06-17-2013 11:54 PM - edited 02-21-2020 06:57 PM
Hello Everyone,
I'm having an issue with my AnyConnect SSL VPN sessions where the idle timeout is not working. I've set the idle timeout to be 30 minutes, yet I can see clients that have been idle for over 2 days without being disconnected. Below is the group policy which is being applied to my clients:
group-policy SSL-Full attributes
wins-server value <IP>
dns-server value <IP>
dhcp-network-scope <IP>
vpn-simultaneous-logins 2
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
group-lock none
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value <domain>
split-dns value <domain>
split-tunnel-all-dns enable
msie-proxy method no-proxy
smartcard-removal-disconnect enable
They are using client version 3.1.02026 with the ASA being a 5520 on version 9.1(1). Any help that can be provided would be most useful.
Thanks
06-18-2013 01:12 AM
James,
I guess the question is - what do you consider idle.
Idle user does not mean that network stack is not busy, keepalives/updates for various apps (AV trying to update signatures?) and broadcasts will still flow over the network interface.
You can consider setting:
http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/v.html#wp1664651
to one or two days.
M.
06-18-2013 01:18 AM
Thanks for the reply. I should have made that a bit clearer in the first post, but when I say idle I mean that the user has normally put their computer in hibernation mode without disconnecting the VPN first. There is no traffic passing between their computer and the ASA, and the inactivity timer in ASDM increments as well.
I was going to do as you suggest and just set a maximum session timer, but I work for a 24 hour organisation and I have in fact seen live sessions stay up for a long period of time.
Ultimately this may be the route I have to take as the usage of the AnyConnect client is about to skyrocket here and I can't afford to have licenses tied up.
Thanks
06-18-2013 01:41 AM
Hopefully this picture demonstrates it a bit better:
The inactivity timer is above the threshold of 30 minutes and from my understanding, this timer wouldn't increment if the laptop was still powered on and the VPN client active. As you mentioned, the constant AV updates, AD communication and various other bits would keep the link from going inactive.
06-18-2013 02:17 AM
Hi,
Try adding SSL keepalives on the group-policy.
Enter the commands below:
group-policy SSL-Full attributes
webvpn
anyconnect ssl keepalive 300
Pls rate this post and mark it as resolved if it has addressed the issue.
________________
Best regards,
MB
06-18-2013 03:16 AM
I left that part out of the config snippet above, but I already have SSl keepalives enabled:
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression lzs
anyconnect modules value nam,vpngina,posture
anyconnect profiles value HQFull type user
anyconnect profiles value NAM-Full type nam
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
always-on-vpn disable
06-18-2013 04:27 AM
Hmm...
Try the following:
group-policy SSL-Full attributes
vpn-idle-timeout none
webvpn
default-idle-timeout 1800
06-18-2013 07:19 AM
Thanks for the idea. I tried setting the default idle timeout to 1800 as suggested, but I'm still seeing clients inactive for more than 30 minutes.
Any further ideas I could try?
06-18-2013 07:38 AM
What version of ASA code and anyconnect are you using? I remember reading a bug in a certain version which didn't release an IP when users reach an idle or max timeout....or something to that effect. I remember reading it and specifically testing it but couldn't reproduce it at the time. I now make sure to test it for all upgrades we perform.
06-24-2013 03:05 AM
I put it in the first post, but the ASA version is 9.1(1) or if you prefer asa911-k8.bin
Anyone else have any ideas? I left it over the weekend to see if the global timeout made a difference, but this morning there was a session idle for over 2 hours before I killed it off.
06-24-2013 05:39 AM
Maybe we didn't understand.
If it doesn't work with the configuration below, I haven't any idea.
!--- Global WebVPN configuration
webvpn
enable 'Name_of_interface'
default-idle-timeout 3600
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
!--- Your group-policy SSL-Full
group-policy SSL-Full internal
group-policy SSL-Full attributes
vpn-idle-timeout none
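The thread keeps circling around which timeout actually applies to a session: the group-policy `vpn-idle-timeout` (in minutes), the global `webvpn default-idle-timeout` (in seconds), and the keepalive/DPD intervals that sit beside them. The script below is an added example, not something posted in this thread and not Cisco's code. It parses a running-config excerpt built from the snippets in the thread, works out the idle timeout each group-policy should end up with, and flags sessions whose inactivity has exceeded it. It assumes, as the last two replies do, that a numeric group-policy value wins and that `vpn-idle-timeout none` (or an unset value) falls back to the global `default-idle-timeout`; the session list is constructed, not real `show vpn-sessiondb` output.

```python
"""Audit ASA AnyConnect idle-timeout settings from a running-config excerpt.

Added example for this thread, not Cisco code. Assumption (matches the advice
given in the thread, not verified on every ASA release): a numeric group-policy
vpn-idle-timeout (minutes) overrides the global webvpn default-idle-timeout
(seconds); 'none' or an unset value falls back to the global value.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed config, assembled from the snippets posted in the thread.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 default-idle-timeout 3600
 anyconnect enable
group-policy SSL-Full internal
group-policy SSL-Full attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl keepalive 20
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
group-policy Contractors attributes
 vpn-idle-timeout none
 webvpn
  anyconnect ssl keepalive none
"""

# Constructed (username, seconds idle) pairs; not real session-db output.
SAMPLE_SESSIONS: List[Tuple[str, int]] = [
    ("jsmith", 120),            # active user
    ("jdoe", 2 * 24 * 3600),    # hibernated laptop, idle two days
    ("asage", 1700),            # just under a 30-minute limit
]


def _none_or_int(tok: str):
    """ASA timers take either the literal 'none' or an integer."""
    return "none" if tok == "none" else int(tok)


def parse_config(text: str) -> Dict:
    """Pull the timeout-related settings out of an ASA config excerpt."""
    cfg: Dict = {"default_idle_timeout": None, "group_policies": {}}
    ctx = None  # "webvpn" inside the global block, ("gp", name) inside a group-policy
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new context
            m = re.match(r"group-policy (\S+) attributes$", line)
            if m:
                ctx = ("gp", m.group(1))
                cfg["group_policies"].setdefault(m.group(1), {
                    "vpn_idle_timeout": None, "ssl_keepalive": None,
                    "dpd_client": None, "dpd_gateway": None})
            else:
                ctx = "webvpn" if line == "webvpn" else None
            continue
        cmd = line.strip()
        if ctx == "webvpn":
            m = re.match(r"default-idle-timeout (\d+)$", cmd)
            if m:
                cfg["default_idle_timeout"] = int(m.group(1))
        elif isinstance(ctx, tuple):
            gp = cfg["group_policies"][ctx[1]]
            m = re.match(r"vpn-idle-timeout (none|\d+)$", cmd)
            if m:
                gp["vpn_idle_timeout"] = _none_or_int(m.group(1))
            m = re.match(r"anyconnect ssl keepalive (none|\d+)$", cmd)
            if m:
                gp["ssl_keepalive"] = _none_or_int(m.group(1))
            m = re.match(r"anyconnect dpd-interval (client|gateway) (none|\d+)$", cmd)
            if m:
                gp["dpd_" + m.group(1)] = _none_or_int(m.group(2))
    return cfg


def effective_idle_timeout(cfg: Dict, gp_name: str) -> Optional[int]:
    """Seconds of inactivity after which a session in gp_name should be dropped.

    Returns None when no idle timeout is configured anywhere (assumption noted
    at the top of the file: 'none'/unset falls back to the global value).
    """
    value = cfg["group_policies"].get(gp_name, {}).get("vpn_idle_timeout")
    if isinstance(value, int):
        return value * 60  # group-policy value is in minutes
    return cfg["default_idle_timeout"]  # global value is already in seconds


def stale_sessions(sessions: List[Tuple[str, int]], timeout_s: Optional[int]) -> List[str]:
    """Users whose idle time has passed the timeout the ASA should have enforced."""
    if timeout_s is None:
        return []
    return [user for user, idle in sessions if idle > timeout_s]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in cfg["group_policies"]:
        limit = effective_idle_timeout(cfg, name)
        print(f"{name}: effective idle timeout {limit}s, "
              f"keepalive {cfg['group_policies'][name]['ssl_keepalive']}")
    print("sessions past the SSL-Full limit:",
          stale_sessions(SAMPLE_SESSIONS, effective_idle_timeout(cfg, "SSL-Full")))
```

Running the script against the constructed config reports SSL-Full with an effective limit of 1800 seconds and Contractors falling back to the global 3600, and lists `jdoe` as the session that should already have been torn down. Feeding it the real running-config is a quick way to confirm that the value you think is in force is the one the ASA will apply before spending a weekend watching the session table.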