Hi everyone, I have been working on my technical writing skills recently, and saw an opportunity to write while troubleshooting an AnyConnect idle timeout issue. While the official documentation states everything I have below, for my understanding it helped to write everything out, including a demonstration of how the timers work. I welcome any corrections or pointers anyone may have.
Setting idle timeouts for Cisco AnyConnect can be tricky. Thankfully, if you approach it from the correct angle, it can be easy.
Our starting code does not contain any type of timeout. This connection will stay up as long as the machine is not asleep. Our objective here is to set a 15 minute idle timeout, so let’s look at how we do that.
In this instance the idle timer is reset only by traffic sent across the tunnel. We are only capturing traffic going to the 192.168.0.0/24 subnet; any other traffic will be ignored.
A user can be actively using their machine, and as long as they are not accessing resources behind that network the VPN will time out.
Approximate time from idle to timeout: 15 minutes.
While this approach works, it has one glaring problem: it is missing local DNS. If that is something you can live without, great; otherwise we will need to specify a DNS server on the AnyConnect connection.
Let’s add 192.168.0.1 as the DNS server.
group-policy anyconnect-group-policy attributes
 dns-server value 192.168.0.1
Now 192.168.0.1 will act as the primary DNS server for any machine connected via AnyConnect. Any DNS queries will travel across the tunnel, keeping it active even if no VPN resources are currently being accessed. There are usually DNS queries going on in the background that will keep the tunnel active after the machine goes “idle”. In field experience, this amounts to roughly 3 minutes. To accommodate this we will reduce the idle timeout value by 3 minutes. Thankfully the 3 minute rule of thumb appears to stay the same even as you scale the time up and down.
You can stop at this point, however it leaves out a few very useful features.
Why do I need DPD?
SSL Dead Peer Detection (DPD) checks for dead peers, usually your host ASA on your AnyConnect session. DPD will generate traffic at regular intervals during the VPN session. This traffic will reset the idle timeout counter. The DPD time value has to be higher than the idle timeout, otherwise DPD traffic will keep the tunnel open indefinitely.
Because DPD is measured in seconds, we will set its value to 1200, or 20 minutes.
Let T be the time from idle until the VPN times out (in minutes):
Min T = Timeout value
  12 = 12
Max T = Timeout value + Timeout value + DNS offset
  27 = 12 + 12 + 3
Average T = Timeout value + DNS offset
  15 = 12 + 3
So the average T is 15 minutes.
But we're not done yet; let’s also add SSL Rekeys onto our profile. An SSL Rekey changes the SSL key mid-session. This can help prevent a man-in-the-middle attack from snooping on encrypted data. SSL Rekeys are measured in minutes. A rekey is recommended at 30 minute intervals, so we will do 30 minutes. Keep in mind that the rekey interval must be longer than the timeout period, otherwise it will keep the session open.
We can see that our average timeout is still going to be 15 minutes. Assuming that DPD will generate traffic during this time period we now have a timeout window between 12 and 27 minutes, with an average of 15.
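To check the 12 to 27 minute window above, here is a small simulation I wrote as an added example (it is not from the post or from Cisco). It assumes one background DNS query per minute during the 3 minute offset, a DPD probe landing at an arbitrary point in its 20 minute cycle, and that any tunnel traffic resets the idle counter; it also shows what happens when the DPD interval is shorter than the idle timeout.

```python
"""Added example: how the idle timer, background DNS and DPD keepalives
interact, using the post's values. All times are in seconds."""

IDLE_TIMEOUT = 12 * 60   # idle timeout after subtracting the 3 min DNS offset
DNS_OFFSET = 3 * 60      # background DNS keeps the tunnel busy this long after idle
DPD_INTERVAL = 20 * 60   # DPD keepalive interval (must exceed the idle timeout)
HORIZON = 24 * 3600      # give up if the tunnel has not dropped within a day


def traffic_events(dns_offset, dpd_interval, dpd_phase, horizon=HORIZON):
    """Constructed tunnel traffic after the user goes idle at t=0: one
    background DNS query per minute until dns_offset (assumption), plus a
    DPD probe every dpd_interval seconds, the first one landing at dpd_phase."""
    dns = range(60, dns_offset + 1, 60)
    dpd = range(dpd_phase, horizon, dpd_interval)
    return sorted(set(dns) | set(dpd))


def time_to_drop(idle_timeout, dns_offset, dpd_interval, dpd_phase):
    """Seconds from user idle until the ASA tears the tunnel down, or None
    if keepalives keep resetting the idle counter for the whole HORIZON."""
    last_traffic = 0  # the user's own last packet, at t=0
    for t in traffic_events(dns_offset, dpd_interval, dpd_phase):
        if t >= last_traffic + idle_timeout:
            break              # the counter expired before this packet arrived
        last_traffic = t       # any traffic across the tunnel resets the counter
    drop = last_traffic + idle_timeout
    return drop if drop <= HORIZON else None


def timeout_window(idle_timeout=IDLE_TIMEOUT, dns_offset=DNS_OFFSET,
                   dpd_interval=DPD_INTERVAL):
    """(min, max) drop time over every possible DPD phase, or None when some
    phase never drops (DPD interval too short to let the idle timer expire)."""
    drops = [time_to_drop(idle_timeout, dns_offset, dpd_interval, phase)
             for phase in range(dpd_interval)]
    if any(d is None for d in drops):
        return None
    return min(drops), max(drops)


if __name__ == "__main__":
    for label, dns in (("no local DNS", 0), ("DNS via tunnel", DNS_OFFSET)):
        lo, hi = timeout_window(dns_offset=dns)
        print(f"{label}: tunnel drops {lo / 60:.1f} to {hi / 60:.1f} min after idle")
    print("DPD at 10 min:", timeout_window(dpd_interval=10 * 60))  # None
```

Without local DNS the window is 12 to 24 minutes; with DNS over the tunnel it is 15 to just under 27 minutes, and a 10 minute DPD interval never lets the tunnel drop at all.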