Any way to force a disconnect for a client VPN connection?

sealyc
Conversationalist

Any way to force a disconnect for a client VPN connection?

I hope I am not being dense. The way I understand connections through the MX is once a connection is made it is kept alive until one end drops the connection. Is there anyway to force the drop from the MX end other than disconnecting the WAN?

 

For instance, a user has their VPN connection active through the MX and I want to disconnect them from my side. Say a user is being terminated or a malicious entity has somehow gotten in through one of the connected clients. Is there anyway to drop their traffic?

 

I tried through a Layer 3 rule, denying traffic from their IP, but the session was already connected and the endpoint still showed traffic. Luckily this time it was a test.

 

Thanks for any light you can shine...

8 REPLIES 8
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't think you can.

mmmmmmark
Building a reputation

I've tested this just now and it works, if you goto the devices, find their device and give them the policy of blocked, it will leave them connected to the VPN but they won't be able to actually do anything.

The only way I can think of would be reboot the MX unit which is a really drastic approach. You could also disable VPN and then re-enable it I suppose. 

 

Being able to kill a connection should be a feature, I suggest you use the make a wish feature. I'll do the same as well. 

Thank you, yes, I can't imagine I am the first person to think of this, perhaps it is innate to all firewalls?

sealyc
Conversationalist

Thank you, this was my thought as well. I am glad you were able to test it.

That is exactly what I was thinking (With adding the "Block" Policy), but as for security concerns, you would think Meraki would be able to click on a client and disconnect that VPN connection from the MX. 

Marcel_Smal
Comes here often

Is this still an issue?

 

So you cant force a vpn user to disconnect when they made a connection?

JasonUMCES
New here

Bumping this. I'd like to be able to manually disconnect users.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels