User of VPN Client prompted for authentication after 48mins

didier.moreau
Level 1

Hello,

I have set up VPN access on a 2801 (IOS 12.4.24T2) and use VPN client 5.00.06.160.

The remote access works great except that the users are prompted to re-enter credentials every 48 mins.

I discovered that it is linked to the lifetime of the ISAKMP SA and that 48 mins (2880 secs) seems to be a kind of pre-end of life for the SA.

We are using RADIUS to authenticate users.

I could extend the life of the ISAKMP SA to a high value but I would prefer that the rekey does not prompt my users to re-authenticate.

Can this be done?

Any help will be greatly appreciated.

Didier

2 Replies

darkfact
Level 1

I believe what you can do is set the ISAKMP lifetime to something like 86400 (1 day) and then specify an idle timeout and/or session timeout within the IPsec VPN parameters depending on how long you want their sessions to stay active. (ASA firewall has vpn-idle-timeout and vpn-session-timeout commands, IOS is slightly different.) Cisco has a good doc for troubleshooting that has some of the commands listed. Hope that helps.

http://www.cisco.com/en/US/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13

Hello,

Unfortunately, I need the connections to be up more than 24 hours. Changing the lifetime to the maximum (24h) would just limit the number of user complaints.

In fact, if I could find a way to have the ISAKMP rekey done without requiring the user to re-authenticate, that would be ideal. Could it be one of the RADIUS attributes?
