RA Group Policy : vpn-idle-timeout Vs vpn-session-timeout

Unanswered Question
Feb 6th, 2009

Hi All,

What exactly the difference between vpn-idle-timeout Vs vpn-session-timeout under RA VPN group policy? I went thru the command reference guide, but still confused.

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/uz_711.html#wp1316206

If I have the below config..

group-policy TEST attributes

vpn-idle-timeout 1440

vpn-session-timeout none

Does the remote users VPN session ever disconnects even though there was no traffic acctivity after 24hrs? What takes priority and What are the recomended values..?

TIA

MS

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
Ivan Martinon Fri, 02/06/2009 - 10:42

VPN Idle timeout is the max time out that the client can have with no activity, idle connection, meaning when not passing any traffic.

VPN Session timeout is the maximum time that this vpn client will be allowed to remain connected, regardless of whether it is passing traffic or not.

mvsheik123 Fri, 02/06/2009 - 11:29

Hi Ivan,

Thanks for the reply. So if the below config is existing for RA vpn config, even after 24hrs idle connection (no traffic passing) the session remains 'connected' as "vpn-session-timeout" set to none?

vpn-session-timeout value takes priority over idle-timeout value?

group-policy TEST attributes

vpn-idle-timeout 1440

vpn-session-timeout none

TIA

MS

Ivan Martinon Fri, 02/06/2009 - 12:35

No, whatever is reached first will be kicking in, so for instance in your setup after 1 day of not passing traffic the IDLE timeout will kick in, since session timeout is not configured then idle should kick in.

mvsheik123 Fri, 02/06/2009 - 12:55

Thanks again Ivan. I am testing this infact, I see the user has been on over 3days...

*****************************

group-policy TEST attributes

vpn-idle-timeout 1440

vpn-session-timeout none

Username : Test123

Index : 7

Assigned IP : 192.168.1.60 Public IP : 68.23.41.27

Protocol : IPSecOverNatT

Bytes Tx : 300620590 Bytes Rx : 61534790

Client Type : WinNT Client Ver : 4.8.00.0440

Group Policy : DfltGrpPolicy

Tunnel Group : TEST

Login Time : 22:30:04 EST Mon Feb 2 2009

Duration : 3d 17h:19m:18s

Filter Name :

**************************

This means users has been passing the traffic before the 24hrs window elapsed and that keeping the session up over 3days...?

TIA

MS

Ivan Martinon Fri, 02/06/2009 - 13:44

yep, to be honest with you, it is rather strange when a client even when idle stops passing traffic, windows workstation typically send traffic over and over, even when idle.

mvsheik123 Fri, 02/06/2009 - 14:14

Great. Thank you.. Last question.. I configrued a seperate group policy (than DfltGrpPolicy) and applied it under tunnel-group. But still the client taking the DfltGrpPolicy (dns options & Split-tunnel N/W were taking from configured group). Client takes the first one in the list..? if so, can I remove the Default group one..?

Please see below.. ASA Ver 7.1 (1)

************************

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 1440

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

client-access-rule none

!

group-policy TEST internal

group-policy TEST attributes

dns-server value 192.168.10.16

192.168.29.17

vpn-idle-timeout 1440

vpn-session-timeout none

split-tunnel-policy tunnelspecified

split-tunnel-network-list value

SPLIT_TUNNEL

backup-servers keep-client-config

!

tunnel-group TESTVPN type ipsec-ra

tunnel-group TESTVPN general-attributes

address-pool TESTPOOL

authentication-server-group (outside)

sdi

default-group-policy TEST

tunnel-group TESTVPN ipsec-attributes

pre-shared-key *

************************************

TIA

MS

Ivan Martinon Fri, 02/06/2009 - 14:26

The default group-policy cannot be removed, and the client should get the one that is assinged to the tunnel-group, go ahead and get the "show vpn-sessiondb detail remote" when the user is connected, you should see there what group policy is taken. One thing to notice is that when there are not defined attributes on the specific group-policy, say the TEST one, then it will inherit the values from the default one.

mvsheik123 Fri, 02/06/2009 - 16:45

Thank you. The same o/p already posted in the above threads.. or please see below..

Username : TEST123

Index : 7

Assigned IP : 192.168.1.60 Public IP : 67.23.41.27

Protocol : IPSecOverNatT Encryption : AES128

Hashing : MD5

Bytes Tx : 309791114 Bytes Rx : 64465688

Client Type : WinNT Client Ver : 4.8.00.0440

Group Policy : DfltGrpPolicy

Tunnel Group : TESTVPN

Login Time : 22:30:04 EST Mon Feb 2 2009

Duration : 3d 21h:11m:01s

Filter Name :

Tested with another user, same result. Group policy taking is :DfltGrpPolicy

Thank you

MS

Ivan Martinon Mon, 02/09/2009 - 08:05

Odd, try to get the next debugs:

debug crypto isa 20

debug vpn-sessiondb 20

When the client is connecting

mvsheik123 Tue, 02/10/2009 - 08:37

Hi Ivan,

Last night I upgraded IOS on ASA from

7.1(1)-->7.2(4), as the hardware experienced crash with some bug in IOS, and now the clients getting the configured 'TEST' group. Thank you for your time in this. Now my question is, as-

group-policy DfltGrpPolicy attributes

cannot be removed- is it ok to remove the 'webvpn' part of the 'DfltGrpPolicy '. 'webvpn' is not enabled anyway. I remember taking this out before but whne unit rebooted, I think it came back.Wanted to get clarification whether it can be removed permanantly or not.

!

group-policy DfltGrpPolicy attributes

banner none

wins-server none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application

sso-server none

deny-message value Login was.....

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

!

TIA

MS

Ivan Martinon Tue, 02/10/2009 - 08:40

As far as I know, pretty much anything under the DfltGrpPolicy can't be removed, it can be left as default or disabled.

Actions

This Discussion