Solved: Anyconnect Client Timeout

jwilder · ‎12-30-2009

Sorry if this has already been addressed in another thread. I looked and didn't find anything so I am posting here.

We are currently using the anyconnect client on our ASA5520's. The only issue I am having right now is the timeout doesn't

seem to be working correctly. I have the current group policy Idle Timeout set to 30 minutes and the clients never get disconnected

unless you manually disconnect them.

At first I thought that keepalives or DPD was some how affecting this. But after testing they don't appear to be. It appears

that the idle timeout just doesn't work. Anyone have any ideas of what I am missing? Or does the idle timeout function just not work?

Thanks!

Jeff

Todd Pula · ‎01-05-2010

I look at the idle timeout as a legacy feature due to the fact that modern operating systems are inherently chatty. If you run a sniffer on the AnyConnect VA and then leave the PC for a few minutes, you will capture all sorts of packets to and from the client, even though you are not actively working on the PC. If your intent is to manage user sessions, you could set a max session time. Once the max session time limit is reached, the user will be disconnected from the system. The users will then need to reconnect if they require continued network access. Dead Peer Detection is mechanism used by the headend or the client in order to quickly detect a condition where the peer is not responding and the connection has failed. For example, in a perfect world all AnyConnect users will right click on the tray icon and click disconnect in order to gracefully disconnect the session. In reality, users may lose their connection to the Internet, power down their PC while connected, etc. Without DPD, the headend device will maintain the now stale session information in the event that the SSL client tries to reconnect. This will require manual intervention by an administrator in order to manually log off the sessions. With DPD, the headed can recognize the loss of conectivity to the client and terminate the session information. DPD is a hello and ACK process between client and server. If a series of hello messages are not ACK'd, the related session information is cleared from the client or server. This is maintained by SSL and is unrelated to the network traffic related idle timeout.

Below are a few links for your reference. Please let me know if I can be of any further assistance.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1072975

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1134794

View solution in original post

Todd Pula · ‎12-31-2009

The idle timeout implies that no packets are traversing the AnyConnect virtual adapter. The common misconception relates to user innactivity vs. PC/OS innactivity. A packet capture would more than likely show traffic traversing the tunnel during times of user innactivity. The only way to truly make a Windows PC idle is to disable the Micorosoft Network and File and Print sharing from the network config of the PC's physical adapter. Dead Peer Detection (DPD), on the other hand, can be enabled in order to overcome network events and timeout stale sessions.

jwilder · ‎01-05-2010

So this implies then that the idle timeout feature either doesn't work as it is advertised or just doesn't work.

If DPD is designed to do these functions then i am struggling to understand what/why we need the idle timeout option?

Is there some documentation out there that describes each of these features in detail and how they interact/react with each other? I have looked all over the Cisco site and can't seem to find any.

I guess i don't understand how does DPD differentiate network traffic from end user traffic? Isn't this the same problem that the idle timer has?

Thanks,
Jeff

Todd Pula · ‎01-05-2010

I look at the idle timeout as a legacy feature due to the fact that modern operating systems are inherently chatty. If you run a sniffer on the AnyConnect VA and then leave the PC for a few minutes, you will capture all sorts of packets to and from the client, even though you are not actively working on the PC. If your intent is to manage user sessions, you could set a max session time. Once the max session time limit is reached, the user will be disconnected from the system. The users will then need to reconnect if they require continued network access. Dead Peer Detection is mechanism used by the headend or the client in order to quickly detect a condition where the peer is not responding and the connection has failed. For example, in a perfect world all AnyConnect users will right click on the tray icon and click disconnect in order to gracefully disconnect the session. In reality, users may lose their connection to the Internet, power down their PC while connected, etc. Without DPD, the headend device will maintain the now stale session information in the event that the SSL client tries to reconnect. This will require manual intervention by an administrator in order to manually log off the sessions. With DPD, the headed can recognize the loss of conectivity to the client and terminate the session information. DPD is a hello and ACK process between client and server. If a series of hello messages are not ACK'd, the related session information is cleared from the client or server. This is maintained by SSL and is unrelated to the network traffic related idle timeout.

Below are a few links for your reference. Please let me know if I can be of any further assistance.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1072975

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1134794