02-06-2009 07:32 AM
Hi All,
What exactly is the difference between vpn-idle-timeout vs vpn-session-timeout under the RA VPN group policy? I went through the command reference guide, but am still confused.
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/uz_711.html#wp1316206
If I have the below config..
group-policy TEST attributes
vpn-idle-timeout 1440
vpn-session-timeout none
Does the remote user's VPN session ever disconnect even though there was no traffic activity after 24hrs? What takes priority and what are the recommended values..?
TIA
MS
02-06-2009 10:42 AM
VPN idle timeout is the maximum time that the client can stay connected with no activity (an idle connection, meaning not passing any traffic).
VPN session timeout is the maximum time that this VPN client will be allowed to remain connected, regardless of whether it is passing traffic or not.
02-06-2009 11:29 AM
Hi Ivan,
Thanks for the reply. So if the below config exists for the RA VPN config, even after a 24hr idle connection (no traffic passing) the session remains 'connected', as "vpn-session-timeout" is set to none?
Does the vpn-session-timeout value take priority over the idle-timeout value?
group-policy TEST attributes
vpn-idle-timeout 1440
vpn-session-timeout none
TIA
MS
02-06-2009 12:35 PM
No, whichever is reached first will kick in; so for instance in your setup, after 1 day of not passing traffic the IDLE timeout will kick in. Since session timeout is not configured, idle should kick in.
02-06-2009 12:55 PM
Thanks again Ivan. I am testing this in fact; I see the user has been on over 3 days...
*****************************
group-policy TEST attributes
vpn-idle-timeout 1440
vpn-session-timeout none
Username : Test123
Index : 7
Assigned IP : 192.168.1.60 Public IP : 68.23.41.27
Protocol : IPSecOverNatT
Bytes Tx : 300620590 Bytes Rx : 61534790
Client Type : WinNT Client Ver : 4.8.00.0440
Group Policy : DfltGrpPolicy
Tunnel Group : TEST
Login Time : 22:30:04 EST Mon Feb 2 2009
Duration : 3d 17h:19m:18s
Filter Name :
**************************
This means the user has been passing traffic before the 24hr window elapsed, and that is keeping the session up over 3 days...?
TIA
MS
02-06-2009 01:44 PM
Yep, to be honest with you, it is rather strange when a client, even when idle, stops passing traffic; Windows workstations typically send traffic over and over, even when idle.
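Ivan's rule (whichever limit is reached first wins, and "none" disables a limit) can be checked against a session record like the one MS pasted. The script below is an added example, not part of the thread and not Cisco's code. It assumes the record is one entry of "show vpn-sessiondb detail remote", that timeouts are given in minutes as under "group-policy ... attributes" with None standing for the "none" keyword, and that the time since the client last passed traffic is supplied by the caller, because the 7.1 output above does not report it.

```python
"""Added example (not from the thread): apply the 'whichever limit is reached
first' rule to a session record like the one MS pasted above.

Assumptions (mine, not the ASA's): the record is one entry of
'show vpn-sessiondb detail remote'; timeouts are in minutes as under
'group-policy ... attributes', with None standing for the 'none' keyword;
the idle time is caller-supplied, since the 7.1 output does not show it.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the values MS posted above.
SAMPLE_SESSION = """\
Username : Test123
Index : 7
Assigned IP : 192.168.1.60 Public IP : 68.23.41.27
Protocol : IPSecOverNatT
Bytes Tx : 300620590 Bytes Rx : 61534790
Group Policy : DfltGrpPolicy
Tunnel Group : TEST
Login Time : 22:30:04 EST Mon Feb 2 2009
Duration : 3d 17h:19m:18s
"""

# 'Label : value' pairs; one line may carry two of them (Assigned IP / Public IP).
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?) : (.*?)(?=\s+[A-Z][A-Za-z ]*? : |$)")
DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_session(text):
    """Return {label: value} for one session entry."""
    fields = {}
    for line in text.splitlines():
        for label, value in FIELD_RE.findall(line.strip()):
            fields[label] = value
    return fields


def parse_login_time(value):
    """'22:30:04 EST Mon Feb 2 2009' -> naive datetime. The zone token is
    dropped: the rule only needs elapsed time, not absolute wall-clock time."""
    clock, _zone, *date_tokens = value.split()
    return datetime.strptime(f"{clock} {' '.join(date_tokens)}", "%H:%M:%S %a %b %d %Y")


def parse_duration(value):
    """'3d 17h:19m:18s' -> timedelta; the day part is absent under 24h."""
    m = DURATION_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unrecognised Duration field: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def disconnect_reason(duration, idle_for, vpn_idle_timeout, vpn_session_timeout):
    """Return 'idle', 'session' or None.

    duration: how long the session has existed (the Duration field).
    idle_for: how long since the client last passed traffic.
    vpn_idle_timeout / vpn_session_timeout: minutes, or None for 'none'.
    Whichever limit was crossed earliest wins; if neither is crossed, the
    session stays up.
    """
    exceeded = []
    if vpn_idle_timeout is not None:
        over = idle_for - timedelta(minutes=vpn_idle_timeout)
        if over >= timedelta(0):
            exceeded.append(("idle", over))
    if vpn_session_timeout is not None:
        over = duration - timedelta(minutes=vpn_session_timeout)
        if over >= timedelta(0):
            exceeded.append(("session", over))
    if not exceeded:
        return None
    # The limit overshot by the larger margin was the one reached first.
    return max(exceeded, key=lambda item: item[1])[0]


def evaluate(session_text, idle_minutes, vpn_idle_timeout, vpn_session_timeout):
    """Parse one session entry and report which timer, if any, should have
    torn it down by now under the given policy."""
    fields = parse_session(session_text)
    duration = parse_duration(fields["Duration"])
    reason = disconnect_reason(duration, timedelta(minutes=idle_minutes),
                               vpn_idle_timeout, vpn_session_timeout)
    return {"user": fields["Username"], "login": parse_login_time(fields["Login Time"]),
            "duration": duration, "reason": reason}


if __name__ == "__main__":
    # MS's policy: idle 1440 (one day), session none. A client that keeps
    # sending traffic (idle 5 min) legitimately stays up for days.
    print(evaluate(SAMPLE_SESSION, 5, 1440, None)["reason"])        # None
    # The same client after a full day of silence: the idle timer fires.
    print(evaluate(SAMPLE_SESSION, 24 * 60, 1440, None)["reason"])  # idle
    # With session-timeout 1440 as well, the 3d 17h session would have been
    # cut at the one-day mark regardless of traffic.
    print(evaluate(SAMPLE_SESSION, 5, 1440, 1440)["reason"])        # session
```

The third case is the practical point of the thread: with vpn-session-timeout set to none, a chatty Windows client can hold a tunnel open indefinitely, so a session cap is the only setting that bounds the lifetime of a connection regardless of traffic.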
02-06-2009 02:14 PM
Great. Thank you.. Last question.. I configured a separate group policy (other than DfltGrpPolicy) and applied it under the tunnel-group. But still the client is taking the DfltGrpPolicy (DNS options & split-tunnel network were taken from the configured group). Does the client take the first one in the list..? If so, can I remove the default group one..?
Please see below.. ASA Ver 7.1 (1)
************************
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 1440
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
!
group-policy TEST internal
group-policy TEST attributes
dns-server value 192.168.10.16 192.168.29.17
vpn-idle-timeout 1440
vpn-session-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
backup-servers keep-client-config
!
tunnel-group TESTVPN type ipsec-ra
tunnel-group TESTVPN general-attributes
address-pool TESTPOOL
authentication-server-group (outside) sdi
default-group-policy TEST
tunnel-group TESTVPN ipsec-attributes
pre-shared-key *
************************************
TIA
MS
02-06-2009 02:26 PM
The default group-policy cannot be removed, and the client should get the one that is assigned to the tunnel-group. Go ahead and get the "show vpn-sessiondb detail remote" when the user is connected; you should see there what group policy is taken. One thing to notice is that when there are no defined attributes on the specific group-policy, say the TEST one, then it will inherit the values from the default one.
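Two things in Ivan's answer can be worked through in code: which attributes a user on TEST ends up with once the undefined ones are inherited from DfltGrpPolicy, and whether the "Group Policy" field of "show vpn-sessiondb detail remote" matches what the tunnel-group should hand out. The script below is an added example, not from the thread and not Cisco's code. It assumes that an attribute line present under a policy is explicit (whether its value is "none" or a real value) and that an absent attribute is inherited; only flat "attribute value" lines are modelled, not nested sections such as webvpn, and the sample config is a trimmed copy of what MS posted.

```python
"""Added example (not from the thread): resolve the attributes a user on the
TEST group-policy actually gets, following Ivan's note that attributes not
defined on TEST are inherited from DfltGrpPolicy, and compare the policy a
session reports with the tunnel-group's default-group-policy.

Assumptions (mine): a present attribute line is explicit, even with value
'none'; an absent one is inherited. Only flat 'attribute value' lines are
modelled, not nested sections such as webvpn.
"""
import re

# Constructed from the config MS posted, trimmed to the lines needed here,
# with the wrapped dns-server and split-tunnel-network-list lines rejoined.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 1440
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
!
group-policy TEST internal
group-policy TEST attributes
 dns-server value 192.168.10.16 192.168.29.17
 vpn-idle-timeout 1440
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 backup-servers keep-client-config
!
tunnel-group TESTVPN type ipsec-ra
tunnel-group TESTVPN general-attributes
 address-pool TESTPOOL
 default-group-policy TEST
"""

BLOCK_RE = re.compile(r"^(group-policy|tunnel-group) (\S+) (attributes|general-attributes)$")


def parse_blocks(config):
    """Return {'group-policy': {name: {attr: value}}, 'tunnel-group': {...}}."""
    blocks = {"group-policy": {}, "tunnel-group": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = blocks[m.group(1)].setdefault(m.group(2), {})
            continue
        # '!', a blank line, 'group-policy X internal' or 'tunnel-group X type ...'
        # all end the current block without contributing an attribute.
        if not line or line == "!" or line.split()[0] in blocks:
            current = None
            continue
        if current is not None:
            name, _, value = line.partition(" ")
            current[name] = value
    return blocks


def effective_policy(config, name, default="DfltGrpPolicy"):
    """Attributes the user ends up with: the named policy's explicit lines
    override, everything else falls through to the default policy."""
    policies = parse_blocks(config)["group-policy"]
    merged = dict(policies.get(default, {}))
    merged.update(policies.get(name, {}))
    return merged


def inherited_attributes(config, name, default="DfltGrpPolicy"):
    """Attribute names `name` leaves unset, so the default's value applies."""
    policies = parse_blocks(config)["group-policy"]
    return sorted(set(policies.get(default, {})) - set(policies.get(name, {})))


def policy_check(config, tunnel_group, reported_policy):
    """Compare the 'Group Policy' a session reports with what the tunnel-group
    should hand out. Returns (expected, matches); False is the symptom MS saw,
    DfltGrpPolicy reported although TESTVPN points at TEST."""
    tg = parse_blocks(config)["tunnel-group"].get(tunnel_group, {})
    expected = tg.get("default-group-policy", "DfltGrpPolicy")
    return expected, expected == reported_policy


if __name__ == "__main__":
    eff = effective_policy(SAMPLE_CONFIG, "TEST")
    print(eff["split-tunnel-policy"], eff["dns-server"])
    print(inherited_attributes(SAMPLE_CONFIG, "TEST"))
    print(policy_check(SAMPLE_CONFIG, "TESTVPN", "DfltGrpPolicy"))  # ('TEST', False)
```

Running inherited_attributes against the real config is the quick way to see what a user silently picks up from DfltGrpPolicy (here vpn-simultaneous-logins and vpn-tunnel-protocol, among others), which is why Ivan suggests leaving the default policy's attributes in a disabled state rather than trying to delete them.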
02-06-2009 04:45 PM
Thank you. The same output was already posted in the thread above, or please see below..
Username : TEST123
Index : 7
Assigned IP : 192.168.1.60 Public IP : 67.23.41.27
Protocol : IPSecOverNatT Encryption : AES128
Hashing : MD5
Bytes Tx : 309791114 Bytes Rx : 64465688
Client Type : WinNT Client Ver : 4.8.00.0440
Group Policy : DfltGrpPolicy
Tunnel Group : TESTVPN
Login Time : 22:30:04 EST Mon Feb 2 2009
Duration : 3d 21h:11m:01s
Filter Name :
Tested with another user, same result. Group policy taken is: DfltGrpPolicy
Thank you
MS
02-09-2009 08:05 AM
Odd, try to get the next debugs:
debug crypto isa 20
debug vpn-sessiondb 20
When the client is connecting
02-09-2009 01:09 PM
Will do .
Thank you very much for all your time.
MS
02-10-2009 08:37 AM
Hi Ivan,
Last night I upgraded the IOS on the ASA from 7.1(1) --> 7.2(4), as the hardware experienced a crash with some bug in the IOS, and now the clients are getting the configured 'TEST' group. Thank you for your time in this.
Now my question is: as 'group-policy DfltGrpPolicy attributes' cannot be removed, is it ok to remove the 'webvpn' part of the 'DfltGrpPolicy'? 'webvpn' is not enabled anyway. I remember taking this out before, but when the unit rebooted I think it came back. Wanted to get clarification whether it can be removed permanently or not.
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application
sso-server none
deny-message value Login was.....
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
!
TIA
MS
02-10-2009 08:40 AM
As far as I know, pretty much anything under the DfltGrpPolicy can't be removed; it can be left as default or disabled.