02-27-2020 12:19 AM
The timeout setting for a VPN group is 1 minute.
vpn-idle-timeout 1
However, even after one minute, the VPN will never be disconnected.
What configuration do I need?
02-29-2020 12:17 AM - edited 02-29-2020 12:20 AM
Hi,
Yes, session timeout will terminate the VPN session as per the minutes you set. As per the config, the idle timeout of the VPN is set to 1 min and you are facing the issue that the VPN is not getting disconnected after 1 min, right?
Did you check the inactivity time of an AnyConnect user with "sh vpn-sessiondb anyconnect filter name XXXX"?
If the inactivity reaches 1 min, then the VPN will get disconnected.
#sh vpn-sessiondb anyconnect filter name abheesh
Session Type: AnyConnect
Username : abheesh Index : 2789
Assigned IP : XX.XX.XX.XX Public IP : XX.XX.XX.XX
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 216584 Bytes Rx : 96473
Group Policy : XX.XX.XX.XX-POLICY
Tunnel Group : XX.XX.XX.XX-PROFILE
Login Time : 11:17:58 QA Sat Feb 29 2020
Duration : 0h:00m:40s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Security Grp : none
Hope This Helps
Abheesh
02-29-2020 01:44 AM
Hi, I have just tested this. Even though I set my idle-timeout to 1, it took AnyConnect 3 minutes to disconnect. What I noted is that you have to make sure the AnyConnect client installed on the machine is not sending/receiving any traffic at all, which means the machine needs to be in silent mode so that it does not send any noise toward AnyConnect. If it is sending or receiving traffic, it would not disconnect from the ASA.
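One way to check what the replies above describe, as an added example that is not part of the original thread: it parses pasted `show vpn-sessiondb anyconnect` text and compares each session's Inactivity counter with the configured vpn-idle-timeout. The sample output, usernames and status labels are constructed, and the optional day prefix on durations is an assumption.

```python
import re
from datetime import timedelta

# Constructed sample using the field names shown in the thread; values are made up.
SAMPLE = """\
Session Type: AnyConnect
Username     : alice                  Index        : 101
Duration     : 0h:12m:40s
Inactivity   : 0h:00m:00s

Username     : bob                    Index        : 102
Duration     : 1h:05m:10s
Inactivity   : 0h:03m:20s
"""

# "0h:00m:40s" as in the thread; the leading "Nd " part is an assumption.
_DUR = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")

def parse_duration(text):
    m = _DUR.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def parse_sessions(output):
    """Return one dict per session with username, duration and inactivity."""
    sessions, cur = [], None
    for line in output.splitlines():
        m = re.match(r"\s*Username\s*:\s*(\S+)", line)
        if m:  # a Username line starts a new session record
            cur = {"username": m.group(1)}
            sessions.append(cur)
            continue
        m = re.match(r"\s*(Duration|Inactivity)\s*:\s*(.+)", line)
        if m and cur is not None:
            cur[m.group(1).lower()] = parse_duration(m.group(2))
    return sessions

def classify(sessions, idle_timeout_min):
    """Label each session relative to vpn-idle-timeout (in minutes)."""
    limit, zero, report = timedelta(minutes=idle_timeout_min), timedelta(0), {}
    for s in sessions:
        if s.get("inactivity", zero) >= limit:
            report[s["username"]] = "overdue"      # idle past the timeout, still listed
        elif s.get("duration", zero) > limit:
            report[s["username"]] = "kept-alive"   # traffic keeps resetting Inactivity
        else:
            report[s["username"]] = "within-timeout"
    return report
```

A session reported as "kept-alive" matches the behaviour noted in the thread: traffic through the tunnel keeps the Inactivity counter below the idle timeout.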
02-27-2020 12:26 AM
Is this anyconnect or for site-to-site vpn?
02-27-2020 12:31 AM
02-27-2020 12:44 AM
Hi,
Try adding vpn-session-timeout value under group policy and check.
Hope This Helps
Abheesh
02-27-2020 12:56 AM
02-27-2020 12:50 AM
here vpn-session-timeout 1 value under group policy and test it
02-27-2020 12:57 AM
02-27-2020 01:03 AM
Okay, try changing the default-group idle-timeout:
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 1
02-27-2020 01:19 AM
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 1
group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
 wins-server none
 vpn-idle-timeout 1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_IMSI_Tunnel
 webvpn
  anyconnect profiles value VPN_IMSI type user
After setting the monitor for 5 minutes, the VPN cannot be disconnected.
02-27-2020 01:06 AM
Hi, Change like below and test.
group-policy GroupPolicy_VPN_IMSI internal
group-policy GroupPolicy_VPN_IMSI attributes
 wins-server none
 vpn-idle-timeout 1
 vpn-session-timeout 1
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_IMSI_Tunnel
Hope This Helps
Abheesh
02-27-2020 01:13 AM
02-29-2020 12:37 AM
02-29-2020 12:48 AM