7637 Views, 30 Helpful, 3 Replies

Drawbacks with Always-ON VPN with Anyconnect Solution

Ricky S (Level 3)

Good morning, we have a large deployment of geographically dispersed AnyConnect VPN access where roughly 2000 users connect remotely each day. For security and resource preservation, I have the VPN connection timeout configured for 12 hours. After 12 hours, the connection must be re-established. This allows me to free up IP addresses on the VPN gateway and is also good for security (in my opinion anyway, why leave a door open if it's not needed?)

Lately, however, we are getting more and more requests to change that, where they are asking for an always-on VPN connection for remote access users. Obviously, this won't always work, since home internet connections go up and down, and there are other issues. However, I wanted to get the community's take on this. Let me know what you all think.

Cheers

3 Replies

Yes, you are right. Having so many VPN connections, it does make sense to free up some space, both from the security side and from the resource side.

Always On will keep the VPN connected to the ASA as long as the computer/laptop is powered on and connected to the internet.

But again, you can look at something like ISE posture with AnyConnect to make your ground more robust and tighten security, with ISE giving you the logging. Something you can consider?

Have a look at Always On; there are some options you can take in.

Actually, the Cisco document says you can use the idle timeout with Always On VPN: "The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the ASA group policy) expires. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session."

Please do not forget to rate.

https://cordero.me/cisco-asa-vpn-timeouts/

Check the VPN idle and session timeout.

Mike.Cifelli (VIP Alumni)

Lately, we are getting more and more requests to change that however where they are asking for an always-ON VPN connection for remote access users.

-Sharing my two cents in regard to always-on. Always-on will increase your security posture by ensuring that your domain/enterprise clients, when used remotely and/or not on a trusted network, always attempt a VPN connection back to your trusted network.

Also, there are some considerations you will want to look into, such as:

-Will clients require any local/internet access to specific resources that your organization already allows outside of your "trusted network"? If so, you can add an allow list to permit connectivity to desired hosts even if Always-On fails. This gets configured in the VPN profile via this XML tag: <AllowedHosts>

-If users will end up needing to use a captive portal to connect to other LANs, such as one at a hotel, etc., then you will want to enable captive portal support too, so that users can locally connect to the respective network and then AC will use Always-On VPN.

-Determine your failure policy that meets your organization needs. See here for more info: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html#topic_BD02A53E0A714E23A56850698C830A6C
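To make the three considerations above concrete, here is an added example (my own code, not from this thread or from Cisco) that audits an AnyConnect client profile's Always-On section and reports a fail-open ConnectFailurePolicy, a Closed policy with no AllowedHosts exception, and disabled captive portal remediation. The sample profiles are constructed, and the element names and nesting are my recollection of the profile XML schema, so treat them as assumptions and compare against a profile exported from your own Profile Editor.

```python
import xml.etree.ElementTree as ET
# AnyConnect profiles use this default namespace; element names below follow
# the profile schema as I recall it (assumption: check a profile exported from
# your own Profile Editor before relying on this).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
# Constructed sample profile, not a real deployment: Always-On is enabled but
# with the permissive settings discussed above.
WEAK_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open</ConnectFailurePolicy>
        <AllowCaptivePortalRemediation>false</AllowCaptivePortalRemediation>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""
# The same profile with the settings Mike lists: fail closed, keep an allow list
# for hosts that must stay reachable without the tunnel, and let users clear a
# captive portal first. Host values are constructed placeholders.
HARDENED_PROFILE = (
    WEAK_PROFILE
    .replace("<ConnectFailurePolicy>Open", "<ConnectFailurePolicy>Closed")
    .replace("<AllowCaptivePortalRemediation>false", "<AllowCaptivePortalRemediation>true")
    .replace("</AlwaysOn>", "  <AllowedHosts>portal.example,10.20.0.0/16</AllowedHosts>\n      </AlwaysOn>")
)

def _text(root, name):
    """Stripped text of the first element called `name`, or '' if absent."""
    el = root.find(f".//ac:{name}", NS)
    return (el.text or "").strip() if el is not None else ""

def audit_always_on(profile_xml):
    """Return a list of findings about a profile's Always-On section."""
    root = ET.fromstring(profile_xml)
    if _text(root, "AutomaticVPNPolicy").lower() != "true":
        return ["AutomaticVPNPolicy off: Always-On cannot take effect"]
    if _text(root, "AlwaysOn").lower() != "true":
        return ["AlwaysOn off: clients are not forced onto the VPN when off the trusted network"]
    findings = []
    policy = _text(root, "ConnectFailurePolicy") or "unset"
    if policy.lower() != "closed":
        findings.append(f"ConnectFailurePolicy={policy}: traffic flows unprotected when the VPN is unreachable (fail-open)")
    elif not _text(root, "AllowedHosts"):
        findings.append("ConnectFailurePolicy=Closed without AllowedHosts: no local/internet exception if Always-On fails")
    if _text(root, "AllowCaptivePortalRemediation").lower() != "true":
        findings.append("AllowCaptivePortalRemediation off: users cannot clear a hotel/guest portal before the tunnel comes up")
    return findings
```

Whether Open or Closed is the right failure policy is the organizational decision Mike refers to; the script only surfaces which one a profile actually carries.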