Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5933
Views
20
Helpful
6
Replies

vpn-session-timout for after hours only?

Go to solution
robert.robinson.1
Level 1
Level 1

‎04-10-2019 01:11 PM

I have vpn-session-timeout configured for 1440 minutes and some clients are experiencing problems of being disconnected during the day as their timer expires.  This especially causes problems when they are hosting a webex call and it drops the meeting.

 

I'm aware of the vpn-session-timout alert-interval command, but that is easily missed by end users.  We also can't count on them to check the AnyConnect countdown timer.  Is there any way to schedule a window for session timeout disconnects?  Such that IF the session is over 24 hours AND it is between 2am-5am, then disconnect the session?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎04-10-2019 09:18 PM

Hi

There's no such planification.
First why not using vpn-idle-timeout command? It will disconnect only if there's no traffic going through the tunnel which means users aren't working anymore and then you can increase your session-timeout.

Then if you have latest version of asa (or a recent one), you can create an EEM script to disconnect anyconnect sessions between 2.00am and 5.00am (it will force a disconnection).
If interested in eem on asa, check this out: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

6 Replies 6

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎04-10-2019 09:15 PM

Why don't you use something like:

 

vpn-idle-timeout 60

vpn-session-timeout none

 

Then if it is an active session it will never get disconnected, and if it goes quiet for an hour you kick them off?

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎04-10-2019 09:18 PM

Hi

There's no such planification.
First why not using vpn-idle-timeout command? It will disconnect only if there's no traffic going through the tunnel which means users aren't working anymore and then you can increase your session-timeout.

Then if you have latest version of asa (or a recent one), you can create an EEM script to disconnect anyconnect sessions between 2.00am and 5.00am (it will force a disconnection).
If interested in eem on asa, check this out: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
robert.robinson.1
Level 1
Level 1
In response to Francesco Molino

‎04-11-2019 12:27 AM

Between background applications and processes like Outlook, Lync, and open browser tabs, I don't think a vpn idle timeout would ever be invoked for clients in my environment.

 

An EEM script, while a bit heavy handed, looks like it would work.  I'll give that a shot.  Thank you! 

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to robert.robinson.1

‎04-11-2019 07:14 PM

Ok let me know when you tried EEM

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
robert.robinson.1
Level 1
Level 1
In response to Francesco Molino

‎04-16-2019 10:37 AM

Looks like it works.  I had to use the noconfirm option.  Excluding it prevented any sessions from being disconnected and clients didn't receive any confirmation notice or pop-up.

 

***

event manager applet vpn-session-timeout

  description "disconnect vpn sessions"

  event timer absolute time 2:30:00

  output none

  action 1 cli command "vpn-sessiondb logoff tunnel-group <EMPLOYEE> noconfirm"

  action 2 cli command "vpn-sessiondb logoff tunnel-group <VENDOR> noconfirm"

***

 

sessions.PNG

 

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to robert.robinson.1

‎04-21-2019 09:25 PM

Glad to see the EEM solution worked.
Thanks for all other users to have posted your config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents