04-25-2017 12:12 PM
Hey, not sure if anyone can help with this, but I have a Cisco 897 that I am using as a VPN gateway and I can't seem to find documentation on how to change the VPN session timeout. My router seems to be set to 59 minutes and I can't seem to change it; I have seen a bunch of posts on how to do it on an ASA but those commands don't seem to work on my router. I believe the IOS code I am using is 15.4.
Any help would be appreciated.
josh
04-25-2017 05:37 PM
Are you referring to the AnyConnect SSL VPN timeout?
04-26-2017 09:47 AM
It isn't the WebVPN, it is the IPsec VPN.
04-26-2017 12:46 PM
You might be tripping the idle timeout.
You can configure it globally with something like this:
crypto ipsec security-association idle-time 86400
Or per crypto map with something like:
crypto map cm-cryptomap ...
set security-association idle-time 86400
04-26-2017 12:49 PM
I don't think it is likely to be the maximum lifetime, but you could also try seeing if this has any impact.
Actually the default value for this one is 3600 seconds - 1 hour. So this could be your culprit.
crypto ipsec security-association lifetime seconds 86400
04-26-2017 01:12 PM
I tried the first 2 last night but will try the crypto ipsec tonight and see.
Thanks
josh
04-26-2017 07:09 PM
So I just checked my config and here is what I had:
(config)#do sho crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/86400 seconds
(config)# do sho crypto ipsec security-association idle-time
Security association idletime: 14400 seconds
For the crypto map, it doesn't let me change the setting; when I try to get in I get this:
crypto map XXXXXXX 1 ipsec-isakmp
Attempt to change dynamic map tag for existing crypto map is ignored.
Not sure where else I can go to make this change.
josh
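An added example, not part of any post in this thread: a short Python check that parses the two show outputs quoted above and reports which global timer, if any, falls near the roughly 59-minute drop. The function names and the 120-second tolerance are assumptions; it looks only at the global values, not per-crypto-map settings or the remote peer's configuration.

```python
import re

# Constructed sample: the two show outputs quoted in the thread, pasted together.
SAMPLE = """\
Security association lifetime: 4608000 kilobytes/86400 seconds
Security association idletime: 14400 seconds
"""

LIFETIME_RE = re.compile(
    r"Security association lifetime:\s*(\d+) kilobytes/(\d+) seconds")
IDLE_RE = re.compile(r"Security association idletime:\s*(\d+) seconds")


def parse_timers(text):
    """Return the global IPsec SA timers found in the show output."""
    timers = {}
    m = LIFETIME_RE.search(text)
    if m:
        timers["lifetime_kb"] = int(m.group(1))  # volume-based rekey limit
        timers["lifetime_s"] = int(m.group(2))   # time-based rekey limit
    m = IDLE_RE.search(text)
    if m:
        timers["idle_s"] = int(m.group(1))       # idle teardown timer
    return timers


def candidates(timers, observed_drop_s, tolerance_s=120):
    """Names of time-based timers within tolerance_s of the observed drop.

    tolerance_s is an assumed margin for reporting a match, not a Cisco value.
    """
    return sorted(
        name for name in ("lifetime_s", "idle_s")
        if name in timers and abs(timers[name] - observed_drop_s) <= tolerance_s
    )


if __name__ == "__main__":
    observed = 59 * 60  # the 59-minute drop reported in the first post
    configured = parse_timers(SAMPLE)
    print("configured timers:", configured)
    print("timers near the drop:", candidates(configured, observed))
    # For comparison: the 3600-second default lifetime mentioned in the thread.
    print("with default lifetime:", candidates({"lifetime_s": 3600}, observed))
```

With the values posted above, neither global timer is near 59 minutes, while a 3600-second lifetime would be.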