ASA5520 RDP Session Timeout

hrollins
Level 1

Greetings,

I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up an RDP based connection, for monitoring purposes, for most of the day, but their RDP connection keeps getting disconnected after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glaring differences in regards to the configuration that would cause the RDP sessions to either stay up or be disconnected after an inactivity type scenario.

Would someone here be able to give me some idea of what to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time? Whatever feedback is provided would be greatly appreciated.

Regards,

Jaime

2 Replies

Jennifer Halim
Cisco Employee

The behaviour on version 8.0.4 is more a bug than a feature. If there is no traffic going through the RDP session, the firewall should really tear down the connection, hence the RDP session is disconnected. This is the TCP proxy behaviour where the idle timeout kicks in so an attacker can't launch an attack using the same session if it is left idle for too long.

If you would need to keep the RDP session up for a long time, I would suggest the following 2 options:

1) Run a probe/continuous ping through the RDP session to keep the RDP up.

2) Configure the TCP idle timeout on the ASA, specific to only the RDP session, to be zero, i.e. no idle timeout. That would keep the RDP session up, but bear in mind that that is keeping the resource/connection up on the ASA even though it is not being used. Depending on how many RDP sessions you have, and how busy your ASA is, the longer the session is kept even though it is not being used, the more resources are used on the ASA.
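
Option 2 above, sketched as an added configuration example that is not part of the original reply and not Cisco-supplied: it scopes the zero idle timeout to RDP (TCP/3389) from the VPN client pool to one server, and leaves the global `timeout conn` value untouched. The object names (`RDP-NO-IDLE`, `RDP-LONG-LIVED`) and all addresses are constructed placeholders, and it assumes the default `global_policy` is still applied globally; the `tcp` keyword is the 8.0 syntax and later releases rename it to `idle`.

```cisco
! --- Check first: the global idle timer that is tearing the sessions down.
! show running-config timeout
!
! --- Not recommended: disabling the timer globally keeps EVERY idle TCP
! --- connection in the table, not only RDP.
! timeout conn 0:00:00
!
! --- Scoped alternative: match only RDP from the VPN pool to the server.
! --- 192.0.2.0/24 (VPN client pool) and 198.51.100.10 (RDP host) are
! --- placeholder values; substitute your own.
access-list RDP-NO-IDLE extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.10 eq 3389
!
class-map RDP-LONG-LIVED
 match access-list RDP-NO-IDLE
!
! --- 0:00:00 means the matched connections never idle out. A finite value
! --- long enough for the working day (for example 12:00:00) bounds the
! --- resource use described in option 2.
policy-map global_policy
 class RDP-LONG-LIVED
  set connection timeout tcp 0:00:00
!
! --- Present by default; listed here only to show where the policy attaches.
service-policy global_policy global
!
! --- Verify that the class is matching and which connections are held open.
! show service-policy
! show conn port 3389
```

Keeping the ACL as narrow as the monitoring use case allows means any other idle connection through the firewall is still torn down by the default timer.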

Jennifer,

Thanks for the response. I suspected that the 8.0.4 non-timeout behavior was more of a bug than a feature since the 8.0.3 boxes were timing out due to the default TCP connection timeout setting.

Thanks for the reply.

Jaime
