How to notify users when they are timed out?

jparker00001
Level 1

So I am a developer for a Fortune 500 company, and the network infrastructure team came to me with an odd request for an application that taps into AnyConnect. I find it hard to believe that this functionality doesn't exist.

So here is the scenario. We have AnyConnect set up to not have an idle timeout. However, we have it set up to disconnect after 12 hours.

Here is the problem. When the end user meets that 12 hours, it just disconnects on them. There are no warning messages, no messages they have been disconnected. Just the connection is terminated.

So my question is: is there any way to set this up to notify the user that they have been disconnected and need to reconnect? Is there a way to notify them in advance that they will be disconnected in, say, 30 minutes?

They want me to create an application that periodically checks the connection time by executing

C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client>vpncli stats traffic

Getting the time connected, then if they are nearing the timeout time, start presenting the user with a warning.

So that's basically my question. Is there no way to set this up in AnyConnect? If we are supposed to see these messages, is it something our team might have disabled?

We are using AnyConnect 3.1.01065 on Windows XP and Windows 7.
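
The polling approach described in the question, as an added example (not code from this thread or from Cisco): it parses the connected time out of the CLI output and flags the session once it is within 30 minutes of the 12-hour limit. The `Time Connected: HH:MM:SS` line format and the sample output are assumptions; check them against what your client actually prints.

```python
import re
import subprocess
import time
from datetime import timedelta

# Install path as shown in the post; called by absolute path, without a shell.
VPNCLI = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe"
SESSION_LIMIT = timedelta(hours=12)   # forced disconnect described in the post
WARN_WINDOW = timedelta(minutes=30)   # advance notice asked for in the post

# ASSUMPTION: the stats output has a line "Time Connected: HH:MM:SS".
TIME_RE = re.compile(r"^\s*Time Connected:\s*(\d+):(\d{2}):(\d{2})\s*$", re.M)

# Constructed sample output, not captured from a real client.
SAMPLE_STATS = """\
[ Connection Information ]
    State:             Connected
    Time Connected:    11:42:10
"""

def connected_for(stats_text):
    """Return the elapsed session time, or None if no connection is reported."""
    m = TIME_RE.search(stats_text)
    if m is None:
        return None
    h, mi, s = (int(g) for g in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)

def session_status(stats_text, limit=SESSION_LIMIT, warn=WARN_WINDOW):
    """Return (state, remaining); state is disconnected, ok, warn or expired."""
    elapsed = connected_for(stats_text)
    if elapsed is None:
        return ("disconnected", None)
    remaining = limit - elapsed
    if remaining <= timedelta(0):
        return ("expired", timedelta(0))
    return ("warn" if remaining <= warn else "ok", remaining)

def read_stats():
    """Run the command from the post and return its text output."""
    out = subprocess.run([VPNCLI, "stats", "traffic"], stdout=subprocess.PIPE,
                         universal_newlines=True, timeout=30)
    return out.stdout

if __name__ == "__main__":
    while True:                       # poll once a minute
        state, remaining = session_status(read_stats())
        if state == "warn":
            print(f"VPN session ends in about {remaining}; save work and reconnect.")
        time.sleep(60)
```

The warning is advisory only: the 12-hour limit is still enforced by the VPN headend, so a missing or stopped notifier does not extend the session.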

1 Accepted Solution

Michael Muenz
Level 5

You don't have an idle timeout but will force disconnect after 12 hours? Does this really make sense?

There's no way to do this with AnyConnect.

I'd try to script it with SNMP queries (if available) or generally query ASA VPN status centrally. Then you could send net sends via NetBIOS ...

Also you could try to script inside AnyConnect "on-connect":

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html#wp1068902

Michael Please rate all helpful posts

>> You don't have an idle timeout but will force disconnect after 12 hours? Does this really make sense?

Actually yes, at least in our environment. Using Citrix applications and VT terminal applications, they need a constant connection. If the user disconnected, say via an idle timeout, then their sessions into these applications can and will hang. Not only that, if the older VT terminal sessions hang during a process that locks records or tables, then it is locked for everyone. They have to call our helpdesk and have them kill the user. Citrix gets a little wacky as well if the user just blindly disconnects. So idle timeouts are actually a bad thing. Also, a user might, through a terminal session or through a Citrix connection, start a long-running transaction. For example, a blueprint sent off to a render farm could take 3-4 hours to render; some have even taken 10 hours. So a user may start a process and then go away, especially on the weekend.

So while there are issues with the internet in general that can cause disconnects, most of this software will try reconnecting from the server to the client several times before finally giving up. So a quick break in internet connectivity is not an issue; an idle timeout where it doesn't reconnect until the user returns doesn't work.


Thanks for the link though, that will help