Cisco Support Community

New Member

Idle Time Out

The Cisco VPN client is disconnected after 4 hours of inactivity.  Is there a setting on the ASA that would timeout after 4 hours?  I want to disable this setting.  I am running IOS 8.2(4).




Re: Idle Time Out

The Cisco ASA firewalls have a default 30 minute vpn-idle-timeout value configured in the default group policy. 

Other than that, the Phase 1 and Phase 2 security associations will be deleted after the configured SA lifetime value expires.

I'm curious to know why you'd like the tunnel to remain active even if traffic is not traversing it.  As soon as traffic is generated, the IKE negotiation will begin and the tunnel will be established. 

The only way to prevent the tunnel from tearing itself down after the lifetime value is reached would be to periodically send traffic across it to force it to rekey, as opposed to deleting the SA and remaining down until further interesting traffic brings it back up.  Static session-keys are (thankfully) no longer supported in ASA 7.x+ code versions.

New Member

Re: Idle Time Out

The users are running the batch job on the Mainframe.  They do not want the idle-timeout.

Is there a way to find out why the Cisco VPN client was disconnected?  Thanks.



Re: Idle Time Out

Sure, if you had VPN class logging enabled then it should be pretty easy to determine by looking at the logs.  If not, you should consider enabling the VPN specific logging class.

If you want to globally disable the idle-timeout then you need to enter the following command under the default group policy:

vpn-idle-timeout none

Unless another group policy already had a vpn-idle-timeout set, this value will be inherited by all tunnel groups. 
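
The question of why a client was disconnected can be answered from the session-disconnect syslog lines once logging is enabled. The sketch below is an added example, not part of any post in this thread: it assumes the line layout of ASA syslog message 113019, runs over constructed sample lines, and uses hypothetical function names.

```python
import re
from collections import Counter

# Assumed layout of ASA syslog 113019 (session disconnected).
# Check it against the device's own output before relying on it.
DISCONNECT = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]*), Session disconnected\. Session Type: (?P<type>[^,]*), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, .*Reason: (?P<reason>.+?)\s*$"
)

# Constructed sample lines (documentation IP range, made-up users and group).
SAMPLE_LOG = """\
Dec 01 2017 02:10:44: %ASA-4-113019: Group = BATCH-VPN, Username = opsuser1, IP = 192.0.2.10, Session disconnected. Session Type: IPsec, Duration: 4h:00m:12s, Bytes xmt: 48211, Bytes rcv: 90317, Reason: Idle Timeout
Dec 01 2017 02:11:02: %ASA-6-302013: Built outbound TCP connection (constructed, unrelated line)
Dec 01 2017 08:00:03: %ASA-4-113019: Group = BATCH-VPN, Username = opsuser2, IP = 192.0.2.11, Session disconnected. Session Type: IPsec, Duration: 8h:00m:00s, Bytes xmt: 991, Bytes rcv: 1204, Reason: Max time exceeded
Dec 01 2017 09:15:30: %ASA-4-113019: Group = BATCH-VPN, Username = opsuser1, IP = 192.0.2.10, Session disconnected. Session Type: IPsec, Duration: 0h:12m:41s, Bytes xmt: 5120, Bytes rcv: 7340, Reason: User Requested
"""


def parse_disconnects(text):
    """Return one dict per session-disconnect line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append({"user": m["user"], "group": m["group"], "ip": m["ip"],
                       "type": m["type"], "reason": m["reason"], "seconds": seconds})
    return events


def idle_timeouts(events):
    """Sessions the ASA itself closed for inactivity (vpn-idle-timeout)."""
    return [e for e in events if e["reason"].lower() == "idle timeout"]


def reasons_by_count(events):
    """Tally of disconnect reasons, to separate idle timeouts from other causes."""
    return Counter(e["reason"] for e in events)


if __name__ == "__main__":
    for e in idle_timeouts(parse_disconnects(SAMPLE_LOG)):
        print(f'{e["user"]} ({e["ip"]}) idle-timed out after {e["seconds"]}s')
```

A reason of "Idle Timeout" points at the group policy's vpn-idle-timeout; other reasons point elsewhere, such as a session limit or the client itself.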
