PPTP inactivity time-out

jdepies
Level 1

Hello,

I am running 6.3.3 with PPTP used heavily. I want to make sure any sessions that remain inactive for more than, say, 30 minutes are terminated. By inactive I mean no traffic in either direction, even if the keepalives are good.

I currently have the pptp echo command set at 60 seconds, but I believe that only terminates the tunnel if the keep alives are not received back from the client.

I have several users who forget to disconnect their PPTP client, and remain VPNed in for days at a time. I want their connections to close after 30 minutes of inactivity.

Is this possible?

Thanks a lot

Jeff

8 Replies

ehirsel
Level 6

The only PIX command that I am aware of that may help you achieve what you want is this one:

timeout uauth hh:mm:ss absolute

It will force the user to re-authenticate every interval - you can set it for 4 or 8 hours, which should be reasonable for most user connections. I am not sure of the max. value, but it is not an idle timer; however, it should be good enough.

Let me know if this helps.

Thanks for the reply, however our PIX is already configured (and it appears to be the default) with timeout uauth 00:05:00 absolute, but our users are not kicked off after 5 minutes like this command is supposed to do.

Jeff

Please run the show timeout command and post the results here. The uauth timer has to be shorter than the xlate timers, and when absolute is in effect it won't take effect until the user starts a new session - unlikely to happen with PPTP users. This is taken from the pix 6.3 command ref. for timeout.

What may be better is to turn off pptp-echo and to configure the uauth inactivity timer to 4 or 8 hours, or whatever idle time is appropriate for your environment.

I don't know, when pptp echo is configured, how often it runs, but it will reset the idle timer when the client responds. You don't want the echoes to keep the session alive - wait until the user sends some interesting traffic. Note that some telnet sessions can be configured to send keepalives, so telnet over PPTP can defeat the uauth inactivity timer.

timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

I tried to remove the pptp echo command from our VPDN group, but you cannot.

Thanks

Jeff
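
Added example, not part of the original thread and not Cisco code: a small Python check that parses `show timeout` output like the lines posted above and tests the two conditions raised in the reply (uauth shorter than xlate, and whether an inactivity-mode uauth timer exists at all). The function names and the 30-minute target (taken from the original question) are assumptions of this example.

```python
import re
HMS = re.compile(r"\d+:\d{2}:\d{2}")
# The "show timeout" lines posted in this thread, embedded as sample input.
SAMPLE = """\
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
"""

def to_seconds(hms):
    h, m, s = (int(p) for p in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_timeouts(text):
    """Return ({timer: seconds}, {uauth_mode: seconds}) from 'timeout' lines."""
    timers, uauth = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "timeout":
            continue
        i = 1
        while i + 1 < len(tok):
            name, value = tok[i], tok[i + 1]
            if not HMS.fullmatch(value):
                i += 1          # not a name/value pair, resynchronise
                continue
            i += 2
            if name != "uauth":
                timers[name] = to_seconds(value)
                continue
            mode = "unspecified"  # mode keyword may be absent from the line
            if i < len(tok) and tok[i] in ("absolute", "inactivity"):
                mode, i = tok[i], i + 1
            uauth[mode] = to_seconds(value)
    return timers, uauth

def audit(text, wanted_idle=30 * 60):  # 30 minutes, as asked in the thread
    timers, uauth = parse_timeouts(text)
    findings = []
    xlate = timers.get("xlate")
    for mode, secs in uauth.items():
        if xlate is not None and secs >= xlate:
            findings.append(f"uauth {mode} {secs}s is not shorter than xlate {xlate}s")
    if "inactivity" not in uauth:
        findings.append("no uauth inactivity timer configured")
    elif uauth["inactivity"] > wanted_idle:
        findings.append(f"uauth inactivity {uauth['inactivity']}s exceeds {wanted_idle}s")
    return findings
```

Run against the posted output, `audit(SAMPLE)` reports only the missing inactivity timer: the 5-minute uauth value is shorter than xlate, but it is in absolute mode.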

Any other ideas? Maybe someone from Cisco can chime in?

Thanks so much

Jeff

Anything? Please?

Anyone?

Thanks!