Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4458
Views
5
Helpful
3
Replies

Cisco Anyconnect not resuming after computer sleep over non-vpn firewall

emily00001
Level 1
Level 1

‎02-13-2017 01:13 PM - edited ‎02-21-2020 09:09 PM

I have an ASA5516X running 9.5(3) without a VPN configuration but a user pointed out to me that she needs to reconnect her Anyconnect VPN after computer sleeps when on a WLAN passing traffic through the aforementioned ASA while the problem isn't present at home or other locations. Is there any setting I can adjust in order to allow the VPN to resume?

The thing that pops to mind is that I have a one hour DHCP lease but also a high client turnover so it makes sens to keep it low.

I'm unfortunately not able to provide details about the Anyconnect setup as it's maintained by a 3rd party.

Labels:
0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-13-2017 03:48 PM

One possibility could be the TCP timeout, which by default is set to 1 hour on the ASA. So if the devices goes to sleep and comes back up after an hour, it might not have an established connection through the ASA, which might require it to start a new connection again. You can set a separate timeout for different traffic flows using MPF on the ASA rather than changing the global default.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68332-pix7x-connection-timeout.html

emily00001
Level 1
Level 1
In response to Rahul Govindan

‎02-14-2017 01:04 AM

Thanks! I'll give it a try and report back if it worked.

0 Helpful

emily00001
Level 1
Level 1
In response to Rahul Govindan

‎03-01-2017 10:54 AM

I have implemented the following.

access-list outside_mpc_timeout extended permit tcp any any eq https

class-map anyconnectvpn
  match access-list outside_mpc_timeout

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
class anyconnectvpn
  set connection timeout idle 2:00:00
!

service-policy global_policy interface outside

I guess what I don't like about it is that the anyconnect TCP connection is over SSL 443 so it will include all https traffic. It might make more sense to add the IP addresses of the VPN servers instead but then it requires manual work every time someone has a different VPN provider. There isn't any way to do this by traffic classification, I noted ipsec-pass-thru is available for inspection but would there be some way of adding different timeout based on that?

0 Helpful
Customers Also Viewed These Support Documents