07-17-2018 12:27 AM - edited 03-12-2019 05:28 AM
Hi all,
We have a standalone ASA v9 working as a Remote Access VPN concentrator; the users (with AnyConnect) connect just fine.
In order to assign the same static IP address to each user every time he connects to the network via the AnyConnect client, we have configured RADIUS authentication for AnyConnect users, and the Framed-IP-Address attribute is used to assign a fixed IP address.
All is working fine.
Here is the issue:
If the AnyConnect session is interrupted for the user Bob (for example, there is a connectivity issue), Bob is not able to gain access for 30 minutes.
If we run the command « vpn-sessiondb logoff name Bob », the user does not have to wait 30 minutes.
From the Cisco ASA, we have the log “Unable to assign AAA provided IP addess (xxxxx) to Client. This IP address has already been assigned by AAA”
Regards
07-17-2018 03:06 AM
This is expected. The ASA keeps the Parent session active in the event that the client tries to reconnect back with the same session info. The default idle timeout is 30 minutes before it marks this session for deletion. You can reduce the idle-timeout in the group-policy to reduce this value to a lower one like 5 minutes. Test this out in a separate group-policy and check what value works for you.
More info on Anyconnect timers here:
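Added example, not part of the original reply: one way to try the shorter idle timeout in a separate group-policy from the ASA CLI, then confirm what the session database still holds for the user. The policy name GP-IDLE-TEST is a hypothetical placeholder; the 5-minute value and the user Bob come from the thread.

```cisco
! --- configuration mode ---
! GP-IDLE-TEST is a hypothetical name for a separate test policy,
! so the production group-policy stays untouched while testing.
group-policy GP-IDLE-TEST internal
group-policy GP-IDLE-TEST attributes
 ! Idle timeout in minutes; the thread reports 30 as the default.
 vpn-idle-timeout 5
!
! --- exec mode: verification ---
! Confirm the value the test policy carries.
show running-config group-policy GP-IDLE-TEST
! After an interrupted connection, check whether Bob's session
! (and the Framed-IP-Address it holds) is still present.
show vpn-sessiondb detail anyconnect filter name Bob
! Manual release used in the original post, if the address is still held.
vpn-sessiondb logoff name Bob
```

The test user still has to be mapped to the test policy (for example through the tunnel-group default or an attribute returned by the RADIUS server) before the new timeout applies to his sessions.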