Cisco Support Community

New Member

Telnet timeouts

We have a new ASA 5510 configured for IPSEC remote VPN connections. Everything is working well except that telnet sessions to a business system at headquarters time out while idle. It appears that they time out after about 2 hours. Our idle timeout is set to 4 hours in the group policy for IPSEC users. I don't see any other idle timeout setting that could possibly apply to this issue. Anyone have any ideas on what could be causing this?

5 REPLIES
Cisco Employee

Re: Telnet timeouts

The idle timeout configured in the group-policy is for the tunnel as a whole, i.e. it will bring down the tunnel if there is no traffic for that amount of time.

If I understand your description correctly, the problem is not that the VPN tunnel goes down, but just a single TCP connection times out.

ASA will normally time out a TCP connection after 1 hour, so 2 hours seems strange (unless you meant that the user works for 1 hour and then is idle for 1 hour - or unless you configured the TCP timeout to be 2hrs).

Can you do a telnet and then check "show conn long | inc x.x.x.x" where x.x.x.x is either your client (tunnel) address or the server address?

And/or

Check the syslogs, there should be a message giving a reason for the connection teardown (not at the time when the user tries to reactivate the session, but somewhere before).

hth

Herbert

New Member

Re: Telnet timeouts

Herbert,

The TCP timeout is set to 2 hours and you are correct, the tunnel stays up but the telnet session is unresponsive after it has been idle for the 2 hours. I will look at the logs the next time this occurs. Anyone else?

Cisco Employee

Re: Telnet timeouts

Well, if the TCP timeout is set to 2 hours, then that means that the ASA will time out a TCP connection that is idle for 2 hours, so this is normal behavior.

Check this for a solution:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080624e19.shtml

hth

Herbert

New Member

Re: Telnet timeouts

Herbert,

In your suggested solution in the intro, it states that "This feature is not applicable in an IPsec VPN environment."

Cisco Employee

Re: Telnet timeouts

Sorry, I hadn't looked into the doc in detail. I think it says this because in the example, a separate policy named "telnet" is created and this is applied to the outside interface. This will indeed not work for traffic entering over a VPN tunnel.

For tunneled traffic, the global policy should be used, so something like this:

    access-list telnet extended permit tcp any any eq telnet
    class-map telnet
     description telnet
     match access-list telnet
    policy-map global_policy
     class telnet
      set connection timeout tcp 10:00:00 reset
    service-policy global_policy global
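The syslog check suggested earlier in the thread can be scripted. The following is an added example, not part of any reply above: it scans ASA TCP teardown messages (syslog 302014) for telnet connections that the firewall itself closed with reason Conn-timeout. The log lines, addresses and connection ids are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the ASA 302013/302014 syslog format (made-up ids and addresses).
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 4101 for outside:10.99.1.20/51514 to inside:192.168.10.5/23 duration 2:00:03 bytes 18344 Conn-timeout
%ASA-6-302014: Teardown TCP connection 4102 for outside:10.99.1.21/51720 to inside:192.168.10.5/23 duration 0:12:41 bytes 9912 TCP FINs
%ASA-6-302014: Teardown TCP connection 4107 for outside:10.99.1.20/51602 to inside:192.168.10.9/443 duration 2:00:01 bytes 733 Conn-timeout
%ASA-6-302013: Built inbound TCP connection 4110 for outside:10.99.1.22/52001 (10.99.1.22/52001) to inside:192.168.10.5/23 (192.168.10.5/23)
"""

# 302014 = TCP teardown; the trailing field is the reason the ASA closed the flow.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def to_seconds(hms):
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def idle_teardowns(log_text, port=23):
    """Return teardowns on `port` that the ASA closed for idleness (Conn-timeout)."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        # The service port can be on either side of the message, so check both.
        if m is None or port not in (int(m["sport"]), int(m["dport"])):
            continue
        if m["reason"].startswith("Conn-timeout"):
            hits.append({
                "conn_id": int(m["id"]),
                "src": m["src"],
                "dst": m["dst"],
                # Total lifetime of the connection, not the idle time alone.
                "lifetime_s": to_seconds(m["dur"]),
            })
    return hits


if __name__ == "__main__":
    for hit in idle_teardowns(SAMPLE_LOG):
        print(hit)
```

A Conn-timeout teardown on port 23 confirms that the ASA, rather than the client or the server, dropped the idle session.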
