02-13-2017 01:13 PM - edited 02-21-2020 09:09 PM
I have an ASA5516X running 9.5(3) without a VPN configuration, but a user pointed out to me that she needs to reconnect her AnyConnect VPN after her computer sleeps when on a WLAN passing traffic through the aforementioned ASA, while the problem isn't present at home or other locations. Is there any setting I can adjust in order to allow the VPN to resume?
The thing that pops to mind is that I have a one hour DHCP lease, but I also have a high client turnover, so it makes sense to keep it low.
I'm unfortunately not able to provide details about the AnyConnect setup as it's maintained by a 3rd party.
02-13-2017 03:48 PM
One possibility could be the TCP timeout, which by default is set to 1 hour on the ASA. So if the device goes to sleep and comes back up after an hour, it might not have an established connection through the ASA anymore, which might require it to start a new connection again. You can set a separate timeout for different traffic flows using MPF on the ASA rather than changing the global default.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68332-pix7x-connection-timeout.html
02-14-2017 01:04 AM
Thanks! I'll give it a try and report back if it worked.
03-01-2017 10:54 AM
I have implemented the following:
access-list outside_mpc_timeout extended permit tcp any any eq https
class-map anyconnectvpn
 match access-list outside_mpc_timeout
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class anyconnectvpn
  set connection timeout idle 2:00:00
!
service-policy global_policy interface outside
I guess what I don't like about it is that the AnyConnect TCP connection is over SSL 443, so it will include all HTTPS traffic. It might make more sense to add the IP addresses of the VPN servers instead, but then it requires manual work every time someone has a different VPN provider. There isn't any way to do this by traffic classification; I noted ipsec-pass-thru is available for inspection, but would there be some way of adding a different timeout based on that?
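The narrower variant discussed in the last post, as an added example that is not from the thread's posters: instead of matching every HTTPS flow, the class matches only TCP 443 to the VPN server addresses kept in a network object-group, so adding a new VPN provider is one network-object line rather than a new ACL and class. The addresses 203.0.113.10 and 198.51.100.20 are constructed placeholders (documentation ranges), and the object-group name VPN_SERVERS is an assumed name; the class-map, policy-map and ACL names are the ones already used above.

```text
! Constructed placeholders: replace with the real AnyConnect head-end addresses.
! Assumed object-group name: VPN_SERVERS
object-group network VPN_SERVERS
 network-object host 203.0.113.10
 network-object host 198.51.100.20
!
! Match only TLS (TCP 443) from inside hosts to the listed VPN servers,
! not all HTTPS leaving the outside interface.
access-list outside_mpc_timeout extended permit tcp any object-group VPN_SERVERS eq https
!
class-map anyconnectvpn
 match access-list outside_mpc_timeout
!
policy-map global_policy
 class anyconnectvpn
  ! Only the matched flows get the longer idle timeout; the global
  ! "timeout conn" default (1 hour) still applies to everything else.
  set connection timeout idle 2:00:00
!
service-policy global_policy interface outside
```

Two checks worth doing after applying it: `show service-policy interface outside` confirms the class is attached and counts packets hitting it, and `show conn address 203.0.113.10` (with the real server address) shows the per-flow idle timer the ASA is actually applying. One caveat: this class matches TCP only, so if the client also negotiates DTLS (UDP 443 by default for AnyConnect), that flow is governed by the separate, much shorter global UDP timeout (2 minutes by default) and would need its own `udp` entry in the ACL if it also turns out to matter for the reconnect behaviour.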