ASA: No VPN Timeout if No Group-Policy configured?

Dean Romanelli
Level 4

Hi All,

If I don't have a group-policy configured & applied to my tunnel-group in my ASA, does the VPN tunnel ever time out, or will it stay up infinitely?

I find that at my sites where I have a group-policy configured and applied to my tunnel-group, the tunnel times out due to the default session and idle timeout values in the group policy, and my SNMP system gets an alarm. At the sites where there are no group policies configured on the tunnel groups, I never get tunnel alarms.

I'm guessing this is because the Session disconnected log messages that trigger my SNMP system to alarm don't come through unless group policies are configured?

3/24/2015 9:05 AM : ASA-4-113019  Mar 24 2015 09:05:24 FWCore-VPN5510 : %ASA-4-113019: Group = 87.xxx.xx.55, Username = 87.xxx.xx.55, IP = 28.xxx.xxx.174, Session disconnected. Session Type: LAN-to-LAN, Duration: 6h:31m:49s, Bytes xmt: 503343396, Bytes rcv: 66693834, Reason: Idle Timeout.

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

Seems to be expected because of these values in the Default Group Policy:

 vpn-idle-timeout 30
 vpn-session-timeout none

 split-tunnel-policy tunnelall

Also, note: when you have tunnel-all configured, you do not need to configure idle-timeout because, even if you configure vpn-idle-timeout, it will not work, because all traffic is going through the tunnel (since tunnel-all is configured). Therefore, the interesting traffic (or even the traffic generated by the PC) will be interesting and will not let idle-timeout come into action.

Thanks and Regards,

Vibhor Amrodia
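The %ASA-4-113019 line quoted in the question is what the SNMP system alarms on, and with the default group-policy (vpn-idle-timeout 30) an "Idle Timeout" disconnect on a LAN-to-LAN tunnel is expected rather than a fault. The following is an added example, not code from the thread or from Cisco: it parses 113019 lines into fields, converts the Duration to seconds, and separates the expected idle-timeout disconnects from any other reason that still merits an alarm. The field order follows the log line in the question; the optional "Nd " day prefix in Duration and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Field order follows the %ASA-4-113019 line quoted in the question; the optional
# "Nd " day prefix in Duration is an assumption for sessions longer than a day.
_MSG_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>[^.]+)\.?\s*$"
)
_DUR_RE = re.compile(r"^(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s$")


def duration_seconds(text):
    """Convert an ASA duration such as '6h:31m:49s' to seconds."""
    m = _DUR_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_disconnect(line):
    """Return a dict of fields for a 113019 line, or None for any other line."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    return {"group": m["group"], "user": m["user"], "ip": m["ip"],
            "session_type": m["stype"].strip(), "reason": m["reason"].strip(),
            "duration_s": duration_seconds(m["duration"]),
            "bytes_xmt": int(m["xmt"]), "bytes_rcv": int(m["rcv"])}


def triage(lines, expected_reasons=("Idle Timeout",)):
    """Count disconnect reasons and return (counts, events worth an alarm).
    Idle Timeout is what the default group-policy produces, so it is filtered out."""
    events = [e for e in map(parse_disconnect, lines) if e]
    counts = Counter(e["reason"] for e in events)
    return counts, [e for e in events if e["reason"] not in expected_reasons]


# Constructed sample: the line from the question plus two made-up lines.
SAMPLE_LOG = [
    "Mar 24 2015 09:05:24 FWCore-VPN5510 : %ASA-4-113019: Group = 87.xxx.xx.55, "
    "Username = 87.xxx.xx.55, IP = 28.xxx.xxx.174, Session disconnected. Session Type: "
    "LAN-to-LAN, Duration: 6h:31m:49s, Bytes xmt: 503343396, Bytes rcv: 66693834, Reason: Idle Timeout.",
    "Mar 24 2015 10:12:01 FWCore-VPN5510 : %ASA-4-113019: Group = 203.0.113.9, "
    "Username = 203.0.113.9, IP = 198.51.100.7, Session disconnected. Session Type: "
    "LAN-to-LAN, Duration: 0h:02m:11s, Bytes xmt: 1200, Bytes rcv: 0, Reason: Lost Service.",
    "Mar 24 2015 10:12:05 FWCore-VPN5510 : %ASA-6-302013: Built inbound TCP connection",
]
```

Calling `triage(SAMPLE_LOG)` on the constructed sample counts one Idle Timeout and one Lost Service, and returns only the Lost Service event as the one to alarm on.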
