
If AnyConnect session is interrupted, the user fails to connect due to IP conflict for 30 minutes

Hi all,

We have a standalone ASA v9 working as a Remote Access VPN concentrator; the users (with AnyConnect) connect just fine.

In order to assign the same static IP address to each user every time he connects to the network via the AnyConnect client, we have configured RADIUS authentication for AnyConnect users, and the Framed-IP-Address attribute is used to assign a fixed IP address.

All is working fine.

 

Here is the issue:

If the AnyConnect session is interrupted for the user Bob (for example, there is a connectivity issue), Bob is not able to gain access for 30 minutes.

If we perform the command "vpn-sessiondb logoff name Bob", the user does not have to wait 30 minutes.

 

From the Cisco ASA, we have the log “Unable to assign AAA provided IP addess (xxxxx) to Client. This IP address has already been assigned by AAA”

 

Regards

Accepted Solutions

Rahul Govindan
VIP Alumni

This is expected. The ASA keeps the Parent session active in the event that the client tries to reconnect back with the same session info. The default idle timeout is 30 minutes before it marks this session for deletion. You can reduce the idle-timeout in the group-policy to reduce this value to a lower one like 5 minutes. Test this out in a separate group-policy and check what value works for you. 

 

More info on Anyconnect timers here:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc19
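To choose an idle-timeout value as the answer suggests, it helps to measure how long users actually keep getting rejected. The script below is an added example, not part of the original thread: it scans log text for the rejection message quoted in the question and groups rejections per IP into lockout episodes. The ISO timestamp prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the question ("r" optional: the thread spells it "addess").
# The leading ISO timestamp is an assumed log prefix, not an ASA default.
PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s.*"
    r"Unable to assign AAA provided IP addr?ess \((?P<ip>[^)]+)\) to Client"
)
IDLE_WINDOW = timedelta(minutes=30)  # default idle timeout named in the answer


def lockout_episodes(lines, window=IDLE_WINDOW):
    """Group rejections per IP; a gap longer than `window` starts a new episode."""
    episodes = {}
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        runs = episodes.setdefault(m["ip"], [])
        if runs and ts - runs[-1]["last"] <= window:
            runs[-1]["last"] = ts
            runs[-1]["attempts"] += 1
        else:
            runs.append({"first": ts, "last": ts, "attempts": 1})
    return episodes


def summarize(episodes):
    """Return (ip, episode_count, total_attempts, longest_span_minutes) rows."""
    rows = []
    for ip, runs in sorted(episodes.items()):
        longest = max((r["last"] - r["first"]).total_seconds() / 60 for r in runs)
        rows.append((ip, len(runs), sum(r["attempts"] for r in runs), longest))
    return rows


# Constructed sample log lines (host name, addresses and timestamps are made up).
MSG = "Unable to assign AAA provided IP address (%s) to Client. This IP address has already been assigned by AAA"
SAMPLE = [
    "2024-03-04T09:00:10 asa01 " + MSG % "10.10.10.21",
    "2024-03-04T09:05:40 asa01 " + MSG % "10.10.10.21",
    "2024-03-04T09:10:00 asa01 Some unrelated message",
    "2024-03-04T09:12:30 asa01 " + MSG % "10.10.10.34",
    "2024-03-04T09:28:00 asa01 " + MSG % "10.10.10.21",
    "2024-03-04T11:15:00 asa01 " + MSG % "10.10.10.21",
]

if __name__ == "__main__":
    for row in summarize(lockout_episodes(SAMPLE)):
        print("%s episodes=%d attempts=%d longest=%.0f min" % row)
```

An episode whose span approaches the configured idle timeout indicates a user who kept retrying until the stale parent session expired.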
