Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21921
Views
5
Helpful
5
Replies

AnyConnect timeout parameters

fsebera
Level 4
Level 4

‎02-18-2016 05:23 PM - edited ‎02-21-2020 08:41 PM


Each remote AnyConnect user connects to the same HQ ASA at different times of the day; with the vpn-idle-timeout 1200 and vpn-session-timeout 1200 (20 hours), do all sessions terminate at the same time each day or does each session terminate 20 hours after each session was initiated?

group-policy phonevpn attributes
 wins-server none
 dns-server value 10.x.y.z 10.a.b.c
 vpn-simultaneous-logins 20
 vpn-idle-timeout 1200
 vpn-session-timeout 1200
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value phone_pool

Thank you

Frank

1 person had this problem
Labels:
0 Helpful
5 Replies 5

jj27
Spotlight
Spotlight

‎02-18-2016 06:34 PM

It is per-session, so 20 hours after the user connects.

fsebera
Level 4
Level 4
In response to jj27

‎02-25-2016 05:59 AM

Original config

--snip--

vpn-idle-timeout 1200
vpn-session-timeout 1200

--snip--

NEW config

--snip--

vpn-idle-timeout none
vpn-session-timeout none

--snip--

We have tested this change for multiple days and all seems well.

THANK YOU

Frank

0 Helpful

Rohan Padwal
Level 1
Level 1

‎02-25-2016 12:22 PM

this is timer based and calculated after the user connects and its different for different users 

 vpn-idle-timeout 1200 <<<<if their is no traffic over the RA tunnel for 20 hrs his session is disconnected.

 vpn-session-timeout 1200<<<<<ASA will disconnect the user session  forcefully after 20 hrs

default vpn-idle-timeout is 30 mins and vpn-session-timeout is none

 

0 Helpful

fsebera
Level 4
Level 4
In response to Rohan Padwal

‎02-25-2016 12:39 PM

Hi Rohan,

The problem we were having and attempting to solve was after the AnyConnect VPN user was disconnected (after 20 hours), it took multiple hours to reconnect. The AnyConnect VPN users are Cisco VoIP 7945G phones and they are connected across the public Internet.

Thank you

Frank

0 Helpful

Rohan Padwal
Level 1
Level 1
In response to fsebera

‎02-25-2016 12:52 PM

okies if you have below config 

vpn-idle-timeout none
vpn-session-timeout none

then your phone should stay up untill they are disconnected from the client end,

the issue might be after the disconnect the phones didn't reattempt the authentication 

what was the re authentication delay and which mode of auth was used CERT or Username password ?

AnyConnect VPN Phone - IP Phones, ASA, and CUCM Troubleshooting

#Rohan

0 Helpful
Customers Also Viewed These Support Documents