VPN Client to PIX idle-time and max-time

chan-kuen.hui · ‎09-22-2005

Dear All,

I used vpn client to connect to PIX firewall.

vpngroup abc idle-time 1800

After I connect to PIX and do not have any traffic for more that a hour, the vpn connection did not disconnect.

Is the idle-time use to disconnect the vpn connection after the idle-time?

or I need to use vpngroup abc max-time to disconnect user connection?

Thanks.

C.K.

gfullage · ‎09-22-2005

You have to be careful with idle-time and especially when using Windows PC's. They generally send broadcasts and all sorts of traffic (Netbios, Windows networking, etc) in the background without you actually doing something on the PC. If any of these packets traverse the VPN then that is considered traffic and the idle time is reset.

To see if your tunnel is actually idle, check the statistics on the tunnel when you stop working on the PC, and then check it 10 minutes later, I'll pretty much guarantee that some data has gone over the tunnel in that time. There's nothing we can do about this from a Cisco standpoint, it is how Windows works, and there's no way we can differentiate between background traffic and actual user-initiated traffic.

Max-time will definately disconnect them after the time period, but then you run the risk of a user being right in the middle of actually working when they get disconnected.

winchell · ‎09-26-2005

one thing to do might be to set a maximum security-association time,

if you wnat them disconnected after an hour, set that in your crypto map settings.

idle times are really touch, and rarely work without VERY specific access-lists.

-G