Hi Ivan,

Thanks for the reply. So if the below config is existing for RA vpn config, even after 24hrs idle connection (no traffic passing) the session remains 'connected' as "vpn-session-timeout" set to none?

vpn-session-timeout value takes priority over idle-timeout value?

group-policy TEST attributes

vpn-idle-timeout 1440

vpn-session-timeout none

TIA

MS

No, whatever is reached first will be kicking in, so for instance in your setup after 1 day of not passing traffic the IDLE timeout will kick in, since session timeout is not configured then idle should kick in.

Thanks again Ivan. I am testing this infact, I see the user has been on over 3days...

*****************************

group-policy TEST attributes

vpn-idle-timeout 1440

vpn-session-timeout none

Username : Test123

Index : 7

Assigned IP : 192.168.1.60 Public IP : 68.23.41.27

Protocol : IPSecOverNatT

Bytes Tx : 300620590 Bytes Rx : 61534790

Client Type : WinNT Client Ver : 4.8.00.0440

Group Policy : DfltGrpPolicy

Tunnel Group : TEST

Login Time : 22:30:04 EST Mon Feb 2 2009

Duration : 3d 17h:19m:18s

Filter Name :

**************************

This means users has been passing the traffic before the 24hrs window elapsed and that keeping the session up over 3days...?

TIA

MS

yep, to be honest with you, it is rather strange when a client even when idle stops passing traffic, windows workstation typically send traffic over and over, even when idle.

Great. Thank you.. Last question.. I configrued a seperate group policy (than DfltGrpPolicy) and applied it under tunnel-group. But still the client taking the DfltGrpPolicy (dns options & Split-tunnel N/W were taking from configured group). Client takes the first one in the list..? if so, can I remove the Default group one..?

Please see below.. ASA Ver 7.1 (1)

************************

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 1440

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

client-access-rule none

!

group-policy TEST internal

group-policy TEST attributes

dns-server value 192.168.10.16

192.168.29.17

vpn-idle-timeout 1440

vpn-session-timeout none

split-tunnel-policy tunnelspecified

split-tunnel-network-list value

SPLIT_TUNNEL

backup-servers keep-client-config

!

tunnel-group TESTVPN type ipsec-ra

tunnel-group TESTVPN general-attributes

address-pool TESTPOOL

authentication-server-group (outside)

sdi

default-group-policy TEST

tunnel-group TESTVPN ipsec-attributes

pre-shared-key *

************************************

TIA

MS

The default group-policy cannot be removed, and the client should get the one that is assinged to the tunnel-group, go ahead and get the "show vpn-sessiondb detail remote" when the user is connected, you should see there what group policy is taken. One thing to notice is that when there are not defined attributes on the specific group-policy, say the TEST one, then it will inherit the values from the default one.

Thank you. The same o/p already posted in the above threads.. or please see below..

Username : TEST123

Index : 7

Assigned IP : 192.168.1.60 Public IP : 67.23.41.27

Protocol : IPSecOverNatT Encryption : AES128

Hashing : MD5

Bytes Tx : 309791114 Bytes Rx : 64465688

Client Type : WinNT Client Ver : 4.8.00.0440

Group Policy : DfltGrpPolicy

Tunnel Group : TESTVPN

Login Time : 22:30:04 EST Mon Feb 2 2009

Duration : 3d 21h:11m:01s

Filter Name :

Tested with another user, same result. Group policy taking is :DfltGrpPolicy

Thank you

MS

Odd, try to get the next debugs:

debug crypto isa 20

debug vpn-sessiondb 20

When the client is connecting

Will do .

Thank you very much for all your time.

MS

Hi Ivan,

Last night I upgraded IOS on ASA from

7.1(1)-->7.2(4), as the hardware experienced crash with some bug in IOS, and now the clients getting the configured 'TEST' group. Thank you for your time in this. Now my question is, as-

group-policy DfltGrpPolicy attributes

cannot be removed- is it ok to remove the 'webvpn' part of the 'DfltGrpPolicy '. 'webvpn' is not enabled anyway. I remember taking this out before but whne unit rebooted, I think it came back.Wanted to get clarification whether it can be removed permanantly or not.

!

group-policy DfltGrpPolicy attributes

banner none

wins-server none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application

sso-server none

deny-message value Login was.....

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

!

TIA

MS

As far as I know, pretty much anything under the DfltGrpPolicy can't be removed, it can be left as default or disabled.