09-09-2010 06:03 AM
Hi all,
I am connecting with the AnyConnect client to an ASA5510 (8.2.1(11)).
In the group policy I have idle timeout = unlimited, but if I control the session in ASDM and in the command line I find idle timeout = 30 minutes.
If I insert idle timeout = 60 in the policy, in the session I see idle timeout = 60 min.
Is there only a problem in the visualization of the session?
09-09-2010 06:59 AM
Setting the "vpn-idle-timeout none" command from the group-policy is a misunderstood command. When it is set in the group-policy it does not disable the idle-timeout. In the past I filed a bug to clarify what this setting does (see CSCsm15079) to clarify the misunderstanding. In newer versions of code with the bug fix, the command sensitive help now properly explains it:
ASA(config-group-policy)# vpn-idle-timeout ?
group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout
When it is set to none, and you are using SSL VPN, it means it will inherit the default-idle-timeout that is set under the Webvpn config. The default for this command is 30 minutes, so that's probably why ASDM is displaying 30 minutes. If you would like to adjust this value, it can be changed with:
conf t
webvpn
default-idle-timeout
If you would like an "unlimited" idle time, you should set the vpn-idle-timeout in the group-policy to a specific number instead of "none" -- the maximum you can set with the vpn-idle-timeout command is 35791394 minutes (something like ~24000 days or essentially unlimited).
Please rate this post and mark it as resolved if it has addressed the issue.
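The resolution rule described in this answer, as an added example that is not part of the original post or Cisco's code: a small Python audit that reads a running-config and reports the idle timeout each group-policy actually gets for IPsec and for SSL VPN. The sample config and function names are constructed, and it assumes `default-idle-timeout` is configured in seconds under the global `webvpn` section with a 30-minute default.

```python
import re
DEFAULT_IDLE_SECONDS = 1800  # assumption: webvpn default of 30 minutes, in seconds

# Constructed sample running-config, not taken from the thread.
SAMPLE_CONFIG = """\
webvpn
 default-idle-timeout 3600
group-policy SSL-USERS attributes
 vpn-idle-timeout none
group-policy ADMINS attributes
 vpn-idle-timeout 35791394
group-policy LEGACY attributes
 vpn-tunnel-protocol IPSec
"""

def effective_idle_timeouts(config_text):
    """Map each group-policy to (ipsec, ssl): minutes, 'unlimited' or 'inherited'."""
    default_seconds = DEFAULT_IDLE_SECONDS
    configured = {}    # policy name -> vpn-idle-timeout argument, None if not set
    section = ""       # top-level command that owns the current indented lines
    policy = None      # policy name while inside "group-policy <name> attributes"
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():                      # new top-level command
            section = line.strip()
            m = re.fullmatch(r"group-policy (\S+) attributes", section)
            policy = m.group(1) if m else None
            if policy:
                configured.setdefault(policy, None)
        elif len(words) == 2 and section == "webvpn" and words[0] == "default-idle-timeout":
            default_seconds = int(words[1])
        elif len(words) == 2 and policy and words[0] == "vpn-idle-timeout":
            configured[policy] = words[1]
    result = {}
    for name, value in configured.items():
        if value is None:
            result[name] = ("inherited", "inherited")   # resolved from a parent policy
        elif value == "none":                           # the case from the thread
            result[name] = ("unlimited", default_seconds // 60)
        else:
            result[name] = (int(value), int(value))
    return result

def policies_where_none_is_not_unlimited(config_text):
    """Policies whose 'none' gives SSL VPN sessions a finite idle timeout."""
    found = effective_idle_timeouts(config_text).items()
    return sorted(name for name, (ipsec, _ssl) in found if ipsec == "unlimited")
```

Policies reported as `inherited` have no `vpn-idle-timeout` line of their own, so their value comes from a parent policy that this sketch does not resolve.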
09-10-2010 06:09 AM
Thank you for your explanation.
The bug is not really solved, even if in the schedule of the Bug Toolkit I find it is fixed in version 8.2(1); I am using 8.2(1)11.
It is solved for IPsec, not for SSL VPN.
09-10-2010 06:23 AM
The bug is for clarification only; the fix for the bug does not change the behavior/functionality of the vpn-idle-timeout for IPsec nor for SSL.
The bug's intention was to document what the expected behavior should be in the command line, as prior to the bug fix the explanation was not correct. Here's what the bug fix did:
In the versions of code without the bug fix the command sensitive help incorrectly stated:
ASA(config-group-policy)# vpn-idle-timeout ?
group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          Disable timeout and allow an unlimited idle period
In the versions of the code with the bug fix the command sensitive help correctly states the expected behavior (If you are not seeing this in your 8.2.1.11 code let me know):
ASA(config-group-policy)# vpn-idle-timeout ?
group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout
-heather