Sorry if this has already been addressed in another thread. I looked and didn't find anything, so I am posting here.

We are currently using the AnyConnect client on our ASA 5520s. The only issue I am having right now is that the timeout doesn't seem to be working correctly. I have the current group policy Idle Timeout set to 30 minutes, and the clients never get disconnected unless you manually disconnect them.

At first I thought that keepalives or DPD was somehow affecting this, but after testing they don't appear to be. It appears that the idle timeout just doesn't work. Anyone have any ideas of what I am missing? Or does the idle timeout function just not work?
I look at the idle timeout as a legacy feature, due to the fact that modern operating systems are inherently chatty. If you run a sniffer on the AnyConnect VA and then leave the PC for a few minutes, you will capture all sorts of packets to and from the client, even though you are not actively working on the PC. If your intent is to manage user sessions, you could set a max session time. Once the max session time limit is reached, the user will be disconnected from the system. The users will then need to reconnect if they require continued network access.

Dead Peer Detection is a mechanism used by the headend or the client in order to quickly detect a condition where the peer is not responding and the connection has failed. For example, in a perfect world all AnyConnect users will right-click on the tray icon and click Disconnect in order to gracefully disconnect the session. In reality, users may lose their connection to the Internet, power down their PC while connected, etc. Without DPD, the headend device will maintain the now stale session information in the event that the SSL client tries to reconnect. This will require manual intervention by an administrator in order to manually log off the sessions. With DPD, the headend can recognize the loss of connectivity to the client and terminate the session information. DPD is a hello and ACK process between client and server. If a series of hello messages are not ACK'd, the related session information is cleared from the client or server. This is maintained by SSL and is unrelated to the network-traffic-related idle timeout.
Below are a few links for your reference. Please let me know if I can be of any further assistance.
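As an added example (not part of the original thread or of any Cisco documentation), the ASA group-policy settings the reply refers to, shown side by side: the idle timeout that a chatty OS rarely lets expire, the maximum session time that enforces a hard limit regardless of traffic, and the DPD intervals that let the headend clear stale sessions without an administrator logging them off by hand. The policy name GP-ANYCONNECT, the timer values and the username jdoe are assumptions for illustration; the `anyconnect` keyword form is the one used on ASA 8.4 and later (older releases spell these commands with `svc`).

```text
! Constructed example; group-policy name and values are hypothetical
group-policy GP-ANYCONNECT attributes
 ! Idle timeout in minutes. Background traffic from a modern OS keeps the
 ! tunnel "active", so this timer seldom fires for AnyConnect users.
 vpn-idle-timeout 30
 ! Maximum session time in minutes (here 8 hours). Enforced regardless of
 ! traffic; the user must reconnect after it expires.
 vpn-session-timeout 480
 webvpn
  ! Dead Peer Detection: seconds between hello messages sent by the client
  ! and by the ASA (gateway). Unanswered hellos clear the stale session.
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
!
! Verification: list active AnyConnect sessions with their duration and
! inactivity counters
show vpn-sessiondb anyconnect
!
! Manual clean-up of a stale session, i.e. the administrator intervention
! that DPD is meant to make unnecessary (username is hypothetical)
vpn-sessiondb logoff name jdoe
```

The session timeout is the control to rely on when the goal is bounding how long a user stays connected; the idle timeout and DPD address different conditions (an idle tunnel and a peer that vanished), and the `show vpn-sessiondb anyconnect` output is the quickest way to confirm which timer, if any, is actually counting down for a given session.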