12-01-2011 01:08 PM
The Cisco VPN client is disconnected after 4 hours of inactivity. Is there a setting on the ASA that would timeout after 4 hours? I want to disable this setting. I am running IOS 8.2(4).
Thanks.
Diane
12-01-2011 01:30 PM
The Cisco ASA firewalls have a default 30 minute vpn-idle-timeout value configured in the default group policy.
Other than that, the Phase 1 and Phase 2 security associations will be deleted after the configured SA lifetime value expires.
I'm curious to know why you'd like the tunnel to remain active even if traffic is not traversing it. As soon as traffic is generated, the IKE negotiation will begin and the tunnel will be established.
The only way to prevent the tunnel from tearing itself down after the lifetime value is reached would be to periodically send traffic across it to force it to rekey, as opposed to deleting the SA and remaining down until further interesting traffic brings it back up. Static session keys are (thankfully) no longer supported in ASA 7.x+ code versions.
12-01-2011 07:42 PM
The users are running a batch job on the mainframe. They do not want the idle timeout.
Is there a way to find out why the Cisco VPN client was disconnected? Thanks.
Diane
12-02-2011 07:19 AM
Sure, if you had VPN class logging enabled then it should be pretty easy to determine by looking at the logs. If not, you should consider enabling the VPN specific logging class.
If you want to globally disable the idle-timeout then you need to enter the following command under the default group policy:
vpn-idle-timeout none
Unless another group policy already had a vpn-idle-timeout set, this value will be inherited by all tunnel groups.
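The two changes described in the reply above, written out as an ASA 8.2 configuration with the verification commands a practitioner would run afterwards. This is an added example and not part of the original thread; the logging destination (the local buffer), the buffer size, and the message IDs picked out in the last command are assumptions, so adapt them to your own syslog setup.

```cisco
! Added example (not from the original post): ASA 8.2 configuration for
! VPN-class logging and disabling the idle timeout, plus verification.

! 1. Keep the global buffered level low, but raise the VPN-related classes so
!    that session setup/teardown messages are kept. "vpn" covers IKE/IPsec
!    (713xxx, 602xxx), "vpnc" the VPN client (611xxx) and "auth" the
!    per-session messages such as 113019 "Session disconnected ... Reason: ...".
logging enable
logging buffer-size 65536
logging buffered warnings
logging class vpn buffered informational
logging class vpnc buffered informational
logging class auth buffered informational

! 2. Disable the idle timeout in the default group policy. Any group policy
!    that does not set its own vpn-idle-timeout inherits this value.
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
exit

! 3. Verify the effective values. "show running-config all" prints inherited
!    and default settings, so both the idle and the absolute session timeout
!    are visible here (vpn-session-timeout defaults to none).
show running-config all group-policy DfltGrpPolicy | include timeout

! 4. List the active VPN client sessions and pull the disconnect reasons
!    out of the buffer (113019 = session disconnected with reason,
!    713050 = connection terminated for peer with reason).
show vpn-sessiondb remote
show logging | include 113019|713050
```

If a user's tunnel group references a group policy other than DfltGrpPolicy, run the same `show running-config all group-policy <name> | include timeout` against that policy, since a value set there overrides the default and the `none` above will not apply.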