cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4696
Views
20
Helpful
6
Replies

vpn-session-timout for after hours only?

I have vpn-session-timeout configured for 1440 minutes and some clients are experiencing problems of being disconnected during the day as their timer expires.  This especially causes problems when they are hosting a webex call and it drops the meeting.

 

I'm aware of the vpn-session-timout alert-interval command, but that is easily missed by end users.  We also can't count on them to check the AnyConnect countdown timer.  Is there any way to schedule a window for session timeout disconnects?  Such that IF the session is over 24 hours AND it is between 2am-5am, then disconnect the session?

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor
Hi

There's no such planification.
First why not using vpn-idle-timeout command? It will disconnect only if there's no traffic going through the tunnel which means users aren't working anymore and then you can increase your session-timeout.

Then if you have latest version of asa (or a recent one), you can create an EEM script to disconnect anyconnect sessions between 2.00am and 5.00am (it will force a disconnection).
If interested in eem on asa, check this out: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

6 Replies 6

Philip D'Ath
Advisor
Advisor

Why don't you use something like:

 

vpn-idle-timeout 60

vpn-session-timeout none

 

Then if it is an active session it will never get disconnected, and if it goes quiet for an hour you kick them off?

Francesco Molino
VIP Mentor VIP Mentor
VIP Mentor
Hi

There's no such planification.
First why not using vpn-idle-timeout command? It will disconnect only if there's no traffic going through the tunnel which means users aren't working anymore and then you can increase your session-timeout.

Then if you have latest version of asa (or a recent one), you can create an EEM script to disconnect anyconnect sessions between 2.00am and 5.00am (it will force a disconnection).
If interested in eem on asa, check this out: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Between background applications and processes like Outlook, Lync, and open browser tabs, I don't think a vpn idle timeout would ever be invoked for clients in my environment.

 

An EEM script, while a bit heavy handed, looks like it would work.  I'll give that a shot.  Thank you! 

Ok let me know when you tried EEM

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Looks like it works.  I had to use the noconfirm option.  Excluding it prevented any sessions from being disconnected and clients didn't receive any confirmation notice or pop-up.

 

***

event manager applet vpn-session-timeout

  description "disconnect vpn sessions"

  event timer absolute time 2:30:00

  output none

  action 1 cli command "vpn-sessiondb logoff tunnel-group <EMPLOYEE> noconfirm"

  action 2 cli command "vpn-sessiondb logoff tunnel-group <VENDOR> noconfirm"

***

 

sessions.PNG

 

Glad to see the EEM solution worked.
Thanks for all other users to have posted your config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers