
unlimited idle timeout, but idle timeout session is 30 minutes

gdspa
Level 1

Hi all,

I am connecting with the AnyConnect client to an ASA5510 (8.2.1(11)).

In the group policy I have idle timeout = unlimited, but if I control the session in ASDM and in the command line I find idle timeout = 30 minutes.

If I insert idle timeout = 60 in the policy, in the session I see Idle timeout =60 min.

Is there only a problem in the visualization of the session?

Accepted Solutions

hdashnau
Cisco Employee

Setting the "vpn-idle-timeout none" command from the group-policy is a misunderstood command. When it is set in the group-policy it does not disable the idle-timeout. In the past I filed a bug to clarify what this setting does (see CSCsm15079) to clarify the misunderstanding. In newer versions of code with the bug fix, the command sensitive help now properly explains it:

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout

When it is set to none, and you are using SSL VPN, it means it will inherit the default-idle-timeout that is set under the Webvpn config. The default for this command is 30 minutes, so that's probably why ASDM is displaying 30 minutes. If you would like to adjust this value, it can be changed with:

conf t
webvpn
 default-idle-timeout

If you would like an "unlimited" idle time, you should set the vpn-idle-timeout in the group-policy to a specific number instead of "none" -- the maximum you can set with the vpn-idle-timeout command is 35791394 minutes (something like ~24000 days or essentially unlimited).

Please rate this post and mark it as resolved if it has addressed the issue.

3 Replies

Thank you for your explanation.

The bug is not really solved, even if in the schedule of the bug toolkit I find it is fixed in version 8.2(1), I am using 8.2(1)11.

It is solved for IPsec, not for SSL VPN.

The bug is for clarification only; the fix for the bug does not change the behavior/functionality of the vpn-idle-timeout for IPSec nor for SSL.

The bug's intention was to document what the expected behavior should be in the command line as prior to the bug fix the explanation was not correct. Here's what the bug fix did:

In the versions of code without the bug fix the command sensitive help incorrectly stated:

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          Disable timeout and allow an unlimited idle period

In the versions of the code with the bug fix the command sensitive help correctly states the expected behavior (If you are not seeing this in your 8.2.1.11 code let me know):

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout


-heather
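
An added example (not part of the thread and not Cisco code): a small Python check that reads a running-config and reports the idle timeout each group policy actually gets for IPsec and for SSL VPN, following the semantics quoted in the help text above. The sample config is constructed, the function names are hypothetical, it assumes default-idle-timeout is stored in seconds, and policies that inherit vpn-idle-timeout from another policy are not evaluated.

```python
# Added example: effective idle timeout per group policy, following the
# semantics quoted in the thread. SAMPLE is a constructed config fragment.
DEFAULT_IDLE_MIN = 30  # thread: default-idle-timeout defaults to 30 minutes

SAMPLE = """\
webvpn
 enable outside
group-policy GP-ANYCONNECT attributes
 vpn-idle-timeout none
 webvpn
  svc ask none default svc
group-policy GP-60 attributes
 vpn-idle-timeout 60
"""

def parse(config):
    """Return (global default-idle-timeout in minutes, {policy: raw value})."""
    default_idle, policies, section = DEFAULT_IDLE_MIN, {}, []
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line.startswith(" "):           # top-level line opens a section
            section = words
        elif line.startswith("  ") or len(words) < 2:
            continue                            # nested sub-mode or bare keyword
        elif section == ["webvpn"] and words[0] == "default-idle-timeout":
            default_idle = int(words[1]) // 60  # assumption: value is in seconds
        elif (len(section) == 3 and section[0] == "group-policy"
              and section[2] == "attributes" and words[0] == "vpn-idle-timeout"):
            policies[section[1]] = words[1]
    return default_idle, policies

def audit(config):
    """Map each policy to its effective timeouts in minutes (None = unlimited)."""
    default_idle, policies = parse(config)
    report = {}
    for name, value in policies.items():
        if value == "none":   # IPsec: no timeout; SSL VPN: webvpn default applies
            report[name] = {"ipsec": None, "ssl": default_idle, "differs": True}
        else:
            report[name] = {"ipsec": int(value), "ssl": int(value), "differs": False}
    return report

if __name__ == "__main__":
    for name, eff in audit(SAMPLE).items():
        print(name, eff)
```

A policy reported with "differs": True is one where "none" gives IPsec sessions no idle limit while AnyConnect/SSL sessions still time out at the webvpn default.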
