AnyConnect timeout

macgyver0099_1
Level 1

Hello,

 

We are having some trouble with our user VPN timeouts on our ASA5545, on which we are running Cisco Adaptive Security Appliance Software Version 9.8(3)16. Specifically, our VPN sessions are timing out after six hours as designed, but, not as designed, they are timing out whether or not the session is idle. Our intention is for the sessions to time out after six hours of inactivity, not just after six hours of VPN establishment. Our configs are below. Please note that we can only touch the AnyConnect policy. We cannot alter the Default policy, as that also affects our site-to-site VPN tunnels.

group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
 dns-server value 10.2.5.152 4.2.2.2
 vpn-idle-timeout 360
 vpn-session-timeout 360
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
 default-domain value ChorusCallInc.local
 split-dns value choruscallinc.local
 address-pools value vpn_pool

1 Accepted Solution


Rahul Govindan
VIP Alumni

Set "vpn-session-timeout" to none or a really high value. Your current setting specifies that the ASA terminate the session after a 6-hour period.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html

 

Thank you for your response. This worked partially. The session no longer times out while using it; however, it doesn't seem to time out at all, even though the idle timeout is still configured for six hours.

group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
 dns-server value 10.2.5.152 4.2.2.2
 vpn-idle-timeout 360
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
 default-domain value ChorusCallInc.local
 split-dns value choruscallinc.local
 address-pools value vpn_pool

This could depend on whether the session is really inactive. These days, there is always some sort of traffic originating from the client machine. A good check to do is to monitor the "show vpn-sessiondb anyconnect" output, as below:

Username     : rahul.govindan         Index        : 13815
Assigned IP  : y.y.y.y         Public IP    : x.x.x.x
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 24389727               Bytes Rx     : 4710923
Group Policy : Group-Policy Tunnel Group : SSL
Login Time   : 08:17:46 EST Tue Feb 26 2019
Duration     : 1h:18m:32s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : xxxxxxx
Security Grp : none 

You should see the inactivity timer go up to 360 minutes before it times out. Usually there is some traffic that causes the reset of this timer back to 0.
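The check described in the reply above can be scripted. The following is an added example, not part of the original post and not Cisco code: it parses saved "show vpn-sessiondb anyconnect" output and reports how many minutes each session has left before the 360-minute vpn-idle-timeout fires. The sample text is constructed, the function names are hypothetical, and only the "Nh:NNm:NNs" timer format shown on this page is assumed.

```python
import re

# Constructed sample in the layout of the "show vpn-sessiondb anyconnect"
# output quoted above; usernames and timer values are invented.
SAMPLE = """\
Username     : alice                  Index        : 101
Login Time   : 08:17:46 EST Tue Feb 26 2019
Duration     : 1h:18m:32s
Inactivity   : 0h:00m:00s

Username     : bob                    Index        : 102
Login Time   : 02:05:10 EST Tue Feb 26 2019
Duration     : 7h:31m:08s
Inactivity   : 5h:12m:40s
"""

FIELD = re.compile(r"^(Username|Duration|Inactivity)\s*:\s*(\S+)")
TIMER = re.compile(r"^(\d+)h:(\d+)m:(\d+)s$")


def to_minutes(timer):
    """Convert an 'Nh:NNm:NNs' timer to whole minutes, dropping seconds."""
    m = TIMER.match(timer)
    if not m:
        raise ValueError(f"unrecognised timer format: {timer!r}")
    hours, minutes, _ = map(int, m.groups())
    return hours * 60 + minutes


def parse_sessions(text):
    """Return one dict per session with duration/inactivity in minutes."""
    sessions = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Username":
            sessions.append({"user": value})  # a new session record starts here
        elif sessions:
            sessions[-1][key.lower()] = to_minutes(value)
    return sessions


def idle_report(text, idle_timeout_min=360):
    """Minutes left before vpn-idle-timeout fires, per session."""
    return {s["user"]: idle_timeout_min - s["inactivity"]
            for s in parse_sessions(text) if "inactivity" in s}


if __name__ == "__main__":
    for user, left in idle_report(SAMPLE).items():
        print(f"{user}: {left} min until idle disconnect")
```

Run against snapshots taken a few minutes apart, a session whose remaining time keeps returning to the full 360 minutes is one where client traffic is resetting the inactivity timer.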

 

 

Thanks a lot, everyone! It would appear adjusting the session timeout cured our VPN disconnect problem. And as for the problem of the sessions not idling out, it would appear the PCs need to be set to go to sleep after a specific period of inactivity to register idle time on the firewall. Our default was to just require a password after 45 minutes. But without going to sleep, the PC still apparently sends traffic that the firewall sees as activity. Putting the PC to sleep rectifies this.

I'm experiencing the same issue. I configured vpn-idle-timeout 300. 300 is 5 hours. However, if I wake up after a few seconds after connecting to the VPN, it will be disconnected immediately.