https://community.cisco.com/t5/network-security/exec-timeout-doesn-t-seem-to-work/m-p/2434656#M921982 <P>I've been having a devil of a time getting exec-timeout to clear idle vty/ssh sessions. This investigation started when we were rolling out new Catalyst 4507R+E switches with Sup7L-E's under IOS XE&nbsp;03.04.02.SG (what they shipped from the factory with.) Idle SSH sessions on the vty lines were not being cleared, despite the config being:</P><P>line vty 0 4<BR />&nbsp;access-class VTY_ACL in<BR />&nbsp;exec-timeout 30 0<BR />&nbsp;logging synchronous<BR />&nbsp;length 0<BR />&nbsp;transport input ssh</P><P>So I opened a TAC case, and eventually they referred to bug&nbsp;CSCug31122. This wasn't terribly satisfying, as we are not talking about new or revolutionary functionality, and a general distribution release on a mature platform. Clearing an idle session does not require the most sophisticated programmer at Cisco. But this led me to do more tests, and I have yet to find a hardware/IOS combination where this works correctly. So far I have failures for:</P><P>4507R+E/Sup7L-E/IOS&nbsp;XE&nbsp;03.04.02.SG, both vty and console lines</P><P>3560/12.2(40)SE, vty lines with ssh</P><P>3750/12.2(44)SE6, vty lines with both telnet and ssh</P><P>3845/12.4(24)T6</P><P>This seems more than coincidence. Is there something I am missing, or is this an unusually complicated programming issue?</P> Fri, 21 Feb 2020 13:07:26 GMT gkuzmowycz 2020-02-21T13:07:26Z https://community.cisco.com/t5/network-security/exec-timeout-doesn-t-seem-to-work/m-p/2434656#M921982 <P>I've been having a devil of a time getting exec-timeout to clear idle vty/ssh sessions. This investigation started when we were rolling out new Catalyst 4507R+E switches with Sup7L-E's under IOS XE&nbsp;03.04.02.SG (what they shipped from the factory with.) Idle SSH sessions on the vty lines were not being cleared, despite the config being:</P><P>line vty 0 4<BR />&nbsp;access-class VTY_ACL in<BR />&nbsp;exec-timeout 30 0<BR />&nbsp;logging synchronous<BR />&nbsp;length 0<BR />&nbsp;transport input ssh</P><P>So I opened a TAC case, and eventually they referred to bug&nbsp;CSCug31122. This wasn't terribly satisfying, as we are not talking about new or revolutionary functionality, and a general distribution release on a mature platform. Clearing an idle session does not require the most sophisticated programmer at Cisco. But this led me to do more tests, and I have yet to find a hardware/IOS combination where this works correctly. So far I have failures for:</P><P>4507R+E/Sup7L-E/IOS&nbsp;XE&nbsp;03.04.02.SG, both vty and console lines</P><P>3560/12.2(40)SE, vty lines with ssh</P><P>3750/12.2(44)SE6, vty lines with both telnet and ssh</P><P>3845/12.4(24)T6</P><P>This seems more than coincidence. Is there something I am missing, or is this an unusually complicated programming issue?</P> Fri, 21 Feb 2020 13:07:26 GMT https://community.cisco.com/t5/network-security/exec-timeout-doesn-t-seem-to-work/m-p/2434656#M921982 gkuzmowycz 2020-02-21T13:07:26Z