Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
Guidelines for Cisco TrustSec
Example:
hostname(config)# cts sxp default password 8 IDFW-TrustSec-99
Configuring an encryption level for the password is optional. If you configure an encryption level, you
can only set one level:
• Level 0—unencrypted cleartext
• Level 8—encrypted text
The password argument specifies an encrypted string of up to 162 characters or an ASCII key string up to 80 characters.
Step 4
Specify the default time interval between ASA attempts to set up new SXP connections between SXP
peers.
cts sxp retry period timervalue
Example:
hostname(config)# cts sxp retry period 60
The ASA continues to make connection attempts until a successful connection is made. The retry timer
is triggered as long as there is one SXP connection on the ASA that is not up.
The timervalue argument ranges from 0 to 64000 seconds. The default is 120 seconds. If you specify 0 seconds, the timer never expires and the ASA does not try to connect to SXP peers.
When the retry timer expires, the ASA goes through the connection database and if the database contains
any connections that are off or in a “pending on” state, the ASA restarts the retry timer.
We recommend that you configure the retry timer to a different value from its SXP peer devices.
Step 5
Specify the value of the default reconcile timer.
cts sxp reconciliation period timervalue
Example:
hostname(config)# cts sxp reconciliation period 60
After an SXP peer terminates its SXP connection, the ASA starts a hold-down timer.
If an SXP peer connects while the hold-down timer is running, the ASA starts the reconcile timer; then
the ASA updates the SXP mapping database to learn the latest mapping.
When the reconcile timer expires, the ASA scans the SXP mapping database for stale mapping entries (entries learned in a previous connection session that the peer did not re-advertise), marks them as obsolete, and removes them from the SXP mapping database.
The timervalue argument ranges from 1 to 64000 seconds. The default is 120 seconds.
You cannot specify 0 seconds for the timer, because this value prevents the reconcile timer from starting.
Not allowing the reconcile timer to run would keep stale entries for an undefined time and cause
unexpected results from policy enforcement.
Examples
The following example shows how to set default values for SXP:
hostname(config)# cts sxp enable
hostname(config)# cts sxp default source-ip 192.168.1.100
hostname(config)# cts sxp default password 8 ********
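The following configuration fragment is added here as an illustration and is not part of the original guide. It strings together Steps 1 through 5 on one ASA, using the values shown in the examples above, and applies the recommendation that the retry timer differ from the value used on the SXP peer (the 60-second ASA value versus an assumed 120-second default on the peer). The two show commands at the end are assumed to be available on the ASA for verifying the result; confirm them against the monitoring section of this guide.

```text
! Assumed lab values: source IP 192.168.1.100, the password string from the
! Step 3 example, and a peer that keeps the default 120-second retry period.
hostname(config)# cts sxp enable
hostname(config)# cts sxp default source-ip 192.168.1.100
hostname(config)# cts sxp default password 8 IDFW-TrustSec-99
! Step 4: retry period deliberately different from the peer's 120 seconds
hostname(config)# cts sxp retry period 60
! Step 5: never 0; stale mappings would otherwise persist and be enforced
hostname(config)# cts sxp reconciliation period 60
! Assumed verification commands (check the monitoring section of this guide)
hostname# show cts sxp connections
hostname# show cts sxp sgt-map
```

Because reconciliation is what purges mappings learned in an earlier session, a value that is too large lets an IP-to-SGT binding outlive the host that owned it, and traffic from a new host at that address can inherit the old SGT until the timer fires.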