AnyConnect Idle Timeout Issue

james
Level 1

Hello Everyone,

I'm having an issue with my AnyConnect SSL VPN sessions where the idle timeout is not working. I've set the idle timeout to be 30 minutes, yet I can see clients that have been idle for over 2 days without being disconnected. Below is the group policy which is being applied to my clients:

group-policy SSL-Full attributes
  wins-server value <IP>
  dns-server value <IP>
  dhcp-network-scope <IP>
  vpn-simultaneous-logins 2
  vpn-idle-timeout 30
  vpn-session-timeout none
  vpn-tunnel-protocol ssl-client
  group-lock none
  split-tunnel-policy tunnelall
  ipv6-split-tunnel-policy tunnelall
  split-tunnel-network-list none
  default-domain value <domain>
  split-dns value <domain>
  split-tunnel-all-dns enable
  msie-proxy method no-proxy
  smartcard-removal-disconnect enable

They are using client version 3.1.02026 with the ASA being a 5520 on version 9.1(1). Any help that can be provided would be most useful.

Thanks

10 Replies

Marcin Latosiewicz
Cisco Employee

James,

I guess the question is: what do you consider idle?

An idle user does not mean that the network stack is not busy; keepalives/updates for various apps (AV trying to update signatures?) and broadcasts will still flow over the network interface.

You can consider setting:

http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/v.html#wp1664651

to one-or-two days.

M.

Thanks for the reply. I should have made that a bit clearer in the first post, but when I say idle I mean that the user has normally put their computer in hibernation mode without disconnecting the VPN first. There is no traffic passing between their computer and the ASA, and the inactivity timer in ASDM will increment as well.

I was going to do as you suggest and just set a maximum session timer, but I work for a 24 hour organisation and I have in fact seen live sessions stay up for a long period of time.

Ultimately this may be the route I have to take as the usage of the AnyConnect client is about to skyrocket here and I can't afford to have licenses tied up.

Thanks

Hopefully this picture demonstrates it a bit better:

The inactivity timer is above the threshold of 30 minutes and, from my understanding, this timer wouldn't increment if the laptop was still powered on and the VPN client active. As you mentioned, the constant AV updates, AD communication and various other bits would keep the link from going inactive.
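As an added check (not from the thread): a Python script that parses `show vpn-sessiondb anyconnect` output and lists every session whose Inactivity counter already exceeds the 30-minute vpn-idle-timeout, so hibernated-laptop sessions still holding a license can be spotted before the pool runs out. The sample output is constructed and the field layout is approximated from the ASA CLI; the parser also handles the day-prefixed form the counter takes after 24 hours.

```python
import re

# Constructed sample of `show vpn-sessiondb anyconnect` output (layout approximated
# from the ASA CLI, not captured from the ASA in this thread).
SAMPLE_OUTPUT = """\
Username     : alice                  Index        : 12
Group Policy : SSL-Full               Tunnel Group : SSL-Full
Inactivity   : 2d 0h:12m:00s

Username     : bob                    Index        : 13
Group Policy : SSL-Full               Tunnel Group : SSL-Full
Inactivity   : 0h:00m:00s

Username     : carol                  Index        : 14
Group Policy : SSL-Full               Tunnel Group : SSL-Full
Inactivity   : 0h:47m:10s
"""

VPN_IDLE_TIMEOUT_MIN = 30  # the group policy's vpn-idle-timeout
_TIME_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")

def parse_duration(text):
    """Convert 'Nd Hh:MMm:SSs' or 'Hh:MMm:SSs' into whole seconds."""
    m = _TIME_RE.search(text)
    if not m:
        raise ValueError("unrecognised duration: %r" % text)
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs

def parse_sessions(output):
    """Return one {field: value} dict per session block in the CLI output."""
    sessions = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in block.splitlines():
            # Each row holds one or two "Key : value" cells separated by runs of spaces.
            for cell in re.split(r"\s{2,}(?=\w[\w ]*?\s*:)", line):
                key, sep, value = cell.partition(":")
                if sep:
                    fields[key.strip()] = value.strip()
        if "Username" in fields:  # ignore blocks that are not a session
            sessions.append(fields)
    return sessions

def stale_sessions(output, idle_timeout_min=VPN_IDLE_TIMEOUT_MIN):
    """(username, index, idle_seconds) for sessions past vpn-idle-timeout."""
    limit = idle_timeout_min * 60
    idle = [(s["Username"], int(s["Index"]), parse_duration(s["Inactivity"]))
            for s in parse_sessions(output)]
    return [row for row in idle if row[2] > limit]
```

Feed it the real CLI output captured from the ASA; anything it returns is a session the idle timer should already have cleared.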

Hi,

Try adding SSL keepalives on the group-policy.

Enter the commands below:

group-policy SSL-Full attributes
  webvpn
    anyconnect ssl keepalive 300

Please rate this post and mark it as resolved if it has addressed the issue.

________________

Best regards,

MB

I left that part out of the config snippet above, but I already have SSL keepalives enabled:

webvpn
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression none
  anyconnect dtls compression lzs
  anyconnect modules value nam,vpngina,posture
  anyconnect profiles value HQFull type user
  anyconnect profiles value NAM-Full type nam
  anyconnect ask none default anyconnect
  anyconnect ssl df-bit-ignore disable
  always-on-vpn disable

Hmm...

Try the following:

group-policy SSL-Full attributes
  vpn-idle-timeout none
  webvpn
    default-idle-timeout 1800

________________ Best regards, MB

Thanks for the idea. I tried setting the default idle timeout to 1800 as suggested, but I'm still seeing clients inactive for more than 30 minutes.

Any further ideas I could try?

What version of ASA code and AnyConnect are you using? I remember reading about a bug in a certain version which didn't release an IP when users reached an idle or max timeout... or something to that effect. I remember reading it and specifically testing it but couldn't reproduce it at the time. I now make sure to test it for all upgrades we perform.

I put it in the first post, but the ASA version is 9.1(1), or if you prefer, asa911-k8.bin.

Anyone else have any ideas? I left it over the weekend to see if the global timeout made a difference, but this morning there was a session idle for over 2 hours before I killed it off.

Maybe we didn't understand.

If it doesn't work with the configuration below, I haven't any idea.

!--- Global WebVPN configuration
webvpn
  enable 'Name_of_interface'
  default-idle-timeout 3600
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect enable
!--- Your group-policy SSL-Full
group-policy SSL-Full internal
group-policy SSL-Full attributes
  vpn-idle-timeout none

________________ Best regards, MB