New Member

AnyConnect Session Timeout Question

We have some remote users that are not happy with the SSL AnyConnect connection going down after they close their laptops or lose their wireless connection for a time. I read this question and answer from a Cisco page and was wondering where the session timeout setting is changed. Is it on the client NIC, the AnyConnect software or the ASA firewall?

Thanks, Pat.

Q. What is the AnyConnect reconnect behavior?

A. AnyConnect will attempt to reconnect if the connection is disrupted. This behavior is automatic and not configurable. As long as the session on the ASA is still valid, the session will be resumed if AnyConnect can re-establish the physical connection.

Version 2.2 includes a roaming feature that allows AnyConnect to reconnect after a PC sleep. The client will continue trying indefinitely until the head-end tells it that it cannot reconnect and the client will not immediately tear down the tunnel when the system goes in to hibernate/standby. For customers who do not want this feature, set the session timeout to a low value to prevent sleep or resume reconnects.

16 REPLIES
Cisco Employee

AnyConnect Session Timeout Question

The session timeout is to be configured on the ASA firewall. That setting is being pushed when the AnyConnect client connects as part of the policy received from the ASA firewall.

Here is the configuration:

vpn-session-timeout

to be configured under the respective group-policy.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1631430

New Member

AnyConnect Session Timeout Question

Jennifer, thank you for the response.

What if a remote user lost their connection to the Internet and when they reconnected they got a new address? If we increased the vpn-session-timeout to, say, 180 minutes, would they still be able to re-connect automatically during the 180 minute time frame?

What if, during the 180 minute time frame, they connected to a different wifi network?

Thanks, Pat.

Cisco Employee

AnyConnect Session Timeout Question

The answer to both your questions is YES, they will be able to re-connect automatically as long as the session within the ASA is still valid.

Here is the document to confirm the behaviour:

https://supportforums.cisco.com/docs/DOC-1361#Q_VPN_session_failover_SSL_is_possible_with_dual_Internet_Service_Providers_ISPs_without_breaking_the_session_For_example_if_a_customer_is_communicating_through_SSL_VPN_through_ISP_1_if_ISP_1_goes_down_wi...

In the above document, dual ISP basically means different IP addresses, which is what you were asking, i.e.:

1/ received a new IP address

2/ different wifi - means a different IP address

New Member

AnyConnect Session Timeout Question

Jennifer,

correct me if I am wrong but, although the vpn-session-timeout needs to be set to a reasonable amount of time to provide a practical session length, shouldn't I be more concerned with the vpn-idle-timeout setting? This setting seems to address the limitation that remote users have been having when closing their laptops, losing wireless connectivity, or going to a different wireless network.

Thanks, Pat

Step 7 Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword also permits an unlimited idle timeout period. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15

Step 8 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-session-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value. At the end of this period of time, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. Specifying the none keyword permits an unlimited session timeout period and sets the session timeout to a null value, which disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
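As an added audit check (not code from the thread or from Cisco's documentation), the script below reads group-policy blocks from a constructed running-config fragment in the format shown above, resolves vpn-idle-timeout and vpn-session-timeout per policy, and flags policies whose sessions the ASA will never expire on its own. It assumes an unset attribute inherits from the DfltGrpPolicy group policy and otherwise falls back to the documented defaults (idle 30 minutes; no session default, i.e. unlimited).

```python
import re

# Constructed ASA running-config fragment for this example (not taken from the thread).
SAMPLE_CONFIG = """
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-session-timeout 180
group-policy Roaming internal
group-policy Roaming attributes
 vpn-idle-timeout none
"""

DEFAULT_IDLE_MINUTES = 30  # default quoted in Step 7; vpn-session-timeout has no default

def parse_group_policies(config_text):
    """Map group-policy name -> {timeout command: 'none' | '<minutes>'}."""
    policies, current = {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # top-level line starts a new section
            m = re.match(r"^group-policy (\S+) attributes$", line)
            current = policies.setdefault(m.group(1), {}) if m else None
            continue
        m = re.match(r"^\s+(vpn-idle-timeout|vpn-session-timeout) (none|\d+)$", line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return policies

def effective_timeout(policies, name, key):
    """Resolve a timeout to 'none' (unlimited) or minutes (int).
    Assumption: an unset attribute inherits from DfltGrpPolicy; if unset there too,
    the documented defaults apply (idle 30 min; session has no default = unlimited)."""
    for pol in (name, "DfltGrpPolicy"):
        value = policies.get(pol, {}).get(key)
        if value is not None:
            return "none" if value == "none" else int(value)
    return DEFAULT_IDLE_MINUTES if key == "vpn-idle-timeout" else "none"

def audit(config_text):
    """Per-policy effective timeouts, flagging sessions the ASA will never expire on its own."""
    policies = parse_group_policies(config_text)
    report = {}
    for name in policies:
        idle = effective_timeout(policies, name, "vpn-idle-timeout")
        session = effective_timeout(policies, name, "vpn-session-timeout")
        report[name] = {"idle": idle, "session": session,
                        "never_expires": idle == "none" and session == "none"}
    return report
```

A policy flagged never_expires keeps a lost or stolen laptop's tunnel valid until the user disconnects or an administrator clears the session, so it deserves an explicit review.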


Cisco Employee

AnyConnect Session Timeout Question

The VPN idle timeout by default is 30 minutes, and if users are just roaming to another wireless hotspot and/or receiving a new IP address, then typically it would take a couple of minutes maximum, so the default idle timeout will be more than enough time and will not terminate the session.

New Member

Re: AnyConnect Session Timeout Question

Thanks Jennifer,

What I want to stop is the need for the user to have to go through the connection and reauthentication process. At present, when I am testing the SSL VPN from my laptop and I close the lid or disable my NIC and re-enable it, I must reauthenticate. This is the process I would like to automate. I would like users to be able to close the laptop or lose connection temporarily and still retain their session.

I'm a little confused about which setting will fix this.

The vpn-session-timeout seems to be an absolute: meaning, when the configured time has elapsed, the connection will end and the user will have to re-connect. Is this correct?

The vpn-idle-timeout seems to be associated with the user losing network connection but retaining their session and being able to re-connect automatically or seamlessly. Is this correct?

If the above statements are correct, and the vpn-idle-timeout is left at its default (30 minutes), I shouldn't be losing connection when I close my laptop for a couple of minutes. Is this correct?

Thanks, Pat.

Cisco Employee

Re: AnyConnect Session Timeout Question

What version of ASA are you currently running and also what version of AnyConnect are you using?

New Member

Re: AnyConnect Session Timeout Question

ASA version is: 8.3.1

AnyConnect version is: 3.0.5080-k9, and the same version for Mac and Linux

Thanks, Pat

New Member

Re: AnyConnect Session Timeout Question

Also, we changed the ASA settings Maximum connect and idle timeout to unlimited and SSL VPN client always-on VPN, but when I close my laptop I get the message:

"The VPN connection has been disconnected due to system suspending. The reconnect capability is disabled. A new connection is necessary, which requires re-authentication." Is this a client-side setting that this message is referring to, and where do I change it?

Cisco Employee

Re: AnyConnect Session Timeout Question

There are 2 auto reconnect types without authentication:

1) Changes of physical interface, whether changing ISP IP address, roaming from wifi to wired or vice versa, or roaming to another wifi network - the AnyConnect session by default will resume without any authentication.

2) From system suspect - by default AnyConnect will re-authenticate, unless you have the following configured under your AnyConnect profile:

Auto Reconnect --> Reconnect After Resume: if both settings are enabled.

Here is the doc for your reference:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1113790

Cisco Employee

Re: AnyConnect Session Timeout Question

And also, for the new changes in the AnyConnect profile to take effect, you would need to reconnect your AnyConnect session so the new policy is pushed to the client.

New Member

Re: AnyConnect Session Timeout Question

I think when I was testing the ASA changes weren't pushed to the client yet, or I hadn't restarted AnyConnect on the laptop. Regardless, it seems to be working now. I was connected via the DSL, unplugged my connection for a minute, reconnected the DSL and it automatically connected.

Thanks

Cisco Employee

Re: AnyConnect Session Timeout Question

Thanks for the update. Great to hear it's working now.

New Member

Re: AnyConnect Session Timeout Question

Jennifer,

Referring to your post with the 2 options:

With option 2, did you mean that "by default AnyConnect will re-authenticate, unless you don't have the following configured under your AnyConnect profile:"?

Unless the setting is counter-intuitive, I would think it would be the opposite of what you said.

Thanks, Pat

Cisco Employee

Re: AnyConnect Session Timeout Question

Man, I can't even type correctly that day.

it should read:

2) From system suspend - by default AnyConnect will re-authenticate, unless you have the following configured under your AnyConnect profile:

Auto Reconnect --> Reconnect After Resume: if both settings are enabled.

---> If you don't have "Auto Reconnect" and "Reconnect After Resume" enabled, AnyConnect will re-authenticate. With those 2 features enabled, it will resume automatically without having to re-authenticate.

I guess my statement was correct (apart from the typo)

New Member

Sir,

When the appliance disconnects you for the 30 minutes of inactivity, how long do you have to wait to reconnect again? Is there a value or config to configure that?

Regards!
