
User of VPN Client prompted for authentication after 48mins

Unanswered Question
Mar 22nd, 2010


I have set up VPN access on a 2801 (IOS 12.4.24T2) and use the VPN client.

The remote access works great except that the users are prompted to re-enter credentials every 48 mins.

I discovered that it is linked to the lifetime of the isakmp sa and that 48 mins (2880 secs) seems to be a kind of pre-end of life for the sa.

We are using radius to authenticate users.

I could extend the life of the isakmp to a high value but I would prefer that the rekey does not prompt my users to re-authenticate.

Can this be done?

Any help will be greatly appreciated.


darkfact Mon, 03/22/2010 - 15:50

I believe what you can do is set the isakmp lifetime for something like 86400 (1 day) and then specify an idle timeout and/or session timeout within the ipsec vpn parameters depending on how long you want their sessions to stay active. (ASA firewall has vpn-idle-timeout and vpn-session-timeout commands, IOS is slightly different.) Cisco has a good doc for troubleshooting that has some of the commands listed. Hope that helps.


didier.moreau Tue, 03/23/2010 - 06:23


Unfortunately, I need the connections to be up more than 24 hours. Changing the lifetime to the maximum (24h) would just limit the number of user complaints.

In fact, if I could find a way to have isakmp rekey done without requiring the user to re-authenticate, that would be the ideal. Could it be one of the radius attributes?

