Can we time out the vpn session on 1710 Router?

harryjeng · ‎10-30-2002

We setup the 1710 access router for user to use Cisco VPN client 3.6.2 to dial-in. We found out that user can disconnect themselves after they finish what they need to do. But what if the user just log out of the server but forget to disconnect the vpn connection?

Can we setup a idle time out?

Can we terminate the unwanted user?

gfullage · ‎10-30-2002

The router and the client support DPD (Dead Peer Detection), which is basically a keepalive packet sent out at regular intervals (that can't be changed), and if the router detects that the client is not there it'll remove the tunnel.

You can terminate a particular tunnel if you know which one it is specifically, by using the command:

> clear crypto sa peer

command detailed here (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_r/srprt4/srdipsec.htm#1017392). There's other options as you'll see to define which tunnel you want to clear.

Unfortunately there's no way to map a tunnel to a username or anything like that, so it may be difficult to figure out who is who. If you only have the one user though, then just clear them all with "clear cry sa" and "clear cry isa".

harryjeng · ‎11-09-2002

Thank you, but I try to use cisco vpn client 3.6.2 to connect to 1710, after connect, I do nothing, but the connection will not time out after 12 hours, is there a command I can configure or how to make sure DPD will working properly?

About this "clear crypto sa peer , I acturally try it out already when I try to disconnect one user, what happened was:

After I "clear crypto sa peer , it looks like the sa got clear but from the client side I still see the connection, and if I do something, the 1710 can see the sa again. I thought it should be able to terminate any user we want but it didn't look like so so far.

Thanks

Harry