cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

618
Views
0
Helpful
19
Replies
Highlighted
Beginner

vpn-idle-timeout 1, VPN will never be disconnected.

The timeout setting for a VPN group is 1 minute.

vpn-idle-timeout 1

However, even after one minute, the VPN will never be disconnected.

What configuration do need?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
VIP Rising star

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi,

Yes, session timeout will terminate VPN session as per the minutes you set. As per the config Idle timeout of VPN is set to 1 min and your are facing issue that VPN is not getting disconnected after 1 min right...??

Did you check the inactivity time of a anyconnect user  "sh vpn-sessiondb anyconnect filter name XXXX" 

If the inactivity reaches 1 min then VPN will get disconnected.  

#sh vpn-sessiondb anyconnect filter name abheesh

Session Type: AnyConnect

Username : abheesh Index : 2789
Assigned IP : XX.XX.XX.XX Public IP : XX.XX.XX.XX
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 216584 Bytes Rx : 96473
Group Policy : XX.XX.XX.XX-POLICY
Tunnel Group : XX.XX.XX.XX-PROFILE
Login Time : 11:17:58 QA Sat Feb 29 2020
Duration : 0h:00m:40s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Security Grp : none

Hope This Helps

Abheesh

View solution in original post

Highlighted
VIP Engager

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi I have just test this. even though i set my idel-timeout 1. but it took anyconnect to discounted in 3minutes. what i noted is you have to make sure the anyconnect which is install on the machine is not sending/receiving any traffic at all. which mean the machine need to be in silent mode in order to not sending any noise toward anyconnect. if it is sending receving traffic it wound not discount from ASA.

 

110.PNG

please do not forget to rate.

View solution in original post

19 REPLIES 19
Highlighted
VIP Engager

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Is this anyconnect or for site-to-site vpn?

please do not forget to rate.
Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

remote vpn, anyconnect
Highlighted
VIP Rising star

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi,
Try adding vpn-session-timeout value under group policy and check.

Hope This Helps

Abheesh

Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

I added a config and tried the test several times.
But VPN don't disconnect.

VPN-ASA-IMSI# sh run group-policy
group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
wins-server none
vpn-idle-timeout 1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IMSI_Tunnel
webvpn
anyconnect profiles value VPN_IMSI type user
Highlighted
VIP Engager

Re: vpn-idle-timeout 1, VPN will never be disconnected.

here vpn-session-timeout 1 value under group policy and test it

please do not forget to rate.
Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

I added a config and tried the test several times.
But VPN don't disconnect.

VPN-ASA-IMSI# sh run group-policy
group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
wins-server none
vpn-idle-timeout 1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IMSI_Tunnel
webvpn
anyconnect profiles value VPN_IMSI type user
Highlighted
VIP Engager

Re: vpn-idle-timeout 1, VPN will never be disconnected.

okay try change the default-group idle-timout

 

group-policy DfltGrpPolicy attributes
vpn-idle-timeout 1

please do not forget to rate.
Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 1
group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
 wins-server none
 vpn-idle-timeout 1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_IMSI_Tunnel
 webvpn
  anyconnect profiles value VPN_IMSI type user

 

After setting the monitor for 5 minutes, the VPN cannot be disconnected.

Highlighted
VIP Engager

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi I have just test this. even though i set my idel-timeout 1. but it took anyconnect to discounted in 3minutes. what i noted is you have to make sure the anyconnect which is install on the machine is not sending/receiving any traffic at all. which mean the machine need to be in silent mode in order to not sending any noise toward anyconnect. if it is sending receving traffic it wound not discount from ASA.

 

110.PNG

please do not forget to rate.

View solution in original post

Highlighted
VIP Rising star

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi, Change like below and test.

group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
wins-server none
vpn-idle-timeout 1
vpn-session-timeout 1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IMSI_Tunnel

Hope This Helps

Abheesh

Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

session-timeout : disconnects even when a tunnel is in use.
I'm right ??
I want to disconnect the VPN when not in use.
Highlighted
VIP Rising star

Re: vpn-idle-timeout 1, VPN will never be disconnected.

Hi,

Yes, session timeout will terminate VPN session as per the minutes you set. As per the config Idle timeout of VPN is set to 1 min and your are facing issue that VPN is not getting disconnected after 1 min right...??

Did you check the inactivity time of a anyconnect user  "sh vpn-sessiondb anyconnect filter name XXXX" 

If the inactivity reaches 1 min then VPN will get disconnected.  

#sh vpn-sessiondb anyconnect filter name abheesh

Session Type: AnyConnect

Username : abheesh Index : 2789
Assigned IP : XX.XX.XX.XX Public IP : XX.XX.XX.XX
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 216584 Bytes Rx : 96473
Group Policy : XX.XX.XX.XX-POLICY
Tunnel Group : XX.XX.XX.XX-PROFILE
Login Time : 11:17:58 QA Sat Feb 29 2020
Duration : 0h:00m:40s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Security Grp : none

Hope This Helps

Abheesh

View solution in original post

Highlighted
Beginner

Re: vpn-idle-timeout 1, VPN will never be disconnected.

You're right. I finished all the Windows processes with VPN connected and monitored without doing anything. No solution?
Highlighted
VIP Rising star

Re: vpn-idle-timeout 1, VPN will never be disconnected.

can you share the output of "sh vpn-sessiondb anyconnect filter name XXXX"