User of VPN Client prompted for authentication after 48mins

Unanswered Question
Mar 22nd, 2010

Hello,

I have set up VPN access on a 2801 (IOS 12.4.24T2) and use VPN client 5.00.06.160.

The remote access works great except that the users are prompted to re-enter credentials every 48 mins.

I discovered that it is linked to the lifetime of the isakmp sa and that 48 mins (2880 secs) seems to be a kind of pre-end of life for the sa.

We are using radius to authenticate users.

I could extend the life of the isakmp to a high value but I would prefer that the rekey does not prompt my users to re-authenticate.

Can this be done?

Any help will be greatly appreciated.

Didier

darkfact Mon, 03/22/2010 - 15:50

I believe what you can do is set the isakmp lifetime for something like 86400 (1 day) and then specify an idle timeout and/or session timeout within the ipsec vpn parameters depending on how long you want their sessions to stay active. (ASA firewall has vpn-idle-timeout and vpn-session-timeout commands, IOS is slightly different.) Cisco has a good doc for troubleshooting that has some of the commands listed. Hope that helps.

http://www.cisco.com/en/US/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13

didier.moreau Tue, 03/23/2010 - 06:23

Hello,

Unfortunately, I need the connections to be up more than 24 hours. Changing the lifetime to the maximum (24h) would just limit the number of user complaints.

In fact, if I could find a way to have isakmp rekey done without requiring the user to re-authenticate, that would be the ideal. Could it be one of the radius attributes?
