How to make the VPN client time out automatically when it is still idle?

Zhenya Luo

Hi, I found that some users are still connected to the VPN even if they are not using any VPN resources.

I tried to set an "idle timeout" in the VPN configuration.

We use a PIX 515 running 8.0.3 and Cisco ACS 4.2 for the VPN connections and authentication, and the users connect with the Cisco VPN Client.

I have tried many methods, but all of them failed.

First, I configured "vpn-idle-timeout 5" on the PIX. It did not work.

So I added the RADIUS (Cisco VPN 3000/ASA/PIX 7.0+) attribute "[026/3076/050] Authenticated-User-Idle-Timeout" on Cisco ACS. It still did not work.

And I also added the IETF RADIUS attribute "[028] Idle-Timeout" in the group settings on ACS; it still did not work.

I found in the VPN client's statistics that there are always some bytes sent or received; I thought it might be IPsec keepalive messages or RADIUS messages.

This may be the reason, because the PIX or ACS thinks the VPN user is still working.

Can someone tell me how to make an "idle timeout" work?

Best regards,

Roger


Zhenya Luo

Here is the configuration on the PIX:

group-policy DfltGrpPolicy attributes
 wins-server value 10.0.0.67 10.0.0.68
 dns-server value 10.0.0.67 10.0.0.68
 vpn-simultaneous-logins 20
 vpn-idle-timeout 5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-acl
 default-domain value mydomain.com
 address-pools value vpnpool

An inactivity timeout on a VPN with Windows devices connecting to a corporate network is almost impossible.

Something is almost always 'chatting' in the background (Active Directory / drive mappings / e-mail systems).

A forced re-authentication after a period (12 or 24 hours) is about as good as it gets.

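The approach the second reply recommends, written out as an added example against the group-policy the original poster pasted (this is not the poster's configuration or a Cisco-supplied one). The idle timer (vpn-idle-timeout, in minutes) is reset by any traffic crossing the tunnel, so the background chatter described above keeps it from ever expiring; the absolute limit (vpn-session-timeout, also in minutes) tears the session down regardless of activity and forces a fresh authentication. The server addresses, ACL name, pool name and domain are taken from the pasted config; the 30-minute idle value and the 12-hour session value are assumptions chosen to illustrate the two timers side by side.

```cisco
! Added example, not the poster's own config. Timer values are assumptions.
group-policy DfltGrpPolicy attributes
 wins-server value 10.0.0.67 10.0.0.68
 dns-server value 10.0.0.67 10.0.0.68
 vpn-simultaneous-logins 20
 ! Inactivity timer in minutes. Any packet through the tunnel resets it,
 ! including AD, drive-mapping and mail traffic from a domain-joined
 ! Windows client, so on its own it rarely fires.
 vpn-idle-timeout 30
 ! Absolute session limit in minutes (720 = 12 hours). Fires whether or
 ! not the tunnel is idle and forces the user to re-authenticate.
 vpn-session-timeout 720
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-acl
 default-domain value mydomain.com
 address-pools value vpnpool
```

Two checks before concluding that a timer "does not work". First, confirm which group-policy the session actually received with `show vpn-sessiondb detail remote`: if ACS returns a group-policy name (Cisco VSA 25 Group-Policy, or an IETF Class attribute of the form OU=name), that policy's timers apply instead of DfltGrpPolicy's. Second, if the limit is to come from ACS rather than the PIX, the absolute limit is the IETF attribute [027] Session-Timeout, which is expressed in seconds, whereas the local vpn-session-timeout command takes minutes.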