
When the vpn-idle-time reaches 0, the session is not disconnecting

shservice
Level 1

Hi,

I have an ASA that uses AnyConnect for SSL VPN.

AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1851.1
Public IP : 218.1.37.214
Encryption : none Hashing : none
TCP Src Port : 58885 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : win
Client OS Ver: 6.1.7601 Service Pack 1
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.2.05015
Bytes Tx : 6631 Bytes Rx : 0
Pkts Tx : 5 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

group-policy vpn-ct-policy internal
group-policy vpn-ct-policy attributes
wins-server none
dns-server value 202.120.80.2 202.120.81.2
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain value vpn-ct.ecnu.edu.cn
address-pools value vpn-ct
webvpn
anyconnect ssl keepalive 150

We can see the idle time is 0 minutes, but it does not disconnect.

How can I resolve it? Thanks.


Aditya Ganjoo
Cisco Employee

Hi,

Can you share the output of show vpn-sessiondb detail anyconnect from the ASA?

IDLE timeout is used to disconnect the SSL VPN tunnel.


However, remember that it is not only the SSL-Tunnel that must idle out, but the DTLS tunnel as well. Unless the DTLS session times out, the SSL-Tunnel is retained in the database.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi, Aditya

I'm so sorry for the late reply.

This is my log:


Session Type: AnyConnect Detailed

Username : 10130340102 Index : 1851
Assigned IP : 49.52.14.227 Public IP : 218.1.37.214
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 191925224 Bytes Rx : 12691767
Pkts Tx : 177599 Pkts Rx : 115411
Pkts Tx Drop : 6645 Pkts Rx Drop : 0
Group Policy : vpn-ct-policy Tunnel Group : vpn-ct
Login Time : 01:55:21 UTC Thu Sep 29 2016
Duration : 5d 3h:04m:25s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ca7858a10073b00057ec7489
Security Grp : none

AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1851.1
Public IP : 218.1.37.214
<--- More --->

Cisco-VPN/vpn-ct# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : 10130340102 Index : 1851
Assigned IP : 49.52.14.227 Public IP : 218.1.37.214
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 191925224 Bytes Rx : 12691767
Pkts Tx : 177599 Pkts Rx : 115411
Pkts Tx Drop : 6645 Pkts Rx Drop : 0
Group Policy : vpn-ct-policy Tunnel Group : vpn-ct
Login Time : 01:55:21 UTC Thu Sep 29 2016
Duration : 5d 3h:04m:27s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ca7858a10073b00057ec7489
Security Grp : none

AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1851.1
Public IP : 218.1.37.214
<--- More --->

Encryption : none Hashing : none
TCP Src Port : 58885 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : win
Client OS Ver: 6.1.7601 Service Pack 1
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.2.05015
Bytes Tx : 6631 Bytes Rx : 0
Pkts Tx : 5 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Username : 52130601018 Index : 1866
Assigned IP : 49.52.14.236 Public IP : 180.160.53.58
Protocol : AnyConnect-Parent
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 18190267 Bytes Rx : 2572946
Pkts Tx : 26185 Pkts Rx : 23314
Pkts Tx Drop : 562 Pkts Rx Drop : 0
Group Policy : vpn-ct-policy Tunnel Group : vpn-ct
Login Time : 03:52:27 UTC Thu Sep 29 2016
Duration : 5d 1h:07m:21s
<--- More --->

Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ca7858a10074a00057ec8ffb
Security Grp : none

AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1866.1
Public IP : 180.160.53.58
Encryption : none Hashing : none
TCP Src Port : 43028 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : android
Client OS Ver: 4.4.2
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Android 4.0.05015
Bytes Tx : 1575 Bytes Rx : 0
Pkts Tx : 2 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Username : 51143400039 Index : 1867
Assigned IP : 49.52.14.232 Public IP : 180.160.71.194
<--- More --->

Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 34910677 Bytes Rx : 9143830
Pkts Tx : 44151 Pkts Rx : 33324
Pkts Tx Drop : 1258 Pkts Rx Drop : 0
Group Policy : vpn-ct-policy Tunnel Group : vpn-ct
Login Time : 04:09:18 UTC Thu Sep 29 2016
Duration : 5d 0h:50m:30s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ca7858a10074b00057ec93ee
Security Grp : none

AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1867.1
Public IP : 180.160.71.194
Encryption : none Hashing : none
TCP Src Port : 61296 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
<--- More --->

Client OS : win
Client OS Ver: 10.0.14393
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.2.05015
Bytes Tx : 6631 Bytes Rx : 0
Pkts Tx : 5 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Username : 10132150124 Index : 1876
Assigned IP : 49.52.14.240 Public IP : 117.136.8.78
Protocol : AnyConnect-Parent
License : AnyConnect Premium, AnyConnect for Mobile
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
Bytes Tx : 490449 Bytes Rx : 69763
Pkts Tx : 542 Pkts Rx : 798
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : vpn-ct-policy Tunnel Group : vpn-ct
Login Time : 06:17:36 UTC Thu Sep 29 2016
Duration : 4d 22h:42m:12s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ca7858a10075400057ecb200
Security Grp : none
<--- More --->
AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 1876.1
Public IP : 117.136.8.78
Encryption : none Hashing : none
TCP Src Port : 18996 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : apple-ios
Client OS Ver: 9.3.4
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Apple iPhone 4.0.05052
Bytes Tx : 1575 Bytes Rx : 0
Pkts Tx : 2 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Username : 10140330122 Index : 1885
Assigned IP : 49.52.14.235 Public IP : 180.160.47.55
Protocol : AnyConnect-Parent
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none
Hashing : AnyConnect-Parent: (1)none
<--- More --->

You can see my VPN sessions: the idle time is 0, but the session does not disconnect.

Thanks

Hi,

Can you confirm if you see any increments in the RX/TX counters on the session?

Also confirm what ASA version is being used.

The idle timeout is not related to the inactivity time. The inactivity timer is used for displaying the session information of a disconnected user (disconnected due to network loss). When the user connection is interrupted and ASA does not see any DPDs the "SSL-Tunnel" to client is cleared and inactivity timer is triggered.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi,

I confirm the client already has no packets for RX/TX, because on this client I deleted the process in Windows, then restarted Windows and shut down AnyConnect, but the ASA did not clear the session.

My ASA version is 9.5(2).

This ASA has four contexts; in two virtual contexts the sessions disconnect automatically, and the others are not OK.

The ASA with the error is different from the others; only its client goes through a NAT device to the ASA.

The topology is:

client ---- nat device --- ASA
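
An added example, not part of the original thread or any Cisco tooling: a small parser for pasted `show vpn-sessiondb detail anyconnect` output that lists the sessions showing the symptom reported above (only an AnyConnect-Parent tunnel present, Idle TO Left at 0 minutes, session still in the database). The sample text is constructed with placeholder usernames, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the output pasted in this thread;
# usernames are placeholders, and a pager prompt splits the first record.
SAMPLE = """\
Username : user-a Index : 1851
Duration : 5d 3h:04m:27s
AnyConnect-Parent Tunnels: 1
AnyConnect-Parent:
<--- More --->
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Username : user-b Index : 1900
Duration : 0h:12m:03s
AnyConnect-Parent:
Idle Time Out: 30 Minutes Idle TO Left : 18 Minutes
SSL-Tunnel:
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
"""

USER = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)")
DURATION = re.compile(r"^Duration\s*:\s*(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")
TUNNEL = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s*$")
IDLE = re.compile(r"^Idle Time Out\s*:\s*(\d+) Minutes\s+Idle TO Left\s*:\s*(\d+) Minutes")

def parse_sessions(text):
    """Return one dict per session; pager prompts inside a record are skipped."""
    sessions, cur, tunnel = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("<---"):
            continue
        if m := USER.match(line):
            cur, tunnel = {"user": m[1], "index": int(m[2]), "duration_s": 0, "tunnels": {}}, None
            sessions.append(cur)
        elif cur is None:
            continue  # paste started mid-record: no session to attach to yet
        elif m := DURATION.match(line):
            d, h, mi, s = (int(x or 0) for x in m.groups())
            cur["duration_s"] = ((d * 24 + h) * 60 + mi) * 60 + s
        elif m := TUNNEL.match(line):
            tunnel = m[1]  # header of a per-tunnel block
        elif (m := IDLE.match(line)) and tunnel:
            cur["tunnels"][tunnel] = (int(m[1]), int(m[2]))  # (timeout, left) in minutes
    return sessions

def parent_only_expired(sessions):
    """Indexes of sessions with only a parent tunnel whose idle timer reads 0."""
    return [s["index"] for s in sessions
            if set(s["tunnels"]) == {"AnyConnect-Parent"}
            and s["tunnels"]["AnyConnect-Parent"][1] == 0
            and s["duration_s"] > s["tunnels"]["AnyConnect-Parent"][0] * 60]
```

The returned indexes match the Index field of the session database output, so each flagged entry can be looked up and reviewed individually on the ASA.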
