Telnet timeouts

thomas.green
Level 1

We have a new ASA 5510 configured for IPSEC remote VPN connections. Everything is working well except that telnet sessions to a business system at headquarters time out while idle. It appears that they time out after about 2 hours. Our idle timeout is set to 4 hours in the group policy for IPSEC users. I don't see any other idle timeout setting that could possibly apply to this issue. Anyone have any ideas on what could be causing this?

5 Replies

Herbert Baerten
Cisco Employee

The idle timeout configured in the group-policy is for the tunnel as a whole, i.e. it will bring down the tunnel if there is no traffic for that amount of time.

If I understand your description correctly, the problem is not that the VPN tunnel goes down, but just that a single TCP connection times out.

The ASA will normally time out a TCP connection after 1 hour, so 2 hours seems strange (unless you meant that the user works for 1 hour and then is idle for 1 hour - or unless you configured the TCP timeout to be 2 hrs).

Can you do a telnet and then check "show conn long | inc x.x.x.x" where x.x.x.x is either your client (tunnel) address or the server address.

And/or

Check the syslogs; there should be a message giving a reason for the connection teardown (not at the time when the user tries to re-activate the session, but somewhere before).

hth

Herbert

Herbert,

The TCP timeout is set to 2 hours and you are correct, the tunnel stays up but the telnet session is unresponsive after it has been idle for the 2 hours. I will look at the logs the next time this occurs. Anyone else?

Well, if the TCP timeout is set to 2 hours, then that means that the ASA will time out a TCP connection that is idle for 2 hours, so this is normal behavior.

Check this for a solution:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

hth

Herbert

Herbert,

In your suggested solution in the intro, it states that "This feature is not applicable in an IPsec VPN environment."

Sorry, I hadn't looked into the doc in detail. I think it says this because in the example, a separate policy named "telnet" is created and this is applied to the outside interface. This will indeed not work for traffic entering over a VPN tunnel.

For tunneled traffic, the global policy should be used, so something like this:

access-list telnet extended permit tcp any any eq telnet
class-map telnet
 description telnet
 match access-list telnet
policy-map global_policy
 class telnet
  set connection timeout tcp 10:00:00 reset
service-policy global_policy global
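As an added example (not code from the thread or from Cisco), a small Python checker for the point made above: it parses a constructed ASA config in the same shape and reports whether the telnet class is bound through the global service policy, which is what makes its idle timeout apply to VPN-tunneled traffic. The config text, the second policy-map name and the interface name are constructed for illustration.

```python
"""Added example (not from the thread or from Cisco): checks whether an ASA MPF telnet
idle-timeout override applies to VPN-tunneled traffic (only the globally bound policy-map does)."""
import re
from typing import Dict, Optional

# Constructed config mirroring the thread's working snippet.
TUNNEL_OK_CONFIG = """\
access-list telnet extended permit tcp any any eq telnet
class-map telnet
 match access-list telnet
policy-map global_policy
 class telnet
  set connection timeout tcp 10:00:00 reset
service-policy global_policy global
"""
# Constructed variant of the linked doc's approach: same class, bound only to an interface.
INTERFACE_ONLY_CONFIG = TUNNEL_OK_CONFIG.replace(
    "policy-map global_policy", "policy-map telnet_policy").replace(
    "service-policy global_policy global", "service-policy telnet_policy interface outside")

def hms_to_seconds(hms: str) -> int:
    """'10:00:00' -> 36000"""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_policy_maps(config: str) -> Dict[str, Dict[str, Optional[int]]]:
    """{policy_map: {class_name: tcp idle timeout in seconds, or None if not set}}"""
    policies: Dict[str, Dict[str, Optional[int]]] = {}
    pm = cls = None
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"policy-map (\S+)$", text):
            pm, cls = m.group(1), None
            policies[pm] = {}
        elif pm and (m := re.match(r"class (\S+)$", text)):
            cls = m.group(1)
            policies[pm][cls] = None
        elif cls and (m := re.match(r"set connection timeout tcp (\d+:\d\d:\d\d)", text)):
            policies[pm][cls] = hms_to_seconds(m.group(1))
        elif not line.startswith(" "):  # any other top-level command ends the policy-map
            pm = cls = None
    return policies

def tunnel_tcp_timeout(config: str, class_name: str = "telnet") -> Optional[int]:
    """Idle timeout (seconds) the class gets for tunneled traffic, or None if it won't apply."""
    bindings = dict(re.findall(r"^service-policy (\S+) (global|interface \S+)$", config, re.M))
    for pm, classes in parse_policy_maps(config).items():
        if bindings.get(pm) == "global" and class_name in classes:
            return classes[class_name]
    return None
```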
