FTD RAVPN – VPN session Timeout config issue

uRLKuzE (Level 1)

Dear community,

I have a strange behavior with the VPN session timeout configuration of our RAVPN (running on FTD 7.6.4, managed by FMC).

At first, it was set as unlimited on the FMC (appearing as vpn-session-timeout none in the running configuration of the FTD), but I saw that the session duration was 720 min (shown as such on the Secure Client and in the session information on the FTD CLI).

So, to extend the session duration, I changed it on the FMC to 2880 minutes, and it is reflected in the configuration of my group policy:

group-policy GROUP-POLICY attributes
 banner none
 wins-server none
 dns-server value x.x.x.x x.x.x.x
 dhcp-network-scope none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout 2880
 vpn-session-timeout alert-interval 1

But looking at the Secure Client and at the session on the FTD, I see that my session duration is still 720 min:

SSL-Tunnel:
  Tunnel ID    : 1919.2
  Assigned IP  : x.x.x.x                 Public IP    : x.x.x.x
  Encryption   : AES-GCM-128            Hashing      : SHA256
  Ciphersuite  : TLS_AES_128_GCM_SHA256
  Encapsulation: TLSv1.3                TCP Src Port : 52308
  TCP Dst Port : 443                    Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 5 Minutes
  Conn Time Out: 720 Minutes            Conn TO Left : 695 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 5.1.14.145
  Bytes Tx     : 7573                   Bytes Rx     : 173
  Pkts Tx      : 1                      Pkts Rx      : 1
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

DTLS-Tunnel:
  Tunnel ID    : 1919.3
  Assigned IP  : x.x.x.x                 Public IP    : x.x.x.x
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 63567
  UDP Dst Port : 443                    Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Conn Time Out: 720 Minutes            Conn TO Left : 695 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 5.1.14.145
  Bytes Tx     : 48949566               Bytes Rx     : 13561931
  Pkts Tx      : 55657                  Pkts Rx      : 37810
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

I've looked in the documentation and on the device itself, and I can't find where that 720 might be configured. It doesn't seem to be a parameter on the Secure Client either, and I don't see how I could configure it via the VPN editor.

Do you have an idea of what's going on here? Thank you.

1 Accepted Solution

Accepted Solutions

Hello @uRLKuzE,

I've seen this line "Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3", which is sent from ISE. I'm pretty sure the session-timeout value is overridden by ISE: check your authorization profile and make sure that reauthentication is not checked, because RADIUS will override the GP value with the AV pair "session-timeout".

The AuthZ profile should not be assigned to other authorization policies, to avoid any impact; if it is, create a new one.

You can also control remote VPN session/idle timeouts from ISE based on users/groups.

If this resolved your issue, please mark it as "Accepted as a solution"!

Regards!


12 Replies

Hi @uRLKuzE, after the changes, did the client reconnect to the VPN? If not, try reauthenticating and check the tunnel information.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Yes, I reauthenticated and even rebooted the device, but the session timeout doesn't change. Every new user who connects to the VPN still has their session timeout at 720 minutes.

Amine ZAKARIA (Spotlight)

Hello @uRLKuzE,

Under the remote VPN configuration, did you reference the group policy "GROUP-POLICY" instead of the default group policy?

Regards!

Yes, "GROUP-POLICY" is the one configured on our connection profile, which is used by every user, and all of them have the issue with the timeout still at 720 minutes.

@uRLKuzE 

I will test it tonight in my lab, and let you know.

Regards!

@uRLKuzE ,

I did lab it and it worked without issue!

[screenshot attachment: AmineZAKARIA_1-1779220277390.png]

Could you share with me the full output of "show vpn-sessiondb detail anyconnect", with the public IP/username fields hidden?

Regards!

uRLKuzE (Level 1)

Thanks for your test. Below is the output of my current session, and also the configuration of my group policy, in which I've configured the timeout to 2880:

Session Type: AnyConnect Detailed

Username : xxxx Index : 2134
Assigned IP : x.x.x.x Public IP : x.x.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14496084 Bytes Rx : 4299538
Pkts Tx : 18874 Pkts Rx : 12355
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GROUP-POLICY Tunnel Group : VPN
Login Time : 11:24:06 UTC Wed May 20 2026
Duration : 0h:01m:29s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : d9465712008560006a0d99d6
Security Grp : 21 Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 2134.1
Public IP : x.x.x.x
Encryption : none Hashing : none
TCP Src Port : 49959 TCP Dst Port : 443
Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 720 Minutes Conn TO Left : 718 Minutes
Client OS : win
Client OS Ver: 10.0.22631
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.14.145
Bytes Tx : 7574 Bytes Rx : 0
Pkts Tx : 1 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID : 2134.2
Assigned IP : x.x.x.x Public IP : x.x.x.x
Encryption : AES-GCM-128 Hashing : SHA256
Ciphersuite : TLS_AES_128_GCM_SHA256
Encapsulation: TLSv1.3 TCP Src Port : 50167
TCP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
Conn Time Out: 720 Minutes Conn TO Left : 718 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.14.145
Bytes Tx : 7574 Bytes Rx : 173
Pkts Tx : 1 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

DTLS-Tunnel:
Tunnel ID : 2134.3
Assigned IP : x.x.x.x Public IP : x.x.x.x
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 55577
UDP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 720 Minutes Conn TO Left : 718 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.14.145
Bytes Tx : 14480936 Bytes Rx : 4299365
Pkts Tx : 18872 Pkts Rx : 12354
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3

group-policy GROUP-POLICY attributes
banner none
wins-server none
dns-server value x.x.x.x
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout 2880
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value Local_Lan_Access
default-domain value encara.local.ads
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
vlan none
address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value none
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable

 


Thank you. I thought about it, but the authorization profile we're using is not configured for reauthentication or with the RADIUS session-timeout value:

[screenshot attachment: uRLKuzE_0-1779861793029.png]

I've opened a TAC case about this; I'll keep you updated.

Hello @uRLKuzE,

Are you sure it is matching the correct authorization policy, the one that has the AuthZ profile shown?

The last check I would do is to launch a tcpdump from the ISE GUI with a host filter for the NAS IP (the FTD's RADIUS source IP for authentication) and see whether these values are sent by ISE to the FTD.

Feel free to PM me if you want to analyse that tcpdump.

Thanks!
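As an added illustration of the mechanism discussed in the accepted answer and in the tcpdump suggestion above (example code written for this page, not code from the thread, from Cisco or from ISE): a small Python decoder for the RADIUS Access-Accept that ISE returns to the FTD. It shows how a Session-Timeout attribute (type 27, value in seconds) carried alongside the dACL AV-pair maps onto the 720-minute "Conn Time Out" the FTD reports, while an Access-Accept without that attribute leaves the group-policy vpn-session-timeout in force. The packets are constructed in the script with a zeroed Response Authenticator (no shared secret is involved); the attribute numbers come from RFC 2865; the "ACS:CiscoSecure-Defined-ACL=" prefix and the Class value are assumptions about ISE's encoding and are labelled as such in the code.

```python
import struct

# RADIUS packet code and attribute types from RFC 2865 (standard values, not assumptions).
ACCESS_ACCEPT = 2
CLASS = 25
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27      # value: seconds the session may last before the NAS ends it
IDLE_TIMEOUT = 28         # value: seconds of inactivity
TERMINATION_ACTION = 29   # 0 = Default (disconnect), 1 = RADIUS-Request (re-authenticate)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type of Cisco-AVPair inside the VSA
# Assumption: the AV-pair prefix ISE uses to name a downloadable ACL; only the prefix is assumed,
# the ACL name itself is the one visible in the thread's "Filter Name" field.
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: Type (1 byte), Length (1 byte, counts the header), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute (vendor 9, vendor type 1)."""
    payload = text.encode()
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(payload)]) + payload
    return attr(VENDOR_SPECIFIC, vsa)


def build_access_accept(identifier: int, attrs: list) -> bytes:
    """Constructed Access-Accept; the 16-byte Response Authenticator is zeroed for this sample."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list, rejecting malformed lengths instead of reading past them."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def decode_timeouts(attrs: list) -> dict:
    """Pull out the attributes that decide a VPN session's lifetime and the applied dACL."""
    info = {"session_timeout_s": None, "idle_timeout_s": None,
            "termination_action": None, "dacl": None, "avpairs": []}
    for attr_type, value in attrs:
        if attr_type == SESSION_TIMEOUT:
            info["session_timeout_s"] = struct.unpack("!I", value)[0]
        elif attr_type == IDLE_TIMEOUT:
            info["idle_timeout_s"] = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION:
            info["termination_action"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pos = 4
            while pos + 2 <= len(value):
                vtype, vlen = value[pos], value[pos + 1]
                if vlen < 2 or pos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                if vtype == CISCO_AVPAIR:
                    text = value[pos + 2:pos + vlen].decode()
                    info["avpairs"].append(text)
                    if text.startswith(DACL_PREFIX):
                        info["dacl"] = text[len(DACL_PREFIX):]
                pos += vlen
    return info


def effective_session_timeout_min(group_policy_min, radius_info: dict):
    """group_policy_min=None models 'vpn-session-timeout none'. A RADIUS Session-Timeout wins
    whenever it is present, whether it is shorter or longer than the group-policy value."""
    if radius_info["session_timeout_s"] is not None:
        return radius_info["session_timeout_s"] // 60, "RADIUS Session-Timeout (attribute 27)"
    return group_policy_min, "group-policy vpn-session-timeout"


# Constructed sample 1: an ISE authorization profile with reauthentication set to 720 minutes
# (RADIUS-Request) plus the dACL seen in the thread. Class value is a made-up placeholder.
REAUTH_ACCEPT = build_access_accept(0x42, [
    attr(SESSION_TIMEOUT, struct.pack("!I", 720 * 60)),
    attr(TERMINATION_ACTION, struct.pack("!I", 1)),
    cisco_avpair(DACL_PREFIX + "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"),
    attr(CLASS, b"CACS:constructed-session-id"),
])
# Constructed sample 2: same dACL, no reauthentication timer.
PLAIN_ACCEPT = build_access_accept(0x43, [
    cisco_avpair(DACL_PREFIX + "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-57f6b0d3"),
])

if __name__ == "__main__":
    for label, pkt in (("with reauth timer", REAUTH_ACCEPT), ("without reauth timer", PLAIN_ACCEPT)):
        info = decode_timeouts(parse_attributes(pkt))
        print(label, info, effective_session_timeout_min(2880, info))
```

Run stand-alone, the first packet yields a 720-minute effective timeout from attribute 27 even though the group policy says 2880, which is exactly the symptom in the thread; the second packet falls back to the group-policy value. The same decoder can be pointed at the attribute bytes of a real Access-Accept pulled from the ISE tcpdump suggested above, once the RADIUS header is located in the UDP payload.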

Ok, found it!

It was in the first AuthZ profile matched, the one that triggers the posture check of the user's device; in this one, reauthentication is configured at 720 minutes, I don't know why:

[screenshot attachment: uRLKuzE_0-1779881243268.png]

I'll see to change that, thank you very much for your help. 

@uRLKuzE 

Glad to help!