VPN session Timeouts

james.king14
Level 1

I have many users that time out once connected to VPN. These have shown that from 2 to 34 minutes the connection will drop. Yet when I look in the configuration of the ASA it shows:

group-policy GroupPolicy_unameit-VPN attributes
wins-server none
dns-server value 195.195.195.242 195.195.195.243
dhcp-network-scope 195.195.195.0   " There is not DHCP scope for servers they are static"
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout 720
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value unameit.gov
address-pools value unameit-VPN

webvpn
url-list value Web-Based-Applications
filter none
anyconnect ask none default anyconnect
customization value unameit-Logo
url-entry enable
dynamic-access-policy-record unameit-VPN
description "CAC for VPN users"
priority 1

Accepted Solution

I rechecked the sessions and we found that simultaneous logins was set to a low number. Now we have set it to a higher than expected number and it seems to work, at least for more than 34 minutes.


17 Replies

Sheraz.Salim
VIP Alumni

Change your vpn-idle-timeout to 60 or 120 min.

please do not forget to rate.

Thanks. The user is still working; they would be actively working when the session would disconnect.

Hi,
Does this affect all users connected to the VPN at the same time? This might indicate an issue with the ASA connection/configuration.

If not, the issue could be local to the users (computer or ISP). You can run DART on the local computer and have a look at the logs.

HTH

balaji.bandi
Hall of Fame

As per the config, you have set idle time out 30 min and 720 min (session to drop either idle or active).

The disconnection has other reasons.

1. Check the logs and see if you can find any reasons.

2. This could be an ISP or DSL or client-side connection issue also.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
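The reasoning in the reply above and in the accepted solution can be checked mechanically. This added example is not part of the original thread or Cisco's code: it reads the three session-limiting attributes from the posted group-policy and lists which of them could account for one observed drop. The observation inputs are hypothetical, and it assumes that a login beyond `vpn-simultaneous-logins` displaces one of that user's existing sessions.

```python
import re

# Constructed sample: the session-limit lines from the group-policy posted above.
SAMPLE_POLICY = """\
group-policy GroupPolicy_unameit-VPN attributes
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout 720
"""

LIMIT_KEYS = ("vpn-simultaneous-logins", "vpn-idle-timeout", "vpn-session-timeout")


def parse_limits(config_text):
    """Return {attribute: int, or None when the value is not a number}."""
    limits = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*(vpn-[a-z-]+)\s+(\S+)", line)
        if m and m.group(1) in LIMIT_KEYS:
            value = m.group(2)
            limits[m.group(1)] = int(value) if value.isdigit() else None
    return limits


def possible_causes(limits, minutes_connected, minutes_idle, logins_for_user):
    """Name the configured limits that could account for one observed drop.

    Hypothetical inputs: how long the session lasted, how long the user had
    been idle when it dropped, and how many sessions that username held.
    Assumption: a login beyond vpn-simultaneous-logins displaces one of the
    user's existing sessions.
    """
    causes = []
    idle = limits.get("vpn-idle-timeout")
    total = limits.get("vpn-session-timeout")
    logins = limits.get("vpn-simultaneous-logins")
    if idle is not None and minutes_idle >= idle:
        causes.append("vpn-idle-timeout")
    if total is not None and minutes_connected >= total:
        causes.append("vpn-session-timeout")
    if logins is not None and logins_for_user > logins:
        causes.append("vpn-simultaneous-logins")
    return causes


if __name__ == "__main__":
    limits = parse_limits(SAMPLE_POLICY)
    # Constructed observations: (minutes connected, minutes idle, logins for user)
    for obs in [(2, 0, 1), (34, 0, 4), (45, 31, 1)]:
        print(obs, "->", possible_causes(limits, *obs) or ["not a configured limit"])
```

An empty result for an active user who dropped after a few minutes means none of the configured limits explains it, which points the investigation at logs, the client, or the path in between.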

I would be inclined to agree with you on that part but we ran a Wireshark instance and found more fun problems. But this week the server group reloaded all servers and now everything times out from 2 minutes to about half a minute.

What's the AnyConnect version you are running?

And what is the ASA code?

Does it happen with a wired or a wireless connection? Also, is it possible for you to upgrade to a newer AnyConnect version and test?

please do not forget to rate.

Good Morning,

I am running AC 4.6.01

And ASA code 9.8.3

As far as the ASA and AnyConnect are concerned, it was stable and the latest as far as I know.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/release/notes/b_Release_Notes_AnyConnect_4_6.html

Since you mentioned that some other department has recently changed something, is this authentication against LDAP/AD?

Or is there any update on the end devices, like Windows 10?

BB


We are using only Windows 10 devices and our authentication is AD. We are not allowed to use LDAP anymore.

Check the debug logs on the ASA side also, taking one user to understand.

Check/monitor your WAN/Internet bandwidth. Make sure it is not overloaded due to the situation around.

BB


I have been looking at the WAN/LAN connections and monitored the bandwidth. No high usage at this time.  I have the debug logs and nothing stands out?

Worth trying to upgrade the AC to 4.7 or 4.8.

please do not forget to rate.

I did and had to go back to 4.6. It made the problem worse!

Once the VPN drops the user it gives an error message.

I would like to look at what % of users are having this issue. If all the users, something is definitely wrong at the head end; this may require a reboot of the ASA and enabling more granular debug to look at the problem.

If only a few users, I may suspect the far-end internet connection; due to market trends most of the ISP and internet links are getting saturated also.

 

BB
