Cisco Support Community
Community Member

timeout conn 1:00:00

I see the following command on my ASA

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Does this apply to VPN users also?

The reason I ask is that some VPN users are getting dropped after a few minutes and we don't know why.

I see no IDLE timeout in the config.

ASDM is currently unavailable.


Re: timeout conn 1:00:00

No, those timeouts don't apply to VPN users. I'd recommend enabling logging on the client software for one or more of the users who are having the problem since the client log tends to be more informative than the corresponding logs in the ASA, and they only apply to that client so you don't have to wade through a bunch of messages that aren't pertinent. Set all the levels to 3, the highest setting, and have the user save the log messages to a file and send them to you when they see the problem. I suspect you'll see messages akin to "remote peer not responding", which points to some sort of connectivity problem between them and the ASA. Otherwise, these users could also be seeing an issue with the forced keepalives. The first question in this article at Cisco's web site talks about this and tells how to turn them off by editing the client .pcf file:

Community Member

Re: timeout conn 1:00:00

great!..will do
