cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
197500
Views
65
Helpful
17
Replies

AnyConnect Session Timeout Question

Patrick McHenry
Level 3
Level 3

We have some remote users that are not happy with the SSL Any Connect connection going down after they close their laptops or lose their wireless connection for a time. I read this question and answer from a Cisco page and was wondering where the session timeout setting is changed. Is it on the client nic, AnyConnect software or the ASA firewall?

Thanks, Pat.        

Q. What is the AnyConnect reconnect behavior?

A. AnyConnect will attempt to reconnect if the connection is disrupted. This behavior is automatic and not configurable. As long as the session on the ASA is still valid, the session will be resumed if AnyConnect can re-establish the physical connection.

Version 2.2 includes a roaming feature that allows AnyConnect to reconnect after a PC sleep. The client will continue trying indefinitely until the head-end tells it that it cannot reconnect and the client will not immediately tear down the tunnel when the system goes in to hibernate/standby. For customers who do not want this feature, set the session timeout to a low value to prevent sleep or resume reconnects.

1 Accepted Solution

Accepted Solutions

And also, for the new changes in the AnyConnect profile to take effect, you would need to reconnect your AnyConnect session so the new policy is pushed to the client.

View solution in original post

17 Replies 17

Jennifer Halim
Cisco Employee
Cisco Employee

The session timeout is to be configured on the ASA firewall. That setting is being pushed when the AnyConnect client connects as part of the policy received from the ASA firewall.

Here is the configuration:

vpn-session-timeout

to be configured under the respective group-policy.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1631430

Jennifer, thank you for the response.

What if a remote user lost their connection to the Internet and when they reconnected they got a new address, if we increased the  vpn-session-timeout to, say 180 minutes, would they still be able to re-connect automatically during the 180 minute time frame?

What if, during the 180 minute time frame, they connected to a different wifi network?

Thanks, Pat.

The answer to both your questions is YES, they will be able to re-connect automatically as long as the session within the ASA is still valid.

Here is the document to confirm the behaviour:

https://supportforums.cisco.com/docs/DOC-1361#Q_VPN_session_failover_SSL_is_possible_with_dual_Internet_Service_Providers_ISPs_without_breaking_the_session_For_example_if_a_customer_is_communicating_through_SSL_VPN_through_ISP_1_if_ISP_1_goes_down_wi...

In the above document, dual ISP basically means different IP Addresses which is what you were asking, ie:

1/ received new ip address

2/ different wife - means different ip address

Jennifer,

correct me if I am wrong but, although the vpn-session-timeout needs to be set to a reasonable amout of time to provide a practicle session length, shouldn't I be more concerned with vpn-idle-timeout setting? This setting seems to address the limitation that remote users have been having when closing their laptops, losing wireless connectivity, or going to a different wireless network.

Thanks, Pat

Step 7

Configure the user timeout period by entering the

vpn-idle-timeout

command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}


The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword also permits an unlimited idle timeout period. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-idle-timeout 15


Step 8 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command in group-policy configuration mode or in username configuration mode.

hostname(config-group-policy)# vpn-session-timeout {minutes | none}


The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value. At the end of this period of time, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. Specifying the none keyword permits an unlimited session timeout period and sets session timeout with a null value, which disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-session-timeout 180


The VPN Idle timeout, by default is 30 minutes, and if users are just roaming to other wireless hotspot, and/or receiving a new IP Address, then typically it would just take a couple of minutes maximum, so the default idle timeout will be more than enough time and will not terminate the session.

Thanks Jennifer,

What I want to stop is the need for the user to have to go through the connection and reauthentication process. At present, when I am testing the SSL VPN from my laptop and I close the lid or disable my nic and re-enable, I must reauthentic. This is the process I would like to automate. I would like users to be able to close the laptop or lose connection temporarily and still retain their session.

I'm a little confused of what setting will fix this.

The vpn-session-timeout seems to be an absolute: meaning, when the configured time has elapsed, the connection will end and the user will have to re-connect. Is this correct?

The vpn-idle-timeout seems to be associated with the user losing network connection but retaining their session and be able to re-connect automatically or seamlessly. Is this correct?

If the above statements are correct, and the default vpn-idle-timeout is set to default (30 minutes), I shouldn't be losing connection when I close my laptop for a couople of minutes. Is this correct?

Thanks, Pat.

What version of ASA are you currently running and also what version of AnyConnect are you using?

ASA version is: 8.3.1

AnyConnect version is: 3.0.5080-k9 and same version for MAC and Linux

Thanks, Pat

Also, we changed the ASA setting Maximum connect and idle timeout to unlimited and ssl vpn client always on VPN, but when I close my laptop I get the message:

"The VPN connection has been disconnect due to system suspending. The reconnect capability is disabled. A new connection is necessary, which requires re-authentication. Is this a client side setting that this message is referring to and where do I change it?

There are 2 auto reconnect types without authentication:

1) Changes of physical interface whether changing ISP ip address, or roaming from wifi to wired or vice versa, or roaming to other wifi network - AnyConnect session by default will resume without any authentication.

2) From system suspect - by default AnyConnect will re-authenticate, unless you have the following configured under your AnyConnect profile:

Auto Reconnect --> Reconnect After Resume: if both settings are enabled.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1113790

And also, for the new changes in the AnyConnect profile to take effect, you would need to reconnect your AnyConnect session so the new policy is pushed to the client.

I think when I was testing the ASA changes weren't pushed to the cient yet or I hadn't restarted the AnyConnect on the laptop. Regardless, it seems to be working now. I was connected via the DSL, unplugged my connection for a minute, reconnected the DSL and automatically connected.

Thanks

Thanks for the update. Great to hear it's working now.

Jennifer,

Referring to your post with the 2 options:

With option 2, did you me that  "by default AnyConnect will re-authenticate, unless you don't have the following configured under your AnyConnect profile:"

Unless the setting is counter-intuitive, I would think it would be the opposite of what you said.

Thanks, Pat