03-22-2010 12:14 PM
Hello,
I have set up VPN access on a 2801 (IOS 12.4.24T2) and use VPN client 5.00.06.160.
The remote access works great except that the users are prompted to re-enter credentials every 48 mins.
I discovered that it is linked to the lifetime of the isakmp sa and that 48 mins (2880 secs) seems to be a kind of pre-end of life for the sa.
We are using radius to authenticate users.
I could extend the life of the isakmp to a high value but I would prefer that the rekey does not prompt my users to re-authenticate.
Can this be done?
Any help will be greatly appreciated.
Didier
03-22-2010 03:50 PM
I believe what you can do is set the isakmp lifetime for something like 86400 (1 day) and then specify an idle timeout and/or session timeout within the ipsec vpn parameters depending on how long you want their sessions to stay active. (ASA firewall has vpn-idle-timeout and vpn-session-timeout commands, IOS is slightly different.) Cisco has a good doc for troubleshooting that has some of the commands listed. Hope that helps.
03-23-2010 06:23 AM
Hello,
Unfortunately, I need the connections to be up more than 24 hours. Changing the lifetime to the maximum (24h) would just limit the number of user complaints.
In fact, if I could find a way to have isakmp rekey done without requiring the user to re-authenticate, that would be the ideal. Could it be one of the radius attributes?