11-14-2009 06:00 PM
We have an new ASA 5510 configured for IPSEC remote VPN connections. Everything is working well except that telnet sessions to a business system at headquarters timeout while idle. It appears that they time out after about 2 hours. Our idle timeout is set to 4 hours in the group policy for IPSEC users. I don't see any other idle timeout setting that could possibly apply to this issue. Anyone have any ideas on what could be causing this?
11-15-2009 02:49 AM
The idle timeout configured in the group-policy is for the tunnel as a whole, i.e. it will bring down the tunnel if there is no traffic for that amount of time.
If I understand your description correctly, the problem is not that the VPN tunnel goes down, but just that a single TCP connection times out.
ASA will normally time out TCP connection after 1 hour, so 2 hours seems strange (unless you meant that the user works for 1 hour and then is idle for 1 hour - or unless you configured the TCP timeout to be 2hrs).
Can you do a telnet and then check "show conn long | inc x.x.x.x" where x.x.x.x is either your client (tunnel) address or the server address.
And/or
Check the syslogs, there should be a message giving a reason for the connection teardown (not at the time when the user tries to reactivate the session, but somewhere before).
hth
Herbert
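Herbert's suggestion to pull the teardown reason out of the syslogs, as an added example that is not part of the original thread: a small Python triage script that parses ASA %ASA-6-302014 "Teardown TCP connection" messages, keeps the ones to port 23 that the ASA itself expired (reason "Conn-timeout"), and checks that the connection lived at least as long as the configured TCP timeout (the 2 hours mentioned in this thread; the message's duration field is the whole lifetime of the connection, not only the idle part). The 302014 layout is the standard ASA one; the log lines, addresses and user name are constructed samples for this script.

```python
"""Triage ASA syslog teardown messages (%ASA-6-302014) to confirm an idle timeout.

Added example, not code from the original thread. The message layout follows the
standard ASA 302014 format; SAMPLE_LOG below is constructed for this script.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Teardown TCP connection <id> for <if>:<ip>/<port> [(<nat-ip>/<port>)]
#   to <if>:<ip>/<port> [(<nat-ip>/<port>)] duration h:mm:ss bytes <n> [<reason>] [(<user>)]
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([\d.]+/\d+\))? "
    r"to (?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: \([\d.]+/\d+\))? "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>[^()]+?))?(?: \((?P<user>[^)]+)\))?\s*$"
)


@dataclass
class Teardown:
    conn_id: int
    src: str            # "interface:ip/port" of the initiator (the VPN client here)
    dst: str            # "interface:ip/port" of the server
    dst_port: int
    duration_s: int     # whole lifetime of the connection, not just the idle tail
    reason: str         # e.g. "Conn-timeout", "TCP FINs", "TCP Reset-O"
    user: Optional[str]


def parse_teardown(line: str) -> Optional[Teardown]:
    """Return the parsed teardown, or None for any other syslog line."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    duration = int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"])
    return Teardown(
        conn_id=int(g["conn_id"]),
        src=f'{g["src_if"]}:{g["src_ip"]}/{g["src_port"]}',
        dst=f'{g["dst_if"]}:{g["dst_ip"]}/{g["dst_port"]}',
        dst_port=int(g["dst_port"]),
        duration_s=duration,
        reason=(g["reason"] or "").strip(),
        user=g["user"],
    )


def idle_timeouts_on_port(lines: Iterable[str], port: int = 23,
                          configured_timeout_s: int = 7200) -> List[Teardown]:
    """Teardowns to `port` that the ASA expired itself (reason Conn-timeout).

    An idle-timeout teardown has duration >= the configured TCP timeout: the
    session was used for a while, then sat idle for the full timeout period.
    A server-side disconnect shows up as "TCP FINs" or "TCP Reset-*" instead.
    """
    hits = []
    for line in lines:
        t = parse_teardown(line)
        if (t and t.dst_port == port and t.reason == "Conn-timeout"
                and t.duration_s >= configured_timeout_s):
            hits.append(t)
    return hits


def reasons_on_port(lines: Iterable[str], port: int = 23) -> Dict[str, int]:
    """Histogram of teardown reasons for one destination port."""
    return dict(Counter(t.reason for t in map(parse_teardown, lines)
                        if t and t.dst_port == port))


# Constructed sample syslog; addresses, ids and the user name are made up.
SAMPLE_LOG = [
    "Nov 16 2009 05:42:11: %ASA-6-302014: Teardown TCP connection 1048576 for "
    "outside:192.168.50.10/49201 to inside:10.10.1.20/23 duration 2:00:01 bytes 5831 Conn-timeout",
    "Nov 16 2009 05:50:02: %ASA-6-302014: Teardown TCP connection 1048590 for "
    "outside:192.168.50.10/49202 to inside:10.10.1.20/23 duration 0:15:33 bytes 2210 TCP FINs",
    "Nov 16 2009 05:50:09: %ASA-6-302013: Built inbound TCP connection 1048601 for "
    "outside:192.168.50.11/49300 (192.168.50.11/49300) to inside:10.10.1.30/443 (10.10.1.30/443)",
    "Nov 16 2009 07:50:09: %ASA-6-302014: Teardown TCP connection 1048601 for "
    "outside:192.168.50.11/49300 to inside:10.10.1.30/443 duration 2:00:00 bytes 120 Conn-timeout",
    "Nov 16 2009 09:12:40: %ASA-6-302014: Teardown TCP connection 1048620 for "
    "outside:192.168.50.12/49410 to inside:10.10.1.20/23 duration 3:05:40 bytes 9920 Conn-timeout (jdoe)",
]

if __name__ == "__main__":
    for t in idle_timeouts_on_port(SAMPLE_LOG):
        print(f"conn {t.conn_id} {t.src} -> {t.dst} lived {t.duration_s}s, "
              f"reason {t.reason}, user {t.user}")
    print(reasons_on_port(SAMPLE_LOG))
```

Feed it the output of `show logging` or the syslog server's file for the day; a telnet teardown with reason Conn-timeout and a duration of at least the configured timeout is the ASA expiring the idle connection, while "TCP FINs" or a reset means the server or client ended it and the firewall timeout is not the cause.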
11-16-2009 05:55 AM
Herbert,
The TCP timeout is set to 2 hours and you are correct, the tunnel stays up but the telnet session is unresponsive after it has been idle for the 2 hours. I will look at the logs the next time this occurs. Anyone else?
11-16-2009 06:03 AM
Well, if the TCP timeout is set to 2 hours, then that means that the ASA will time out a TCP connection that is idle for 2 hours, so this is normal behavior.
Check this for a solution:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml
hth
Herbert
11-16-2009 06:16 AM
Herbert,
In your suggested solution in the intro, it states that "This feature is not applicable in an IPsec VPN environment."
11-16-2009 07:31 AM
Sorry, I hadn't looked into the doc in detail. I think it says this because in the example, a separate policy named "telnet" is created and this is applied to the outside interface. This will indeed not work for traffic entering over a VPN tunnel.
For tunneled traffic, the global policy should be used, so something like this:
! match telnet (tcp/23) from any source to any destination, so that traffic
! arriving over the VPN tunnel is covered as well
access-list telnet extended permit tcp any any eq telnet
!
class-map telnet
 description telnet
 match access-list telnet
!
! add the class to the existing global policy rather than to an
! interface policy: the global policy applies to tunneled traffic
policy-map global_policy
 class telnet
  ! 10-hour idle timeout for this traffic only; "reset" sends a TCP RST
  ! to both ends when the connection is finally removed
  ! (on ASA 8.2(2) and later the keyword is "idle" instead of "tcp")
  set connection timeout tcp 10:00:00 reset
!
service-policy global_policy global