12-08-2008 07:33 PM - edited 03-11-2019 07:22 AM
I see the following command on my ASA:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Does this apply to VPN users also?
The reason I ask is that some VPN users are getting dropped after a few minutes and we don't know why.
I see no IDLE timeout in the config.
ASDM is currently unavailable.
12-10-2008 11:20 AM
No, those timeouts don't apply to VPN users. I'd recommend enabling logging on the client software for one or more of the users who are having the problem since the client log tends to be more informative than the corresponding logs in the ASA, and they only apply to that client so you don't have to wade through a bunch of messages that aren't pertinent. Set all the levels to 3, the highest setting, and have the user save the log messages to a file and send them to you when they see the problem. I suspect you'll see messages akin to "remote peer not responding", which points to some sort of connectivity problem between them and the ASA. Otherwise, these users could also be seeing an issue with the forced keepalives. The first question in this article at Cisco's web site talks about this and tells how to turn them off by editing the client .pcf file:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml
12-10-2008 01:40 PM
Great! Will do.