timeout conn 1:00:00

Dec 8th, 2008

I see the following command on my ASA:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Does this apply to VPN users also?

The reason I ask is that some VPN users are getting dropped after a few minutes and we don't know why.

I see no IDLE timeout in the config.

ASDM is currently unavailable.

ddawson Wed, 12/10/2008 - 11:20

No, those timeouts don't apply to VPN users. I'd recommend enabling logging on the client software for one or more of the users who are having the problem since the client log tends to be more informative than the corresponding logs in the ASA, and they only apply to that client so you don't have to wade through a bunch of messages that aren't pertinent. Set all the levels to 3, the highest setting, and have the user save the log messages to a file and send them to you when they see the problem. I suspect you'll see messages akin to "remote peer not responding", which points to some sort of connectivity problem between them and the ASA. Otherwise, these users could also be seeing an issue with the forced keepalives. The first question in this article at Cisco's web site talks about this and tells how to turn them off by editing the client .pcf file:


