Idle Time Out

dianewalker
Level 1

The Cisco VPN client is disconnected after 4 hours of inactivity. Is there a setting on the ASA that would time out after 4 hours? I want to disable this setting. I am running IOS 8.2(4).

Thanks.

Diane 

3 Replies

Patrick0711
Level 3

The Cisco ASA firewalls have a default 30-minute vpn-idle-timeout value configured in the default group policy.

Other than that, the Phase1 and Phase 2 security associations will be deleted after the configured SA lifetime value expires.

I'm curious to know why you'd like the tunnel to remain active even if traffic is not traversing it.  As soon as traffic is generated, the IKE negotiation will begin and the tunnel will be established. 

The only way to prevent the tunnel from tearing itself down after the lifetime value is reached would be to periodically send traffic across it to force it to rekey, as opposed to deleting the SA and remaining down until further interesting traffic brings it back up. Static session-keys are (thankfully) no longer supported in ASA 7.x+ code versions.

The users are running the batch job on the Mainframe.  They do not want the idle-timeout.

Is there a way to find out why the Cisco VPN client was disconnected?  Thanks.

Diane

Sure, if you had VPN class logging enabled then it should be pretty easy to determine by looking at the logs. If not, you should consider enabling the VPN-specific logging class.

If you want to globally disable the idle-timeout then you need to enter the following command under the default group policy:

vpn-idle-timeout none

Unless another group policy already had a vpn-idle-timeout set, this value will be inherited by all tunnel groups. 
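
The inheritance described in the last reply, as an added example that is not part of the original thread and not Cisco's code: this Python script reads the `group-policy` blocks of a saved ASA configuration and reports which policies end up with no idle timeout once `vpn-idle-timeout none` is set on the default group policy. The sample configuration and its policy names are constructed, and the script assumes that a policy with no explicit value inherits from DfltGrpPolicy, which falls back to the 30-minute default mentioned above.

```python
import re

DEFAULT_POLICY = "DfltGrpPolicy"
BUILTIN_IDLE_MINUTES = "30"  # default value stated in the thread

# Constructed sample (not from the thread); policy names are hypothetical.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
group-policy BATCH-USERS internal
group-policy BATCH-USERS attributes
 vpn-tunnel-protocol IPSec
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-idle-timeout 15
"""

def parse_idle_timeouts(config):
    """Map every group policy to its explicit vpn-idle-timeout, or None."""
    explicit, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) (attributes|internal|external)\b", line)
        if header:
            explicit.setdefault(header.group(1), None)
            current = header.group(1) if header.group(2) == "attributes" else None
        elif not line.startswith(" "):
            current = None  # left the group-policy attributes sub-mode
        elif current:
            setting = re.match(r"\s+vpn-idle-timeout (none|\d+)\s*$", line)
            if setting:
                explicit[current] = setting.group(1)
    return explicit

def effective_idle_timeouts(config):
    """Resolve each policy to (value, source); value is minutes or 'none'."""
    explicit = parse_idle_timeouts(config)
    default = explicit.get(DEFAULT_POLICY) or BUILTIN_IDLE_MINUTES
    result = {DEFAULT_POLICY: (default, "default group policy")}
    for name, value in explicit.items():
        if name != DEFAULT_POLICY:
            result[name] = (value, "explicit") if value else (default, "inherited")
    return result

def policies_without_idle_timeout(config):
    """Names of policies whose sessions are never dropped for inactivity."""
    return sorted(n for n, (v, _) in effective_idle_timeouts(config).items() if v == "none")

if __name__ == "__main__":
    print(policies_without_idle_timeout(SAMPLE_CONFIG))
```

Run against the sample, the script shows that the hypothetical BATCH-USERS policy loses its idle timeout through inheritance while CONTRACTORS keeps its explicit 15 minutes, which is the scope of change to review before applying the command globally.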
