04-10-2019 01:11 PM
I have vpn-session-timeout configured for 1440 minutes and some clients are experiencing problems of being disconnected during the day as their timer expires. This especially causes problems when they are hosting a webex call and it drops the meeting.
I'm aware of the vpn-session-timeout alert-interval command, but that is easily missed by end users. We also can't count on them to check the AnyConnect countdown timer. Is there any way to schedule a window for session timeout disconnects? Such that IF the session is over 24 hours AND it is between 2am-5am, then disconnect the session?
04-10-2019 09:15 PM
Why don't you use something like:
vpn-idle-timeout 60
vpn-session-timeout none
Then if it is an active session it will never get disconnected, and if it goes quiet for an hour you kick them off?
04-10-2019 09:18 PM
04-11-2019 12:27 AM
Between background applications and processes like Outlook, Lync, and open browser tabs, I don't think a vpn idle timeout would ever be invoked for clients in my environment.
An EEM script, while a bit heavy handed, looks like it would work. I'll give that a shot. Thank you!
04-11-2019 07:14 PM
04-16-2019 10:37 AM
Looks like it works. I had to use the noconfirm option. Excluding it prevented any sessions from being disconnected and clients didn't receive any confirmation notice or pop-up.
***
event manager applet vpn-session-timeout
 description "disconnect vpn sessions"
 event timer absolute time 2:30:00
 output none
 action 1 cli command "vpn-sessiondb logoff tunnel-group <EMPLOYEE> noconfirm"
 action 2 cli command "vpn-sessiondb logoff tunnel-group <VENDOR> noconfirm"
***
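The applet above logs off every session in the named tunnel groups at 2:30. The condition from the original question (session older than 24 hours AND inside the 2am-5am window) can be evaluated off-box, as in this added example, which is not from the thread: it assumes the output of `show vpn-sessiondb anyconnect` has been collected as text with `Username` and `Duration` lines laid out as in the constructed sample, and it emits `vpn-sessiondb logoff name` commands for matching sessions only.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample in the assumed layout of "show vpn-sessiondb anyconnect".
SAMPLE = """\
Username     : alice                  Index        : 101
Duration     : 1d 2h:14m:09s
Username     : bob                    Index        : 102
Duration     : 0h:47m:31s
Username     : carol                  Index        : 103
Duration     : 3d 0h:00m:05s
"""

USER_RE = re.compile(r"^Username\s*:\s*(\S+)")
# The day field is only present once a session has been up for a day or more.
DUR_RE = re.compile(r"^Duration\s*:\s*(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")

def parse_sessions(text):
    """Return [(username, session_age)] from the session-table text."""
    sessions, user = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            user = m.group(1)
        elif (m := DUR_RE.match(line)) and user:
            d, h, mi, s = (int(g or 0) for g in m.groups())
            sessions.append((user, timedelta(days=d, hours=h, minutes=mi, seconds=s)))
            user = None  # one Duration line per Username line
    return sessions

def in_window(now, start=time(2, 0), end=time(5, 0)):
    """True when 'now' falls inside the maintenance window (end exclusive)."""
    return start <= now.time() < end

def logoff_commands(text, now, max_age=timedelta(hours=24)):
    """Commands for sessions older than max_age, only inside the window."""
    if not in_window(now):
        return []
    return [f"vpn-sessiondb logoff name {user} noconfirm"
            for user, age in parse_sessions(text) if age > max_age]

if __name__ == "__main__":
    for cmd in logoff_commands(SAMPLE, datetime(2019, 4, 16, 2, 30)):
        print(cmd)
```

Logging off by name ends every session that username holds, so a user with one old and one fresh session loses both.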
04-21-2019 09:25 PM