries under another IPv6 object group.

Examples

The following example shows how to use the group-object command to eliminate the need to duplicate hosts:


ciscoasa(config)# object-group network host_grp_1
ciscoasa(config-network)# network-object host 192.168.1.1
ciscoasa(config-network)# network-object host 192.168.1.2 
ciscoasa(config-network)# exit
ciscoasa(config)# object-group network host_grp_2
ciscoasa(config-network)# network-object host 172.23.56.1
ciscoasa(config-network)# network-object host 172.23.56.2
ciscoasa(config-network)# exit
ciscoasa(config)# object-group network all_hosts
ciscoasa(config-network)# group-object host_grp_1
ciscoasa(config-network)# group-object host_grp_2
ciscoasa(config-network)# exit
ciscoasa(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
ciscoasa(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
ciscoasa(config)# access-list all permit tcp object-group all_hosts any eq w
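A model of the nesting rules described in the usage guidelines (duplicate leaf objects allowed, circular nesting rejected, at most 10 levels), built around the all_hosts hierarchy above. This is an added Python example, not Cisco code; the 10-level count assumes the top-level group is level 1.

```python
from collections import defaultdict

# Nesting limit stated in the command reference for hierarchical object groups.
# Assumption: the top-level group counts as level 1, so a 10-deep chain is
# allowed and an 11th level is rejected.
MAX_NESTING_LEVELS = 10


class ObjectGroupHierarchyError(ValueError):
    """A group-object entry the ASA would reject: circular or too deep."""


class ObjectGroupTable:
    """Minimal model of object groups nested with the group-object command."""

    def __init__(self):
        self.members = defaultdict(set)    # group -> leaf objects (hosts, nets, ...)
        self.children = defaultdict(list)  # group -> nested groups (group-object)
        self.parents = defaultdict(list)   # group -> groups that nest it

    def network_object(self, group, obj):
        """Model 'network-object host <addr>' entered inside object-group <group>."""
        self.members[group].add(obj)

    def group_object(self, parent, child):
        """Model 'group-object <child>' entered inside object-group <parent>."""
        # Circular check: the child must not already reach the parent.
        if parent == child or self._reaches(child, parent):
            raise ObjectGroupHierarchyError(
                f"group-object {child} in {parent} would make the hierarchy circular")
        # Depth check along the longest chain that would pass through the new edge.
        levels = self._height_above(parent) + self._depth(child)
        if levels > MAX_NESTING_LEVELS:
            raise ObjectGroupHierarchyError(
                f"group-object {child} in {parent} would need {levels} levels "
                f"(limit {MAX_NESTING_LEVELS})")
        self.children[parent].append(child)
        self.parents[child].append(parent)

    def flatten(self, group):
        """Leaf objects reachable from group. The same object reached through
        two nested groups is allowed and simply collapses to one entry."""
        seen, stack, out = set(), [group], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            out |= self.members[g]
            stack.extend(self.children[g])
        return out

    def _reaches(self, start, target):
        stack, seen = [start], set()
        while stack:
            g = stack.pop()
            if g == target:
                return True
            if g not in seen:
                seen.add(g)
                stack.extend(self.children[g])
        return False

    def _depth(self, group):
        """Levels in the subtree rooted at group (a group with no nesting is 1)."""
        kids = self.children[group]
        return 1 + (max(self._depth(k) for k in kids) if kids else 0)

    def _height_above(self, group):
        """Levels on the longest chain of groups nesting this one, including itself."""
        ups = self.parents[group]
        return 1 + (max(self._height_above(p) for p in ups) if ups else 0)


def group_object_accepted(table, parent, child):
    """True if the model accepts the group-object entry, False if it rejects it."""
    try:
        table.group_object(parent, child)
    except ObjectGroupHierarchyError:
        return False
    return True


if __name__ == "__main__":
    # The all_hosts hierarchy from the example above.
    t = ObjectGroupTable()
    for host in ("192.168.1.1", "192.168.1.2"):
        t.network_object("host_grp_1", host)
    for host in ("172.23.56.1", "172.23.56.2"):
        t.network_object("host_grp_2", host)
    t.group_object("all_hosts", "host_grp_1")
    t.group_object("all_hosts", "host_grp_2")
    print(sorted(t.flatten("all_hosts")))
    print(group_object_accepted(t, "host_grp_1", "all_hosts"))  # circular: False
```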

The following example shows how to use the group-object command to add a local user group to a user group object:


ciscoasa(config)# object-group user sampleuser1-group
ciscoasa(config-object-group user)# description group members of sampleuser1-group
ciscoasa(config-object-group user)# user-group EXAMPLE\\group.sampleusers-all
ciscoasa(config-object-group user)# user EXAMPLE\user2
ciscoasa(config-object-group user)# exit
ciscoasa(config)# object-group user sampleuser2-group
ciscoasa(config-object-group user)# description group members of sampleuser2-group
ciscoasa(config-object-group user)# group-object sampleuser1-group
ciscoasa(config-object-group user)# user-group EXAMPLE\\group.sampleusers-marketing
ciscoasa(config-object-group user)# user EXAMPLE\user3

group-policy

To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.

group-policy name { internal [ from group-policy_name ] | external server-group server_group password server_password }

no group-policy name

Syntax Description

external server-group server_group

Specifies the group policy as external and identifies the AAA server group for the ASA to query for attributes.

from group-policy_name

Initializes the attributes of this internal group policy to the values of a preexisting group policy.

internal

Identifies the group policy as internal.

name

Specifies the name of the group policy. The name can be up to 64 characters long and can contain spaces. Group names with spaces must be enclosed in double quotes, for example, “Sales Group”.

password server_password

Provides the password to use when retrieving attributes from the external AAA server group. The password can be up to 128 characters long and cannot contain spaces.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

A default group policy, named “DefaultGroupPolicy,” always exists on the ASA. However, this default group policy does not take effect unless you configure the ASA to use it. For configuration instructions, see the CLI configuration guide.

Use the group-policy attributes command to enter group-policy configuration mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:

Attribute

Default Value

backup-servers

keep-client-config

banner

none

client-access-rules

none

client-firewall

none

default-domain

none

dns-server

none

group-lock

none

ip-comp

disable

ip-phone-bypass

disabled

ipsec-udp

disabled

ipsec-udp-port

10000

leap-bypass

disabled

nem

disabled

password-storage

disabled

pfs

disable

re-xauth

disable

secure-unit-authentication

disabled

split-dns

none

split-tunnel-network-list

none

split-tunnel-policy

tunnelall

user-authentication

disabled

user-authentication-idle-timeout

none

vpn-access-hours

unrestricted

vpn-filter

none

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-simultaneous-logins

3

vpn-tunnel-protocol

IPsec WebVPN

wins-server

none

In addition, you can configure webvpn configuration mode attributes for the group policy, either by entering the webvpn command in group policy configuration mode or by entering the group-policy attributes command and then entering the webvpn command in group-webvpn configuration mode. See the description of the group-policy attributes command for details.

Examples

The following example shows how to create an internal group policy with the name “FirstGroup”:


ciscoasa(config)# group-policy FirstGroup internal

The following example shows how to create an external group policy with the name “ExternalGroup,” the AAA server group “BostonAAA,” and the password “12345678”:


ciscoasa(config)# group-policy ExternalGroup external server-group BostonAAA password 12345678

group-policy attributes

To enter group-policy configuration mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, use the no form of this command.

group-policy name attributes

no group-policy name attributes

Syntax Description

name

Specifies the name of the group policy.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

In group-policy configuration mode, you can configure Attribute-Value Pairs for a specified group policy or enter group-policy webvpn configuration mode to configure WebVPN attributes for the group.

The syntax of the commands in attributes mode has the following characteristics in common:

  • The no form removes the attribute from the running configuration, and enables inheritance of a value from another group policy.

  • The none keyword sets the attribute in the running configuration to a null value, thereby preventing inheritance.

  • Boolean attributes have explicit syntax for enabled and disabled settings.

A default group policy, named DefaultGroupPolicy, always exists on the ASA. However, this default group policy does not take effect unless you configure the ASA to use it. For configuration instructions, see the CLI configuration guide.

The group-policy attributes command enters group-policy configuration mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:

Attribute

Default Value

backup-servers

keep-client-config

banner

none

client-access-rule

none

client-bypass-protocol

disable

client-firewall

none

default-domain

none

dns-server

none

group-lock

none

ip-comp

disable

ip-phone-bypass

disabled

ipsec-udp

disabled

ipsec-udp-port

10000

leap-bypass

disabled

nem

disabled

password-storage

disabled

pfs

disable

re-xauth

disable

secure-unit-authentication

disabled

split-dns

none

split-tunnel-network-list

none

split-tunnel-policy

tunnelall

user-authentication

disabled

user-authentication-idle-timeout

none

vpn-access-hours

unrestricted

vpn-filter

none

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-simultaneous-logins

3

vpn-tunnel-protocol

IPsec WebVPN

wins-server

none

In addition, you can configure webvpn-mode attributes for the group policy, by entering the group-policy attributes command and then entering the webvpn command in group-policy configuration mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.

Examples

The following example shows how to enter group-policy attributes mode for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)#

group-prompt

To customize the group prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the ASA, use the group-prompt command in webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.

group-prompt { text | style } value

no group-prompt { text | style } value

Syntax Description

text

Specifies a change to the text.

style

Specifies a change to the style.

value

The actual text to display or Cascading Style Sheet (CSS) parameters (the maximum number is 256 characters).

Command Default

The default text of the group prompt is “GROUP:”.

The default style of the group prompt is color:black;font-weight:bold;text-align:right.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn customization configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

The style option is expressed as any valid CSS parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

  • RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

  • HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note


To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Examples

In the following example, the text is changed to “Corporate Group:”, and the default style is changed with the font weight increased to bolder:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# group-prompt text Corporate Group:
ciscoasa(config-webvpn-custom)# group-prompt style font-weight:bolder

group-search-timeout

To specify the maximum time to wait for a response from an Active Directory server queried using the show ad-groups command, use the group-search-timeout command in aaa-server host configuration mode. To remove the command from the configuration, use the no form of the command:

group-search-timeout seconds

no group-search-timeout seconds

Syntax Description

seconds

The time to wait for a response from the Active Directory server, from 1 to 300 seconds.

Command Default

The default is 10 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Aaa-server host configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(4)

This command was added.

Usage Guidelines

The show ad-groups command applies only to Active Directory servers using LDAP, and displays groups that are listed on an Active Directory server. Use the group-search-timeout command to adjust the time to wait for a response from the server.

Examples

The following example sets the timeout to 20 seconds:


ciscoasa(config-aaa-server-host)# group-search-timeout 20

group-url

To specify incoming URLs or IP addresses for the group, use the group-url command in tunnel-group webvpn configuration mode. To remove a URL from the list, use the no form of this command.

group-url url [ enable | disable ]

no group-url url

Syntax Description

disable

Disables the URL, but does not remove it from the list.

enable

Enables the URL.

url

Specifies a URL or IP address for this tunnel group.

Command Default

There is no default URL or IP address, but if you do specify a URL or IP address, it is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Tunnel-group webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

Specifying a group URL or IP address eliminates the need for the user to select a group at login. When a user logs in, the ASA looks for the user’s incoming URL/address in the tunnel group policy table. If it finds the URL/address and if this command is enabled in the tunnel group, then the ASA automatically selects the associated tunnel group and presents the user with only the username and password fields in the login window. This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that tunnel group.

If the URL/address is disabled and the group-alias command is configured, then the drop-down list of groups is also displayed, and the user must make a selection.

You can configure multiple URLs/addresses (or none) for a group. Each URL/address can be enabled or disabled individually. You must use a separate group-url command for each URL/address specified. You must specify the entire URL/address, including either the HTTP or HTTPS protocol.

You cannot associate the same URL/address with multiple groups. The ASA verifies the uniqueness of the URL/address before accepting it for a tunnel group.

Examples

The following example shows the commands for configuring the WebVPN tunnel group named “test” and establishing two group URLs, “http://www.cisco.com” and “https://supplier.example.com” for the group:


ciscoasa(config)# tunnel-group test type webvpn
ciscoasa(config)# tunnel-group test webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url http://www.cisco.com
ciscoasa(config-tunnel-webvpn)# group-url https://supplier.example.com
ciscoasa(config-tunnel-webvpn)# 

The following example enables the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel group named RadiusServer:


ciscoasa(config)# tunnel-group RadiusServer type webvpn
ciscoasa(config)# tunnel-group RadiusServer general-attributes
ciscoasa(config-tunnel-general)# authentication server-group RADIUS
ciscoasa(config-tunnel-general)# accounting-server-group RADIUS
ciscoasa(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enable
ciscoasa(config-tunnel-webvpn)# group-url http://www.cisco.com enable
ciscoasa(config-tunnel-webvpn)# group-url http://192.168.10.10 enable
ciscoasa(config-tunnel-webvpn)# 

gtp-u-header-check

To check whether the inner payload of a GTP data packet is a valid IP packet, and drop it if it is not, use the gtp-u-header-check command in GTP inspection policy map parameters configuration mode. Use the no form of this command to disable the check.

gtp-u-header-check [ anti-spoofing [ gtpv2-dhcp-bypass | gtpv2-dhcp-drop ] ]

no gtp-u-header-check [ anti-spoofing [ gtpv2-dhcp-bypass | gtpv2-dhcp-drop ] ]

Syntax Description

anti-spoofing

Checks whether the mobile user IP address in the IP header of the inner payload matches the IP address assigned in GTP control messages such as Create Session Response, and drops the GTP-U message if the IP addresses do not match. This check supports IPv4, IPv6, and IPv4v6 PDN Types.

If the mobile station gets its address using DHCP, the end-user IP address in GTPv2 is 0.0.0.0 (IPv4) or prefix ::0 (IPv6), so in this case, the system updates the end-user IP address with the first IP address found in the inner packets. You can change the default behavior for DHCP-obtained addresses using the gtpv2-dhcp keywords.

gtpv2-dhcp-bypass

Do not update the 0.0.0.0 or prefix ::0 address. Instead, allow packets where the end-user IP address is 0.0.0.0 or prefix ::0. This option bypasses the anti-spoofing check when DHCP is used to obtain the IP address.

gtpv2-dhcp-drop

Do not update the 0.0.0.0 or prefix ::0 address. Instead, drop all packets where the end-user IP address is 0.0.0.0 or prefix ::0. This option prevents access for users that use DHCP to obtain the IP address.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration mode

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.10(1)

This command was introduced.

Usage Guidelines

You can use this command to implement anti-spoofing. An attacker can pretend (spoof) to be another subscriber by sending GTP-U traffic with an IP address other than the one assigned through GTP-C. Anti-spoofing checks that the address used in GTP-U is actually the one that was assigned using GTP-C.
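The following Python model is an added example, not ASA code, of the two checks described in the keyword descriptions and the guidelines above: the header check rejects an inner payload that is not a well-formed IPv4 or IPv6 packet, and the anti-spoofing check compares the mobile user's address against the one learned from GTP-C, with the default learn-on-first-packet behaviour and the two gtpv2-dhcp alternatives for an unassigned 0.0.0.0 or ::0 address. The names PdnSession, parse_inner_ip, check_gtpu_payload, ipv4_packet and ipv6_packet are assumptions, each session models a single address family, and treating the inner source address as the mobile user's address on uplink (destination on downlink) is an assumption of the model; the packets built in the test are constructed, not captured.

```python
# Added example (not ASA code): a model of gtp-u-header-check and its anti-spoofing option.
# PdnSession, parse_inner_ip, check_gtpu_payload, ipv4_packet, ipv6_packet are assumed names.
import ipaddress
import struct

UPDATE = "update"                  # default: learn the DHCP-assigned address from the first packet
DHCP_BYPASS = "gtpv2-dhcp-bypass"
DHCP_DROP = "gtpv2-dhcp-drop"


class PdnSession:
    """Address learned from GTP-C (for example Create Session Response) for one PDN family."""

    def __init__(self, assigned):
        # IPv4 host address (/32) or IPv6 prefix (/64); 0.0.0.0/32 or ::/64 means DHCP-assigned.
        self.assigned = ipaddress.ip_network(assigned, strict=False)

    @property
    def unassigned(self):
        return int(self.assigned.network_address) == 0


def parse_inner_ip(payload):
    """Return (src, dst) of the inner IP packet, or None if it is not a valid IPv4/IPv6 packet."""
    if not payload:
        return None
    version = payload[0] >> 4
    if version == 4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        total_len = struct.unpack("!H", payload[2:4])[0]
        if ihl < 20 or total_len < ihl or len(payload) < total_len:
            return None
        return ipaddress.IPv4Address(payload[12:16]), ipaddress.IPv4Address(payload[16:20])
    if version == 6 and len(payload) >= 40:
        payload_len = struct.unpack("!H", payload[4:6])[0]
        if len(payload) < 40 + payload_len:
            return None
        return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])
    return None


def check_gtpu_payload(session, payload, uplink=True, dhcp_mode=UPDATE):
    """Return 'forward' or 'drop' for the inner payload of one GTP-U packet.

    uplink=True compares the inner source address (traffic from the mobile station),
    uplink=False the destination; which end is the mobile user's address is an assumption.
    """
    addrs = parse_inner_ip(payload)
    if addrs is None:
        return "drop"                                  # header check: not a valid IP packet
    user_ip = addrs[0] if uplink else addrs[1]
    if session.unassigned:                             # GTPv2 end-user address 0.0.0.0 / ::0
        if dhcp_mode == DHCP_DROP:
            return "drop"
        if dhcp_mode == DHCP_BYPASS:
            return "forward"
        prefix = 32 if user_ip.version == 4 else 64    # default: learn from the first inner packet
        session.assigned = ipaddress.ip_network(f"{user_ip}/{prefix}", strict=False)
        return "forward"
    if user_ip.version != session.assigned.version or user_ip not in session.assigned:
        return "drop"                                  # anti-spoofing: not the GTP-C assigned address
    return "forward"


def ipv4_packet(src, dst, payload=b""):
    """Build a minimal IPv4 packet (constructed test input, not captured traffic)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def ipv6_packet(src, dst, payload=b""):
    """Build a minimal IPv6 packet (constructed test input, not captured traffic)."""
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload
```

A real inspection engine would also have to track the IPv4v6 PDN type as two addresses per bearer and learn the address from GTP-C messages itself; the model takes the assigned address as given so that the decision logic stays visible.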

Examples

The following example enables anti-spoofing with the default behavior.

ciscoasa(config)# policy-map type inspect gtp gtp-map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# gtp-u-header-check anti-spoofing

h245-tunnel-block

To block H.245 tunneling in H.323, use the h245-tunnel-block command in parameters configuration mode. To disable this feature, use the no form of this command.

h245-tunnel-block action [ drop-connection | log ]

no h245-tunnel-block action [ drop-connection | log ]

Syntax Description

drop-connection

Drops the call setup connection when an H.245 tunnel is detected.

log

Issues a log when an H.245 tunnel is detected.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Examples

The following example shows how to block H.245 tunneling on an H.323 call:


ciscoasa(config)# policy-map type inspect h323 h323_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# h245-tunnel-block action drop-connection

hardware-bypass

To enable the hardware bypass on the Cisco ISA 3000 so that traffic continues to flow between an interface pair during a power outage, use the hardware-bypass command in global configuration mode. To disable the hardware bypass, use the no form of this command.

hardware-bypass GigabitEthernet { 1/1-1/2 | 1/3-1/4 } [ sticky ]

no hardware-bypass GigabitEthernet { 1/1-1/2 | 1/3-1/4 } [ sticky ]


Note


This feature is only available on the Cisco ISA 3000 appliance.

Syntax Description

GigabitEthernet {1/1-1/2 | 1/3-1/4 }

Supported interface pairs are copper GigabitEthernet 1/1 & 1/2; and GigabitEthernet 1/3 & 1/4. If you have a fiber Ethernet model, only the copper Ethernet pair (GigabitEthernet 1/1 & 1/2) supports hardware bypass. Enter this command separately for each pair.

sticky

(Optional) Keeps the appliance in hardware bypass mode after the power comes back and the appliance boots up. In this case, you need to manually turn off the hardware bypass when you are ready using the no hardware-bypass manual command; this option lets you control when the brief interruption occurs.

Command Default

Hardware bypass is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

9.4(1.225)

This command was added.

Usage Guidelines

When the hardware bypass is active, no firewall functions are in place, so make sure you understand the risks of allowing traffic through. When the hardware bypass is deactivated, there is a brief connection interruption as the ASA takes over the flows.


Note


When the ISA 3000 loses power and goes into hardware bypass mode, only the above interface pairs can communicate; when using the default configuration, inside1 <---> inside2, and outside1 <---> outside2 can no longer communicate. Any existing connections between these interfaces will be lost.

Examples

The following example disables hardware bypass for GigabitEthernet 1/1 and 1/2, and enables it for 1/3 and 1/4:


ciscoasa(config)# no hardware-bypass GigabitEthernet 1/1-1/2
ciscoasa(config)# hardware-bypass GigabitEthernet 1/3-1/4

hardware-bypass boot-delay

To configure the hardware bypass on the Cisco ISA 3000 to remain active until after the ASA Firepower module boots up, use the hardware-bypass boot-delay command in global configuration mode. To disable the boot delay, use the no form of this command.

hardware-bypass boot-delay module-up sfr

no hardware-bypass boot-delay module-up sfr


Note


This feature is only available on the Cisco ISA 3000 appliance.

Syntax Description

module-up sfr

Delays disabling the hardware bypass until after the ASA FirePOWER module boots up.

Command Default

The boot delay is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

9.4(1.225)

This command was added.

Usage Guidelines

You must enable hardware bypass using the hardware-bypass command without the sticky option for the hardware-bypass boot-delay command to operate. Without the hardware-bypass boot-delay command, the hardware bypass is likely to become inactive before the ASA FirePOWER module finishes booting up. This scenario can cause traffic to be dropped if you configured the module to fail-close, for example.

Examples

The following example enables hardware bypass (without the sticky option), and enables the boot delay:


ciscoasa(config)# hardware-bypass GigabitEthernet 1/1-1/2
ciscoasa(config)# hardware-bypass GigabitEthernet 1/3-1/4
ciscoasa(config)# hardware-bypass boot-delay module-up sfr

hardware-bypass manual

To manually activate or deactivate the hardware bypass on the Cisco ISA 3000, use the hardware-bypass manual command in privileged EXEC mode.

hardware-bypass manual GigabitEthernet { 1/1-1/2 | 1/3-1/4 }

no hardware-bypass manual GigabitEthernet { 1/1-1/2 | 1/3-1/4 }


Note


This feature is only available on the Cisco ISA 3000 appliance.

Syntax Description

GigabitEthernet {1/1-1/2 | 1/3-1/4 }

Supported interface pairs are copper GigabitEthernet 1/1 & 1/2; and GigabitEthernet 1/3 & 1/4. If you have a fiber Ethernet model, only the copper Ethernet pair (GigabitEthernet 1/1 & 1/2) supports hardware bypass. Enter this command separately for each pair.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

Command History

Release

Modification

9.4(1.225)

This command was added.

Usage Guidelines

When you configure the hardware-bypass command sticky option that keeps bypass enabled, you must use the hardware-bypass manual command to deactivate hardware bypass after power is restored.

This command changes the current hardware bypass state. In the event of a power failure, the hardware-bypass configuration command actions take priority. For example, if hardware-bypass is disabled in the configuration, but you enable hardware bypass manually, then at a power failure, hardware bypass becomes disabled according to the configuration.

Examples

The following example manually deactivates hardware bypass for GigabitEthernet 1/1 and 1/2:


ciscoasa# no hardware-bypass manual GigabitEthernet 1/1-1/2

health-check

To enable the cluster health check feature, use the health-check command in cluster group configuration mode. To disable the health check, use the no form of this command.

health-check [ holdtime timeout ] [ vss-enabled ]

no health-check [ holdtime timeout ] [ vss-enabled ]

Syntax Description

holdtime timeout

Determines the amount of time between keepalive or interface status messages, between .3 seconds (9.8(1) and later) or .8 seconds (9.7 and earlier) and 45 seconds. The default is 3 seconds. Note that configuring a lower holdtime increases CCL messaging and CPU activity. If you downgrade your ASA software after setting the hold time to .3 to .7 seconds, this setting reverts to the default of 3 seconds because the new setting is unsupported.

vss-enabled

If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.

Command Default

Health check is enabled by default, with a holdtime of 3 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cluster group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

9.1(4)

The vss-enabled keyword was added.

9.8(1)

The holdtime minimum value was lowered to .3 seconds.

Usage Guidelines

When any topology changes occur (such as adding or removing a data interface, enabling or disabling an interface on the ASA or the switch, or adding an additional switch to form a VSS or vPC) you should disable the health check feature and also disable interface monitoring for the disabled interfaces (no health-check monitor-interface ). When the topology change is complete, and the configuration change is synced to all units, you can re-enable the health check feature.

Keepalive messages between members determine member health. If a unit does not receive any keepalive messages from a peer unit within the holdtime period, the peer unit is considered unresponsive or dead.


Note


In 9.8(1), the unit health check messaging scheme was changed to heartbeats in the data plane from keepalives in the control plane. Using the data plane improves CPU usage and reliability.

This command is not part of the bootstrap configuration, and is replicated from the master unit to the slave units.

Examples

The following example disables the health check:


ciscoasa(config)# cluster group cluster1
ciscoasa(cfg-cluster)# no health-check

health-check application

To enable Cloud Web Security application health checking, use the health-check application command in scansafe general-options configuration mode. To remove health checking or return to the default timeout, use the no form of this command.

health-check application { [ url url_string ] | timeout seconds }

no health-check application { [ url url_string ] | timeout seconds }

Syntax Description

url url_string

(Optional.) Specifies the URL to use when polling the application. If you do not specify a URL, the default URL is used. The default URL is http://gs.scansafe.net/goldStandard?type=text&size=10.

Specify a URL only if instructed to do so by Cisco Cloud Web Security.

timeout seconds

Specifies how long the ASA waits after sending a GET request for the health check URL to get a response. The ASA retries the request after the timeout, up to the retry limit for polling the server, before marking the server as down and initiating failover. The default is 15 seconds; the range is 5 to 120 seconds.

Command Default

Health checking is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Scansafe general-options configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

This command was added.

Usage Guidelines

When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and backup proxy server. These servers are routinely polled to check for their availability. If your ASA is unable to reach the Cloud Web Security proxy server (for example, if no SYN/ACK packets arrive from the proxy server), then the proxy server is polled through a TCP three-way handshake to check its availability. If the proxy server is unavailable after a configured number of retries (the default is five), the server is declared as unreachable, and the backup proxy server becomes active.

You can further refine failover by checking the health of the Cloud Web Security application. In some cases, the server can complete the TCP three-way handshake, yet the Cloud Web Security application on the server is not functioning correctly. If you enable application health checking, the system can fail over to the backup server even if the three-way handshake completes, if the application itself does not respond. This provides a more reliable failover setup. Use the health-check application command to enable this extra check.

Health checking involves sending a GET request with a test URL to the Cloud Web Security application. Failure to respond within the configured timeout and retry limits marks the server as down, and the system initiates failover. The backup server is also tested to ensure that it is functioning correctly before it is marked as the active server. After failover, the application on the primary server is retested every 30 seconds until it comes back online and can be marked the active server again.

The ASA automatically falls back to the primary Cloud Web Security proxy server from the backup server after continued polling shows that the primary server is active for two consecutive retry count periods. You can change this polling interval using the retry-count command.
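The following Python state machine is an added example, not ASA code, of the failover and fallback rules in the three paragraphs above: the active server is marked down after retry-count consecutive failed application probes, the backup is probed before it becomes active, and the primary is retested while failed over and takes over again once it has answered for two consecutive retry-count periods. The name CwsHealthCheck is an assumption; the TCP three-way-handshake check is omitted, the GET probe is supplied by the caller as a function, and counting the fallback condition as 2 x retry-count consecutive good probes is this model's reading of "two consecutive retry count periods".

```python
# Added example (not ASA code): failover/fallback between the primary and backup
# Cloud Web Security proxies driven by application-level probes. CwsHealthCheck is an
# assumed name; probe(server) stands in for the GET request to the health-check URL.
class CwsHealthCheck:
    def __init__(self, primary, backup, probe, retry_count=5):
        self.primary, self.backup = primary, backup
        self.probe = probe                 # probe(server) -> True if the app answered in time
        self.retry_count = retry_count     # consecutive failures that mark a server down
        self.active = primary
        self.failures = 0                  # consecutive failed probes of the active server
        self.primary_healthy = 0           # consecutive good probes of the primary while failed over

    def poll(self):
        """Run one polling round and return the list of state transitions it caused."""
        events = []
        if self.probe(self.active):
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.retry_count:
                events.append(f"{self.active} marked down")
                self.failures = 0
                if self.active == self.primary:
                    # The backup is tested before it is allowed to become active.
                    if self.probe(self.backup):
                        self.active = self.backup
                        self.primary_healthy = 0
                        events.append(f"failover to {self.backup}")
                    else:
                        events.append(f"{self.backup} also unhealthy; no server available")
        if self.active == self.backup:
            # Keep retesting the primary; fall back after two consecutive retry-count periods.
            if self.probe(self.primary):
                self.primary_healthy += 1
                if self.primary_healthy >= 2 * self.retry_count:
                    self.active = self.primary
                    self.failures = 0
                    events.append(f"fallback to {self.primary}")
            else:
                self.primary_healthy = 0
        return events
```

The asymmetry is deliberate: a single failed round is enough to keep counting toward "down", but fallback to the primary needs a sustained run of good probes, which prevents a flapping primary from bouncing the active server back and forth.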

Examples

The following example configures a primary and backup server and enables health checking using the default URL and timeout. You must enter the health-check application command separately to enable health checking and to set a non-default timeout.


scansafe general-options
 server primary ip 10.24.0.62 port 8080
 server backup ip 10.10.0.7 port 8080
 health-check application 
 retry-count 7
 license 366C1D3F5CE67D33D3E9ACEC265261E5

health-check auto-rejoin

To customize the auto-rejoin cluster settings after a health check failure, use the health-check auto-rejoin command in cluster group configuration mode. To restore the default values, use the no form of this command.

health-check { data-interface | cluster-interface | system } auto-rejoin { unlimited | auto_rejoin_max } [ auto_rejoin_interval [ auto_rejoin_interval_variation ] ]

no health-check { data-interface | cluster-interface | system } auto-rejoin [ { unlimited | auto_rejoin_max } [ auto_rejoin_interval [ auto_rejoin_interval_variation ] ] ]

Syntax Description

auto_rejoin_interval

(Optional) Defines the interval duration in minutes between rejoin attempts, between 2 and 60. The default value is 5 minutes. The maximum total time that the unit attempts to rejoin the cluster is limited to 14400 minutes (10 days) from the time of last failure.

auto_rejoin_interval_variation

(Optional) Defines if the interval duration increases, between 1 and 3:

  • 1 —No change

  • 2 —2 x the previous duration

  • 3 —3 x the previous duration.

For example, if you set the interval duration to 5 minutes, and set the variation to 2 , then the first attempt is after 5 minutes; the 2nd attempt is 10 minutes (2 x 5); the 3rd attempt 20 minutes (2 x 10), and so on. The default value is 1 for the cluster-interface and 2 for the data-interface and system.

auto_rejoin_max

Defines the number of attempts at rejoining the cluster, between 0 and 65535. 0 disables auto-rejoining. The default value is unlimited for the cluster-interface and 3 for the data-interface and system.

cluster-interface

Sets the auto-rejoin settings for the cluster control link.

data-interface

Sets the auto-rejoin settings for data interfaces.

system

Sets the auto-rejoin settings for internal errors for the system. Internal failures include: application sync timeout; inconsistent application statuses; and so on.

unlimited

Sets the number of attempts at rejoining the cluster to unlimited, the default for the cluster-interface.

Command Default

  • The cluster auto-rejoin feature for a failed cluster control link is unlimited attempts every 5 minutes.

  • The cluster auto-rejoin feature for a failed data interface is 3 attempts every 5 minutes, with the increasing interval set to 2.

  • The cluster auto-rejoin feature for an internal system error is 3 attempts every 5 minutes, with the increasing interval set to 2.
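The following Python function is an added example, not ASA code, that turns the three auto-rejoin parameters and their per-keyword defaults into the timetable of rejoin attempts: the wait before each attempt, and the time since the last failure at which it happens. The names rejoin_schedule, schedule_for, DEFAULTS and MAX_TOTAL_MINUTES are assumptions, and stopping as soon as the next attempt would fall after the 14400-minute limit is this model's reading of that limit. It goes slightly beyond the text by showing that, with the interval 10 and variation 3 used in the example below, only 7 of 10 configured attempts fit inside the 10-day window.

```python
# Added example (not ASA code): the rejoin timetable implied by the auto-rejoin parameters.
# rejoin_schedule, schedule_for, DEFAULTS and MAX_TOTAL_MINUTES are assumed names.
MAX_TOTAL_MINUTES = 14400          # 10 days from the time of the last failure

DEFAULTS = {                       # (auto_rejoin_max, interval, variation) per keyword
    "cluster-interface": ("unlimited", 5, 1),
    "data-interface": (3, 5, 2),
    "system": (3, 5, 2),
}


def rejoin_schedule(auto_rejoin_max="unlimited", interval=5, variation=1):
    """Return [(attempt_no, wait_minutes, minutes_since_failure), ...] for each rejoin attempt.

    Attempts stop when the configured count is exhausted or when the next attempt would
    fall after MAX_TOTAL_MINUTES (how the 10-day limit applies is this model's assumption).
    """
    if auto_rejoin_max != "unlimited" and not 0 <= auto_rejoin_max <= 65535:
        raise ValueError("auto_rejoin_max must be 0-65535 or 'unlimited'")
    if not 2 <= interval <= 60:
        raise ValueError("interval must be 2-60 minutes")
    if variation not in (1, 2, 3):
        raise ValueError("variation must be 1, 2 or 3")
    schedule = []
    wait, elapsed = interval, 0
    while auto_rejoin_max == "unlimited" or len(schedule) < auto_rejoin_max:
        elapsed += wait
        if elapsed > MAX_TOTAL_MINUTES:
            break
        schedule.append((len(schedule) + 1, wait, elapsed))
        wait *= variation          # 1: fixed interval; 2: doubles; 3: triples
    return schedule


def schedule_for(keyword, *args):
    """Schedule for a keyword, using its defaults for any argument not supplied."""
    params = list(DEFAULTS[keyword])
    params[:len(args)] = args
    return rejoin_schedule(*params)
```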

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cluster group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.9(2)

Added the system keyword.

9.5(1)

This command was added.

Usage Guidelines

This command lets you customize the auto-rejoin options to suit your network conditions.

Examples

The following example configures 10 rejoin attempts for both interface types. For data interfaces, the rejoin interval is 10 minutes, with an interval duration increase of 3 x the interval. For the cluster control link, the rejoin interval is 7 minutes, with an interval duration increase of 2 x the interval.


ciscoasa(config)# cluster group pod1
ciscoasa(cfg-cluster)# local-unit unit1
ciscoasa(cfg-cluster)# cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
ciscoasa(cfg-cluster)# site-id 1
ciscoasa(cfg-cluster)# health-check data-interface auto-rejoin 10 10 3
ciscoasa(cfg-cluster)# health-check cluster-interface auto-rejoin 10 7 2
ciscoasa(cfg-cluster)# priority 1
ciscoasa(cfg-cluster)# key chuntheunavoidable
ciscoasa(cfg-cluster)# enable noconfirm

health-check chassis-heartbeat-delay-rejoin

To set the chassis rejoin to match the health-check system auto-rejoin command for chassis heartbeat failures, use the health-check chassis-heartbeat-delay-rejoin command in cluster group configuration mode. To have the chassis rejoin immediately, use the no form of this command.

health-check chassis-heartbeat-delay-rejoin

no health-check chassis-heartbeat-delay-rejoin

Syntax Description

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cluster group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.20(2)

This command was added.

Usage Guidelines

By default, if the chassis heartbeat fails and then recovers, the node rejoins the cluster immediately. However, if you configure the health-check chassis-heartbeat-delay-rejoin command, it will rejoin according to the settings of the health-check system auto-rejoin command.

Examples

The following example configures the health-check system auto-rejoin and then enables use of those settings for the chassis heartbeat rejoin.


ciscoasa(config)# cluster group pod1
ciscoasa(cfg-cluster)# local-unit unit1
ciscoasa(cfg-cluster)# cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
ciscoasa(cfg-cluster)# site-id 1
ciscoasa(cfg-cluster)# health-check system auto-rejoin 10 10 3
ciscoasa(cfg-cluster)# health-check chassis-heartbeat-delay-rejoin
ciscoasa(cfg-cluster)# priority 1
ciscoasa(cfg-cluster)# key chuntheunavoidable
ciscoasa(cfg-cluster)# enable noconfirm

health-check monitor-interface

To monitor interfaces, use the health-check monitor-interface command in cluster group configuration mode. To disable monitoring, use the no form of this command.

health-check monitor-interface { interface_id | service-module | service-application | debounce-time }

no health-check monitor-interface { interface_id | service-module | service-application | debounce-time }

Syntax Description

interface_id

Enables monitoring on interfaces. You can specify any port-channel ID, redundant ID, or single physical interface ID. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster control link; it is always monitored.

service-application

Enables monitoring of the decorator application on the Firepower 4100/9300.

service-module

Enables monitoring of a software or hardware module on ASA hardware models, such as the ASA FirePOWER module.

debounce-time

Configures the debounce time before the ASA removes a failed interface. Set the debounce time between 300 and 9000 ms. The default is 500 ms. Lower values allow for faster detection of interface failures. Note that configuring a lower debounce time increases the chances of false-positives. When an interface status update occurs, the ASA waits the number of milliseconds specified before removing the interface. In the case of an EtherChannel that transitions from a down state to an up state (for example, the switch reloaded, or the switch enabled an EtherChannel), a longer debounce time can prevent the interface from appearing to be failed on a cluster unit just because another cluster unit was faster at bundling the ports.
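The following Python function is an added example, not ASA code, of the debounce-time behaviour just described as a time-window filter over link-state events: a down transition only counts as a failure if no up transition arrives within the debounce window, so brief flaps (such as an EtherChannel re-bundling) are ignored, while a sustained down is declared exactly debounce_ms after it began. The name interface_failures and the event tuple format are assumptions, and the event lists in the test are constructed.

```python
# Added example (not ASA code): a time-window filter with the semantics described for
# debounce-time. interface_failures is an assumed name.
def interface_failures(events, debounce_ms=500, now_ms=None):
    """Given link-state events [(t_ms, 'up'|'down'), ...], return the times (ms) at which
    the interface would be declared failed: a 'down' must persist for debounce_ms with no
    intervening 'up'. now_ms is the evaluation time for a 'down' still pending at the end."""
    if not 300 <= debounce_ms <= 9000:
        raise ValueError("debounce-time must be 300-9000 ms")
    failures = []
    down_since = None    # start of the current uninterrupted down period
    declared = False     # whether that period has already produced a failure

    def settle(t):
        # Declare the pending down period failed once it has outlasted the window.
        nonlocal declared
        if down_since is not None and not declared and t - down_since >= debounce_ms:
            failures.append(down_since + debounce_ms)
            declared = True

    for t, state in sorted(events):
        settle(t)
        if state == "down":
            if down_since is None:
                down_since, declared = t, False
        elif state == "up":
            down_since, declared = None, False   # a flap shorter than the window leaves no trace
        else:
            raise ValueError(f"unknown state {state!r}")
    if now_ms is not None:
        settle(now_ms)
    return failures
```

The trade-off in the text is visible in the test: the same event list yields no failure with a 9000 ms window, one with 500 ms, and two with 300 ms.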

Command Default

Interface health monitoring is enabled on all interfaces by default.

The debounce time is 500 ms.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cluster group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.4(1)

This command was added.

9.5(1)

The service-module keyword was added.

9.6(1)

The service-application keyword was added.

9.8(1)

The debounce-time keyword was added for the Firepower 4100/9300.

9.9(2)

The debounce-time keyword was added for ASA appliances.

9.10(1)

The debounce-time keyword now applies to interfaces changing from a down state to an up state.

Usage Guidelines

When any topology changes occur (such as adding or removing a data interface, enabling or disabling an interface on the ASA or the switch, or adding an additional switch to form a VSS or vPC) you should disable the health check feature (no health-check ) and also disable interface monitoring for the disabled interfaces (no health-check monitor-interface ). When the topology change is complete, and the configuration change is synced to all units, you can re-enable the health check feature.

Interface status messages detect link failure. If an interface fails on a particular unit, but the same interface is active on other units, then the unit is removed from the cluster.

If a unit does not receive interface status messages within the holdtime, then the amount of time before the ASA removes a member from the cluster depends on the type of interface and whether the unit is an established member or is joining the cluster. For EtherChannels (spanned or not), if the interface is down on an established member, then the ASA removes the member after 9 seconds. If the unit is joining the cluster as a new member, the ASA waits 45 seconds before rejecting the new unit. For non-EtherChannels, the unit is removed after 500 ms, regardless of the member state.

This command is not part of the bootstrap configuration, and is replicated from the master unit to the slave units.

Examples

The following example disables interface health monitoring for Ethernet1/1:


ciscoasa(config)# cluster group cluster1
ciscoasa(cfg-cluster)# no health-check monitor-interface ethernet1/1

hello-interval

To specify the interval between EIGRP hello packets sent on an interface, use the hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.

hello-interval eigrp as-number seconds

no hello-interval eigrp as-number seconds

Syntax Description

as-number

Specifies the autonomous system number of the EIGRP routing process.

seconds

Specifies the interval between hello packets that are sent on the interface. Valid values are from 1 to 65535 seconds.

Command Default

The default is 5 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will occur. This value must be the same for all routers and access servers on a specific network.

Examples

The following example sets the EIGRP hello interval to 10 seconds and the hold time to 30 seconds:


ciscoasa(config-if)# hello-interval eigrp 100 10
ciscoasa(config-if)# hold-time eigrp 100 30

hello padding multi-point

To enable IS-IS hello padding at the router level, enter the hello padding multi-point command in router isis configuration mode. To disable IS-IS hello padding, use the no form of this command.

hello padding multi-point

no hello padding multi-point

Syntax Description

This command has no arguments or keywords.

Command Default

Hello padding is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(1)

This command was added.

Usage Guidelines

This command enables IS-IS hellos to be padded to the full maximum transmission unit (MTU) size. The benefit of padding IS-IS hellos to the full MTU is that it allows for early detection of errors that result from transmission problems with large frames or errors that result from mismatched MTUs on adjacent interfaces.

You can disable hello padding to avoid wasting network bandwidth in case the MTU of both interfaces is the same, or in case of translational bridging. While hello padding is disabled, the ASAs still send the first five IS-IS hellos padded to the full MTU size to maintain the benefits of discovering MTU mismatches.

To disable hello padding for all interfaces on an ASA for the IS-IS routing process, enter the no hello padding multi-point command in router configuration mode. To selectively disable hello padding for a specific interface, enter the no isis hello padding command in interface configuration mode.

Examples

In the following example the no hello padding multi-point command is used to turn off hello padding at the router level:


ciscoasa(config)# router isis
ciscoasa(config-router)# no hello padding multi-point

help

To display help information for the command specified, use the help command in user EXEC mode.

help { command | ? }

Syntax Description

?

Displays all commands that are available in the current privilege level and mode.

command

Specifies the command for which to display the CLI help.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

User EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The help command displays help information about all commands. You can see help for an individual command by entering the help command followed by the command name. If you do not specify a command name and enter ? instead, all commands that are available in the current privilege level and mode display.

If you enable the pager command and after 24 lines display, the listing pauses, and the following prompt appears:


<--- More --->

The More prompt uses syntax similar to the UNIX more command as follows:

  • To see another screen of text, press the Space bar.

  • To see the next line, press the Enter key.

  • To return to the command line, press the q key.

Examples

The following example shows how to display help for the rename command:


ciscoasa# help rename
USAGE:
        rename /noconfirm [{disk0:|disk1:|flash:}] <source path> [{disk0:|disk1:|flash:}] <destination path>
DESCRIPTION:
rename          Rename a file
SYNTAX:
/noconfirm                      No confirmation
{disk0:|disk1:|flash:}          Optional parameter that specifies the filesystem
<source path>                   Source file path
<destination path>              Destination file path
ciscoasa#

The following example shows how to display help by entering the command name followed by a question mark:


ciscoasa(config)# enable ?
usage: enable password <pwd> [encrypted]

Help is available for the core commands (not the show, no, or clear commands) by entering ? at the command prompt:


ciscoasa(config)# ?
aaa                 Enable, disable, or view TACACS+ or RADIUS
                    user authentication, authorization and accounting
...

hidden-parameter

To specify hidden parameters in the HTTP POST request that the ASA submits to the authenticating web server for SSO authentication, use the hidden-parameter command in aaa-server-host configuration mode. To remove all hidden parameters from the running configuration, use the no form of this command.

hidden-parameter string

no hidden-parameter


Note


To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.

Syntax Description

string

A hidden parameter embedded in the form and sent to the SSO server. You can enter it on multiple lines. The maximum number of characters for each line is 255. The maximum number of characters for all lines together—the complete hidden parameter—is 2048.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Aaa-server-host configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

This is an SSO with HTTP Forms command.

The WebVPN server of the ASA uses an HTTP POST request to submit an SSO authentication request to an authenticating web server. That request may require specific hidden parameters from the SSO HTML form, other than the username and password, that are not visible to the user. You can discover the hidden parameters that the web server expects in the POST request by using an HTTP header analyzer on a form received from the web server.

The hidden-parameter command lets you specify a hidden parameter that the web server requires in the authentication POST request. If you use a header analyzer, you can copy and paste the entire hidden parameter string, including any encoded URL parameters.

For ease of entry, you can enter a hidden parameter on multiple, sequential lines. The ASA then concatenates the lines into a single hidden parameter. While the maximum characters per hidden-parameter line is 255 characters, you can enter fewer characters on each line.


Note


Any question mark in the string must be preceded by a Ctrl+v escape sequence.

Examples

The following example shows a hidden parameter comprised of four form entries and their values, separated by &. Excerpted from the POST request, the four entries and their values are:

  • SMENC with a value of ISO-8859-1

  • SMLOCALE with a value of US-EN

  • target with a value of https%3A%2F%2Ftools.cisco.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG

  • smauthreason with a value of 0

SMENC=ISO-8859-1&SMLOCALE=US-EN&target=https%3A%2F%2Ftools.cisco.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG&smauthreason=0


ciscoasa(config)# aaa-server testgrp1 host example.com
ciscoasa(config-aaa-server-host)# hidden-parameter SMENC=ISO-8859-1&SMLOCALE=US-EN&targe
ciscoasa(config-aaa-server-host)# hidden-parameter t=https%3A%2F%2Ftools.cisco.com%2Femc
ciscoasa(config-aaa-server-host)# hidden-parameter o%2Fappdir%2FAreaRoot.do%3FEMCOPageCo
ciscoasa(config-aaa-server-host)# hidden-parameter de%3DENG&smauthreason=0
ciscoasa(config-aaa-server-host)# 
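The following script is an added example, not Cisco code or part of this command reference. It performs the discovery step described in the usage guidelines by parsing the hidden inputs out of the server's login form rather than reading them from a header analyzer, URL-encodes them into the single string the ASA must POST, and splits that string into sequential hidden-parameter lines that respect the 255-character line limit and the 2048-character total. The login form is constructed to match the four hidden fields of the example above; its action URL and the USER and PASSWORD fields are assumptions.

```python
"""Build ASA hidden-parameter lines from a captured SSO login form.

Added example, not Cisco code. The form below is constructed so that its
hidden inputs match the SMENC / SMLOCALE / target / smauthreason fields of
the command reference example; a real form would be saved from the
authenticating web server or taken from a header-analyzer capture.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

MAX_LINE = 255    # maximum characters per hidden-parameter line
MAX_TOTAL = 2048  # maximum characters for the complete hidden parameter

# Constructed sample form (action URL and visible fields are assumptions).
SAMPLE_FORM = """
<form method="POST" action="/siteminderagent/forms/login.fcc">
  <input type="hidden" name="SMENC" value="ISO-8859-1">
  <input type="hidden" name="SMLOCALE" value="US-EN">
  <input type="hidden" name="target"
         value="https://tools.cisco.com/emco/appdir/AreaRoot.do?EMCOPageCode=ENG">
  <input type="hidden" name="smauthreason" value="0">
  <input type="text" name="USER">
  <input type="password" name="PASSWORD">
  <input type="submit" value="Login">
</form>
"""


class HiddenInputCollector(HTMLParser):
    """Collect (name, value) pairs of <input type="hidden"> in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # html.parser lowercases attribute names, not values
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields.append((a["name"], a.get("value") or ""))


def hidden_fields(form_html):
    """Return the hidden (name, value) pairs found in the form."""
    parser = HiddenInputCollector()
    parser.feed(form_html)
    return parser.fields


def build_hidden_parameter(form_html):
    """Return the application/x-www-form-urlencoded string to configure.

    urlencode percent-encodes ':', '/', '?' and '=' inside values, which is
    why the target URL appears as https%3A%2F%2F... in the ASA configuration.
    """
    encoded = urlencode(hidden_fields(form_html))
    if len(encoded) > MAX_TOTAL:
        raise ValueError(f"hidden parameter is {len(encoded)} chars; limit is {MAX_TOTAL}")
    return encoded


def split_lines(param, width=MAX_LINE):
    """Split into sequential chunks of at most `width` chars; the ASA concatenates them."""
    if not 1 <= width <= MAX_LINE:
        raise ValueError(f"width must be between 1 and {MAX_LINE}")
    return [param[i:i + width] for i in range(0, len(param), width)]


def needs_ctrl_v(line):
    """True if the line holds a literal '?', which the ASA CLI reads as a help request."""
    return "?" in line


def cli_lines(form_html, width=MAX_LINE):
    """Render the hidden-parameter commands to enter in aaa-server-host mode."""
    chunks = split_lines(build_hidden_parameter(form_html), width)
    return ["hidden-parameter " + chunk for chunk in chunks]


if __name__ == "__main__":
    # width=37 reproduces the four-line split shown in the example above.
    for line in cli_lines(SAMPLE_FORM, width=37):
        flag = "   <-- precede '?' with Ctrl+v" if needs_ctrl_v(line) else ""
        print(line + flag)
```

Because percent-encoding turns every question mark into %3F, the Ctrl+v escape is normally only needed when a raw, unencoded value is pasted; the needs_ctrl_v check flags that case before the line reaches the CLI.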

hidden-shares

To control the visibility of hidden shares for CIFS files, use the hidden-shares command in group-webvpn configuration mode. To remove the hidden shares option from the configuration, use the no form of this command.

hidden-shares { none | visible }

[ no ] hidden-shares { none | visible }

Syntax Description

none

Specifies that no configured hidden shares are visible or accessible to users.

visible

Reveals hidden shares, making them accessible to users.

Command Default

The default behavior for this command is none.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-webvpn configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

A hidden share is identified by a dollar sign ($) at the end of the share name. For example, drive C is shared as C$. With hidden shares, a shared folder is not displayed, and users are restricted from browsing or accessing these hidden resources.

The no form of the hidden-shares command removes the option from the configuration and disables hidden shares as a group policy attribute.

Examples

The following example makes hidden CIFS shares visible to WebVPN users of the group policy named GroupPolicy2:


ciscoasa(config)# group-policy GroupPolicy2 attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# hidden-shares visible
ciscoasa(config-group-webvpn)#

hold-time

To specify the hold time advertised by the ASA in EIGRP hello packets, use the hold-time command in interface configuration mode. To return the hold time to the default value, use the no form of this command.

hold-time eigrp as-number seconds

no hold-time eigrp as-number seconds

Syntax Description

as-number

The autonomous system number of the EIGRP routing process.

seconds

Specifies the hold time, in seconds. Valid values are from 1 to 65535 seconds.

Command Default

The default is 15 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

This value is advertised in the EIGRP hello packets sent by the ASA. The EIGRP neighbors on that interface use this value to determine the availability of the ASA. If they do not receive a hello packet from the ASA during the advertised hold time, the EIGRP neighbors will consider the ASA to be unavailable.

On very congested and large networks, the default hold time might not be sufficient time for all routers and access servers to receive hello packets from their neighbors. In this case, you may want to increase the hold time.

We recommend that the hold time be at least three times the hello interval. If the ASA does not receive a hello packet within the specified hold time, routes through this neighbor are considered unavailable.

Increasing the hold time delays route convergence across the network.

Examples

The following example sets the EIGRP hello interval to 10 seconds and the hold time to 30 seconds:


ciscoasa(config-if)# hello-interval eigrp 100 10
ciscoasa(config-if)# hold-time eigrp 100 30

homepage

To specify a URL for the web page that displays upon login for this WebVPN user or group policy, use the homepage command in webvpn configuration mode. To remove a configured home page, including a null value created by issuing the homepage none command, use the no form of this command.

homepage { value url-string | none }

no homepage

Syntax Description

none

Indicates that there is no WebVPN home page. Sets a null value, thereby disallowing a home page. Prevents inheriting a home page.

value url-string

Provides a URL for the home page. The string must begin with either http:// or https://.

Command Default

There is no default home page.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

To specify a home page URL for users associated with the group policy, enter a value for the URL string in this command. To inherit a home page from the default group policy, use the no form of the command; the no option allows inheritance of a value from another group policy. To prevent inheriting a home page, use the homepage none command.

Clientless users are immediately brought to this page after successful authentication. Secure Client launches the default web browser to this URL upon successful establishment of the VPN connection. On Linux platforms, Secure Client does not currently support this command and ignores it.

Examples

The following example shows how to specify www.example.com as the home page for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# homepage value http://www.example.com

homepage use-smart-tunnel

To allow the group policy home page to use the smart tunnel feature when clientless SSL VPN is used, use the homepage use-smart-tunnel command in the group-policy webvpn configuration mode.

homepage { value url-string | none }

homepage use-smart-tunnel

Syntax Description

none

Indicates that there is no WebVPN home page. Sets a null value, thereby disallowing a home page. Prevents inheriting a home page.

value url-string

Provides a URL for the home page. The string must begin with either http:// or https://.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.3(1)

This command was added.

Usage Guidelines

You can use the HTTP capture tool to monitor the browser session and verify that the smart tunnel was initiated during the WebVPN connection. What you see in the browser capture shows whether the request is forwarded to the web page without degradation and whether the smart tunnel is used. If you see something like https://172.16.16.23/+CSCOE+portal.html, the +CSCO* indicates that the content is rewritten by the ASA. When the smart tunnel is initiated, you see an HTTP GET request to the specific URL without the +CSCO* (such as GET 200 html http://mypage.example.com).

Examples

If you consider a case where Vendor V wants to provide Partner P with clientless access to their internal inventory server pages, Vendor V’s administrator must decide the following:

  • Will users have access to the inventory pages after they log into a clientless SSL VPN, whether or not they go through the clientless portal?

  • Will the smart tunnel be a good choice for access because the page includes a Microsoft Silverlight component?

  • Is a tunnel-all policy unsuitable? Once the browser has been tunneled, a tunnel-all policy forces all browser traffic through Vendor V’s ASA, leaving Partner P’s users with no access to their own internal resources.

With the assumption that inventory pages are hosted at inv.example.com (10.0.0.0), the following example creates a tunnel policy that contains only one host:


ciscoasa(config-webvpn)# smart-tunnel network inventory ip 10.0.0.0
ciscoasa(config-webvpn)# smart-tunnel network inventory host inv.example.com

The following example applies a tunnel-specified tunnel policy to the partner’s group policy:


ciscoasa(config-group-webvpn)# smart-tunnel tunnel-policy tunnelspecified inventory

The following example specifies the group policy home page and enables a smart tunnel on it:


ciscoasa(config-group-webvpn)# homepage value http://inv.example.com
ciscoasa(config-group-webvpn)# homepage use-smart-tunnel

host (network object)

To configure a host for a network object, use the host command in object network configuration mode. To remove the host from the object, use the no form of this command.

host ip_address

no host ip_address

Syntax Description

ip_address

Identifies the host IP address for the object, either IPv4 or IPv6.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Object configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.3(1)

This command was added.

Usage Guidelines

If you configure an existing network object with a different IP address, the new configuration will replace the existing configuration.

Examples

The following example shows how to create a host network object:


ciscoasa (config)# object network OBJECT1
ciscoasa (config-network-object)# host 10.1.1.1

host (parameters)

To specify a host to interact with using RADIUS accounting, use the host command in radius-accounting parameter configuration mode, which is accessed by using the parameters command in the policy-map type inspect radius-accounting submode. To disable the specified host, use the no form of this command.

host address [ key secret ]

no host address [ key secret ]

Syntax Description

host

Specifies a single endpoint sending the RADIUS accounting messages.

address

The IP address of the client or server sending the RADIUS accounting messages.

key

Optional keyword to specify the secret of the endpoint sending the gratuitous copy of the accounting messages.

secret

The shared secret key of the endpoint sending the accounting messages used to validate the messages. This can be up to 128 alphanumeric characters.

Command Default

The no option is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Radius-accounting parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

Multiple instances of this command are allowed.

Examples

The following example shows how to specify a host with RADIUS accounting:


ciscoasa(config)# policy-map type inspect radius-accounting ra
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# host 209.165.202.128 key cisco123

hostname

To set the ASA hostname, use the hostname command in global configuration mode. To restore the default hostname, use the no form of this command.

hostname name

no hostname [ name ]

Syntax Description

name

Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.

Command Default

The default hostname depends on your platform.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple