02-25-2019 09:11 AM
Hello,
We are having some trouble with our user VPN timeouts on our ASA5545, which is running Cisco Adaptive Security Appliance Software Version 9.8(3)16. Specifically, our VPN sessions are timing out after six hours as designed, but, not as designed, they are timing out whether or not the session is idle. Our intention is for the sessions to time out after six hours of inactivity, not just six hours after VPN establishment. Our config is below. Please note that we can only touch the AnyConnect policy; we cannot alter the Default policy, as that also affects our site-to-site VPN tunnels.
group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
dns-server value 10.2.5.152 4.2.2.2
vpn-idle-timeout 360
vpn-session-timeout 360
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN
default-domain value ChorusCallInc.local
split-dns value choruscallinc.local
address-pools value vpn_pool
02-25-2019 09:27 AM
Set "vpn-session-timeout" to none or a really high value. Your current setting instructs the ASA to terminate the session after 6 hours, period.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html
02-26-2019 06:28 AM
Thank you for your response. This worked partially. The session no longer times out while using it, however it doesn't seem to time out at all even though the idle timeout is still configured for six hours.
group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
dns-server value 10.2.5.152 4.2.2.2
vpn-idle-timeout 360
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ClientVPN
default-domain value ChorusCallInc.local
split-dns value choruscallinc.local
address-pools value vpn_pool
02-26-2019 06:41 AM
This could depend on whether the session is really inactive. These days, there is always some sort of traffic originating from the client machine. A good check to do is to monitor "show vpn-sessiondb anyconnect" as below:
Username     : rahul.govindan         Index        : 13815
Assigned IP  : y.y.y.y                Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 24389727               Bytes Rx     : 4710923
Group Policy : Group-Policy           Tunnel Group : SSL
Login Time   : 08:17:46 EST Tue Feb 26 2019
Duration     : 1h:18m:32s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : xxxxxxx
Security Grp : none
You should see the inactivity timer go up to 360 minutes before it times out. Usually there is some traffic that resets this timer back to 0.
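As an added example that is not part of the thread (not code posted by any participant), the following Python script encodes the two checks from the answers above. It parses a group-policy attributes block and reports when vpn-session-timeout is at or below vpn-idle-timeout (the original 360/360 setting, under which the idle timer can never fire because the absolute session limit always wins), and it parses "show vpn-sessiondb anyconnect" output to show, per session, how far the Inactivity timer has progressed toward the idle timeout and which sessions are being held up by client traffic. The policy text and session output are constructed sample input modelled on what was posted; usernames and addresses are made up. The "Nd " day prefix on long Duration values and the ASA factory defaults used when an attribute is absent (30-minute idle timeout, no session limit) are assumptions.

```python
"""Check ASA AnyConnect idle/session timeouts against live session state.

Added example for this thread, not code posted by any participant. Parses a
group-policy attributes block and "show vpn-sessiondb anyconnect" output
(both constructed below) and reports whether vpn-session-timeout cuts
sessions before vpn-idle-timeout can fire, and which sessions are being
kept alive by client traffic.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the thread's original (weak) policy and the fix.
BROKEN_POLICY = """\
group-policy Any.Connect.Policy attributes
 vpn-idle-timeout 360
 vpn-session-timeout 360
"""
FIXED_POLICY = """\
group-policy Any.Connect.Policy attributes
 vpn-idle-timeout 360
 vpn-session-timeout none
"""

# Constructed sample output; usernames and addresses are made up.
SAMPLE_SESSIONDB = """\
Session Type: AnyConnect

Username     : alice                  Index        : 13815
Assigned IP  : 10.10.0.5              Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : Any.Connect.Policy     Tunnel Group : SSL
Duration     : 7h:18m:32s
Inactivity   : 0h:00m:00s

Username     : bob                    Index        : 13816
Assigned IP  : 10.10.0.6              Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : Any.Connect.Policy     Tunnel Group : SSL
Duration     : 1d 2h:05m:10s
Inactivity   : 5h:55m:00s
"""

# Assumed ASA factory defaults; a policy that omits the attribute really
# inherits from DfltGrpPolicy, so check that policy too in practice.
DEFAULTS = {"vpn-idle-timeout": 30, "vpn-session-timeout": None}

TIMEOUT_RE = re.compile(
    r"^\s*(vpn-idle-timeout|vpn-session-timeout)\s+(none|\d+)\s*$", re.M)
# Assumes a leading "Nd " appears on Duration/Inactivity past 24 hours.
TIMER_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_policy(text: str) -> dict:
    """Return both timers in minutes; None means the keyword 'none'."""
    policy = dict(DEFAULTS)
    for name, value in TIMEOUT_RE.findall(text):
        policy[name] = None if value == "none" else int(value)
    return policy


def check_policy(policy: dict) -> list:
    """Findings about how the two timers interact."""
    idle, session = policy["vpn-idle-timeout"], policy["vpn-session-timeout"]
    findings = []
    if session is not None and idle is not None and session <= idle:
        findings.append(
            f"vpn-session-timeout {session} <= vpn-idle-timeout {idle}: every "
            f"session is cut at {session} min regardless of activity; the idle "
            f"timeout can never fire")
    if session is None:
        findings.append("vpn-session-timeout none: no absolute lifetime, only "
                        "inactivity ends a session (consider a finite value "
                        "larger than the idle timeout)")
    return findings


def timer_seconds(s: str) -> int:
    """Convert '1d 2h:05m:10s' / '0h:00m:00s' to seconds."""
    m = TIMER_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised timer: {s!r}")
    d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + sec


@dataclass
class Session:
    username: str
    duration_s: int
    inactivity_s: int


def parse_sessiondb(text: str) -> list:
    """Split 'show vpn-sessiondb anyconnect' output into Session records."""
    sessions = []
    for chunk in re.split(r"(?m)^(?=Username\s*:)", text):
        if not chunk.startswith("Username"):
            continue  # header before the first session
        user = re.search(r"Username\s*:\s*(\S+)", chunk).group(1)
        dur = re.search(r"Duration\s*:\s*(.*)$", chunk, re.M).group(1)
        ina = re.search(r"Inactivity\s*:\s*(.*)$", chunk, re.M).group(1)
        sessions.append(Session(user, timer_seconds(dur), timer_seconds(ina)))
    return sessions


def assess_sessions(sessions: list, policy: dict) -> list:
    """Per session: minutes up, minutes idle, minutes until the idle timeout
    fires, and a flag for sessions that have outlived the idle timeout with
    the Inactivity timer still at zero (client traffic keeps resetting it)."""
    idle = policy["vpn-idle-timeout"]
    idle_s = None if idle is None else idle * 60
    rows = []
    for s in sessions:
        remaining = None if idle_s is None else max(idle_s - s.inactivity_s, 0) // 60
        kept_alive = (idle_s is not None and s.duration_s > idle_s
                      and s.inactivity_s == 0)
        rows.append({"user": s.username, "up_min": s.duration_s // 60,
                     "idle_min": s.inactivity_s // 60,
                     "idle_timeout_in_min": remaining,
                     "kept_alive_by_client_traffic": kept_alive})
    return rows


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, check_policy(parse_policy(text)))
    for row in assess_sessions(parse_sessiondb(SAMPLE_SESSIONDB),
                               parse_policy(FIXED_POLICY)):
        print(row)
```

Run it as-is to see the two policy findings and the per-session table; replace the constants with a real group-policy block and a real "show vpn-sessiondb anyconnect" capture to check your own box. One design point worth keeping in mind: "vpn-session-timeout none" removes the absolute lifetime entirely, so a session that always has background traffic never ends. A finite session timeout set comfortably above the idle timeout keeps a hard upper bound on how long a single authentication is good for while still letting the idle timeout do its job.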
02-27-2019 01:44 PM
Thanks a lot, everyone! It would appear adjusting the session timeout cured our VPN disconnect problem. As for the problem of the sessions not idling out, it would appear the PCs need to be set to go to sleep after a specific period of inactivity to register idle time on the firewall. Our default was just to require a password after 45 minutes. Without going to sleep, the PC apparently still sends traffic that the firewall sees as activity. Putting the PC to sleep rectifies this.