Remote VPN client session disconnects after being idle for 5 minutes

Unanswered Question
May 21st, 2008

I have a problem with my remote vpn client setup that everytime I became idle for 5 minutes my remote vpn connection is being disconnected. But the PIX firewall is configured to use the default idle timeout which is 30 minutes.

I'm using the following software for this setup:

Client: Cisco VPN client ver 4.8.02

Server: PIX 515E, ver 8.0(2)

Following is the global timeout settings in firewall:

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

Any suggestions?

Thanks,

Mahlory

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
shmathur Wed, 05/21/2008 - 02:57

These global timeout settings are not relevant for VPN timeouts.

On the group policy in question, please add the following statement:

group-policy attributes

vpn-idle-timeout none

HTH

jblackorby Wed, 05/21/2008 - 07:55

Check the group-policy specific timeout:

group-policy clientgroup attributes

vpn-idle-timeout 20

mahlory_2002 Wed, 05/21/2008 - 18:26

Hi,

I tried to set the group-policy specific timeout as below:

group-policy DfltGrpPolicy attributes

vpn-idle-timeout 50

Still my vpn session timeout after idle of 5 minutes.

Thanks,

Mahlory

mahlory_2002 Wed, 05/21/2008 - 19:08

I noticed that if I set the timeout less than 5 minutes the timeout settings works but if the timeout is more than 5 minutes ie. 10, 20, 30, 60 mins, the vpn session still disconnects after 5 minutes.

From my vpn client logs I can see that the VPN gateway sends a RST to close the connection after 5 minutes idle.

Is this a bug or there is some other settings in the firewall that I need to check?

Regards,

Mahlory

tony.mormile Thu, 05/29/2008 - 10:08

I had the same issue.

Documentation says to edit Group policy.

As you are aware, it does not change the behavior.

I found a solution using the ASDM.

Go to Configuration, VPN, General.

Edit the Tunnel Group, select the IPSec tab, and change the ISAKMP Keepalive.

I changed the Monitor keepalives, Confidence Interval to 1800 (seconds) kept the retry at 2.

Apply and Save changes.

test your vpn client.

Mine stayed connected for 29 min and change before disconnect.

Hope this helps.

Actions

This Discussion