Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
362
Views
0
Helpful
2
Replies

Lock and key Timeout

Go to solution
lavella
Level 1
Level 1

‎10-25-2002 06:26 AM - edited ‎03-09-2019 12:49 AM

Hi,

We have a 3640 configured with Lock-and-key Security (Dynamic Access List)

Installed IOS is:c3640-is40-mz_120-2a.bin

Here a extract of the config:

aaa authentication login user tacacs+

access-list 158 dynamic coxa permit ip any any

access-list 158 permit tcp any host 172.16.1.1 eq telnet

interface Serial3/1.1 point-to-point

ip unnumbered Loopback199

ip access-group 158 in

bandwidth 512

frame-relay interface-dlci 19

!

line vty 0 1

login authentication user

autocommand access-enable host timeout 30

It seems that the idle timeout defined in autocommand config is never refreshed.

The users are getting disconnected after 30 minutes, even if they are doing interesting traffic.

In the same router we have also dialers.

Dynamic access lists are working well with dialer: dyn access lists disappear only after 30 min of inactivity (I have noticed it with the show access-lists command).

Is this a known bug or something else?

Thanks,

Eng. Leonardo Avella

CCNP Cisco Certified Network Professional

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
steve.barlow
Level 7
Level 7

‎10-25-2002 09:38 AM

Idle timeout works on the access-enable command like you have it and the absolute timeout (the max time limit for each entry within this dynamic list) works on the access-list (eg access-list 101 dynamic test timeout 6 permit ip any any).

Try:

line VTY 0 4

autocommand access-enable timeout 5 (remove the host keyword)

If that doesn't work:

-use login local, do they get disconnected?

-don't put any timeout (default is no timeout - connected indefinitely until manually cleared - for testing only), do they still get disconnected?

As a side note sounds similar to a bug for the as5300: CSCdu30577

Hope it helps.

Steve

View solution in original post

0 Helpful
2 Replies 2

Go to solution
steve.barlow
Level 7
Level 7

‎10-25-2002 09:38 AM

Idle timeout works on the access-enable command like you have it and the absolute timeout (the max time limit for each entry within this dynamic list) works on the access-list (eg access-list 101 dynamic test timeout 6 permit ip any any).

Try:

line VTY 0 4

autocommand access-enable timeout 5 (remove the host keyword)

If that doesn't work:

-use login local, do they get disconnected?

-don't put any timeout (default is no timeout - connected indefinitely until manually cleared - for testing only), do they still get disconnected?

As a side note sounds similar to a bug for the as5300: CSCdu30577

Hope it helps.

Steve

0 Helpful

Go to solution
lavella
Level 1
Level 1
In response to steve.barlow

‎10-30-2002 12:03 AM

Hi,

Probably IOS c3640-is40-mz_120-2a.bin (IP PLUS 40) has the same bug you showed me for the AS5300.

We upgraded to ver 12.0.(24) and the problem seems solved.

Thank you very much,

Leonardo Avella

CCNP - Cisco Certified Network Professional

0 Helpful
Customers Also Viewed These Support Documents