Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
8799
Views
4
Helpful
14
Replies

ASA5510 - Maximum connect time

Go to solution
James Walsh
Level 1
Level 1

‎01-06-2011 01:30 PM

Quick question.  I have configured the "Maximum Connect Time" as unlimited in my group policy but when a connection is established it shows a "Conn Time Out: 120 minutes".

The connection does get dropped with this timer.  Any idea how to actually make it unlimited and why it get sets to 120?

I having a problem with SSL phone clients dropping throughout the day and think this may be the cause.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-07-2011 03:18 PM

Great news. The "old" reboot trick solves the issue.

Please kindly mark your post as answered and rate useful posts so others can learn from your experience too. Thank you.

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎01-06-2011 01:45 PM

Can you please share the output of:

show run group-policy

as well as a screenshot of where it says "Conn Time Out: 120 minutes" pls.

And lastly after you are connected via SSL VPN, please obtain the output of:

show vpn-sessiondb detail svc filter name

Thanks.

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-06-2011 01:54 PM

Thanks Jennifer. 

All the requested outputs are attached.

78229-ASA-VPN-Timeout.rtf
Preview file
6 KB
0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-06-2011 08:05 PM

Seems like it's taking the default value instead of the modified value under group-policy phonevpn.

What authentication server are you using? and are you also doing ldap attribute mapping? can you share the full configuration pls?

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-06-2011 08:20 PM

that's exactly what we are seeing.  config attached.  any help is appreciated.

78253-asa-sh run.txt.zip
0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-06-2011 08:57 PM

Config looks perfect.

Can you try the following pls:

group-policy phonevpn attributes
  no vpn-session-timeout none

  vpn-session-timeout 35791394

That's 35791394 minutes == about 68 years.

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-06-2011 09:00 PM

I've tried that... but only did 720 minutes.  Didn't change. Reconnected and "Conn Time Out: 120 Minutes".  It's won't go higher than that.

any ideas?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-06-2011 09:06 PM

Sounds like a bug to me..

What about other group-policy (eg: salientvpn), can you try to connect and see if that has the same issue as that group-policy also has "vpn-session-timeout none" configured?

What about create a new tunnel-group and group-policy with the "vpn-session-timeout none", and see if that makes any difference.

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-06-2011 09:11 PM

It's happening on multiple policies from both phone clients and anyconnect on PC's.

I am with you.  I think it's a bug and am working with TAC right now.  If you have any more thoughts I would love to hear them.

Thanks for all your help!

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-06-2011 10:19 PM

You wouldn't by any chance have reloaded the ASA, have you?

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-07-2011 06:18 AM

No I have not.  Worth a shot?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-07-2011 02:56 PM

If it's happening on some policies, but not all, then I would suggest reloading the ASA. But if it's happening to all policies, then I would tend to think it's 99% a bug.

You might also want to try upgrading to the latest version of 8.2.x.

Go to solution
James Walsh
Level 1
Level 1
In response to Jennifer Halim

‎01-07-2011 03:15 PM

I ended up rebooting the ASA this morning and it fixed the issue.  Right away the timeout changed to what I had configured it to be and I was also able to make changes.

Here's the response from TAC.  Thanks for helping with this.  Much appreciated.

"I am glad that the issue was resolved on a reboot. Might be that svc sessions were stuck in the memory for some reason and the same sessions would be invoked every time you connected rather than tearing it down and creating a new svc session.

Once rebooted I believe the sessions stuck in memory were cleared and new sessions came up as a result the issue vanished. I shall surely update you as I have an update from the devs on this."

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to James Walsh

‎01-07-2011 03:18 PM

Great news. The "old" reboot trick solves the issue.

Please kindly mark your post as answered and rate useful posts so others can learn from your experience too. Thank you.

0 Helpful

Go to solution
todd_coughlin
Level 1
Level 1

‎04-18-2012 08:41 AM

I know this is an old thread, but I just got done troubleshooting and issue just like this. Some had actually changed the session-timeout setting on our RADIUS server (Mircosoft IAS on Server 2003). This setting would override the vpn-session-timeout on our ASA. We banged our heads for hours on this one!

0 Helpful
Top