On ASA/FTD, the following connection parameters terminate the VPN session based on timeouts:
- Maximum Connect Time—Sets the maximum user connection time in minutes. At the end of this time, the system terminates the connection. You can also allow unlimited connection time (default).
- VPN Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. If the VPN idle timeout is not configured, then the default idle timeout is used.
- Default Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. The default value is 30 minutes (or 1800 seconds).
To log off all users at a specific time, we can configure an EEM script (examples below).
Note: In the case of FTD, this needs to be configured through FlexConfig.
In the examples below:
- We define an absolute timer event. Absolute (once-a-day) timers cause an event to occur once a day at a specified time, and restart automatically. The time-of-day format is hh:mm:ss.
- When an event manager applet is triggered by an absolute timer event, the actions on the event manager applet are performed, i.e. remote users are logged off at a specific time.
EXAMPLE 1: Event manager applet that terminates the users every day at 10:45 PM
event manager applet Logoff
description Logoff every night
event timer absolute time 22:45:00
action 1 cli command "vpn-sessiondb logoff anyconnect noconfirm"
output none
EXAMPLE 2: Event manager applet that terminates the users every day at 10:45 PM and sends the output of the action commands to a new file each time the event manager applet is invoked. The filename has the format eem-applet-timestamp.log, in which applet is the name of the event manager applet and timestamp is a dated timestamp in the format YYYYMMDD-hhmmss (see below).
event manager applet Logoff
description Logoff every night
event timer absolute time 22:45:00
action 1 cli command "vpn-sessiondb logoff anyconnect noconfirm"
output new
OUTPUT OF ACTION TAKEN, SAVED IN FLASH:
ciscoasa(config)# more flash:/eem-Logoff-20230503-224500.log
Reason for log file generation:
absolute timer expired
------------------ vpn-sessiondb logoff anyconnect noconfirm @ 2023/05/03 22:45:00 ------------------
INFO: Number of sessions of type "anyconnect" logged off : 1
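To confirm from a log file copied off the device that the scheduled logoff actually ran, the output can be parsed. This is an added example, not part of the original article or of Cisco's tooling. It is written against the single sample shown above (other commands may produce different output), and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the file name and contents shown on this page.
SAMPLE_NAME = "eem-Logoff-20230503-224500.log"
SAMPLE_TEXT = """Reason for log file generation:
absolute timer expired
------------------ vpn-sessiondb logoff anyconnect noconfirm @ 2023/05/03 22:45:00 ------------------
INFO: Number of sessions of type "anyconnect" logged off : 1
"""

NAME_RE = re.compile(r"^eem-(?P<applet>.+)-(?P<ts>\d{8}-\d{6})\.log$")
CMD_RE = re.compile(r"^-+ (?P<cmd>.+?) @ (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) -+$")
COUNT_RE = re.compile(r'^INFO: Number of sessions of type "(?P<type>[^"]+)" logged off : (?P<n>\d+)$')


def parse_eem_log(filename, text):
    """Return applet name, trigger reason, and one record per action command."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not an EEM output file name: {filename!r}")
    result = {
        "applet": m["applet"],
        "invoked": datetime.strptime(m["ts"], "%Y%m%d-%H%M%S"),
        "reason": None,
        "actions": [],
    }
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("Reason for log file generation") and i + 1 < len(lines):
            result["reason"] = lines[i + 1]
        elif (c := CMD_RE.match(line)):
            result["actions"].append({
                "command": c["cmd"],
                "ran_at": datetime.strptime(c["ts"], "%Y/%m/%d %H:%M:%S"),
                "logged_off": None,  # stays None if no INFO count follows
            })
        elif (n := COUNT_RE.match(line)) and result["actions"]:
            result["actions"][-1]["session_type"] = n["type"]
            result["actions"][-1]["logged_off"] = int(n["n"])
    return result


def logoff_ran(parsed, expected="vpn-sessiondb logoff anyconnect noconfirm"):
    """True only if the expected command ran and reported a session count."""
    return any(a["command"] == expected and a["logged_off"] is not None
               for a in parsed["actions"])
```

A missing file for a given night, or a file where `logoff_ran` is false, is the condition worth alerting on, since it means sessions may have stayed up past the intended cutoff.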
REFERENCED LINK: ASA EEM feature