Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
563
Views
2
Helpful
0
Comments

Scheduled Termination of Anyconnect Users on ASA/FTD via EEM script

Salman Mahajan
Cisco Employee
Cisco Employee

on ‎05-04-2023 10:39 AM

On ASA/FTD ,  following connection parameters terminate the VPN session based on timeouts:

  • Maximum Connect Time—Sets the maximum user connection time in minutes. At the end of this time, the system terminates the connection. You can also allow unlimited connection time(default).

  • VPN Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. If the VPN idle timeout is not configured, then the default idle timeout is used.

  • Default Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. The default value is 30 minutes (or 1800 seconds) .

To Logoff all users at a specific time we can configure EEM Script ( Example below ) 

Note :- Incase of FTD , we would need to configure it through Flexconfig 

In below examples

  • We are defining absolute timer event .  Absolute (once-a-day) timers cause an event to occur once a day at a specified time, and restart automatically. The time-of-day format is in hh:mm:ss 

  • When an event manager applet is triggered based on absolute timer event , the actions on the event manager applet is performed  i-e logoff remote users at a specific time.

EXAMPLE 1:-  Event manager applet that Terminates the Users every day at 10:45PM

event manager applet Logoff
description Logoff every night
event timer absolute time 22:45:00
action 1 cli command "vpn-sessiondb logoff anyconnect noconfirm"
output none 

EXAMPLE 2 :- Event manager applet that Terminates the Users every day at 10:45PM and sends the output of the action commands to a new file for each event manager applet that is invoked.The filename has the format of eem-applet-timestamp.log, in which applet is the name of the event manager applet andtimestampis a dated timestamp in the format of YYYYMMDD-hhmmss ( see below  ) 

event manager applet Logoff
description Logoff every night
event timer absolute time 22:45:00
action 1 cli command "vpn-sessiondb logoff anyconnect noconfirm"
output new 

OUTPUT OF ACTION TAKEN SAVED IN FLASH :- 

ciscoasa(config)# more flash:/eem-Logoff-20230503-224500.log
Reason for log file generation:
absolute timer expired
------------------ vpn-sessiondb logoff anyconnect noconfirm @ 2023/05/03 22:45:00 ------------------
INFO: Number of sessions of type "anyconnect" logged off : 1


REFERENCED LINK :- ASA EEM feature

 

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents