We have a new ASA 5510 configured for IPSEC remote VPN connections. Everything is working well except that telnet sessions to a business system at headquarters time out while idle. It appears that they time out after about 2 hours. Our idle timeout is set to 4 hours in the group policy for IPSEC users. I don't see any other idle timeout setting that could possibly apply to this issue. Anyone have any ideas on what could be causing this?
The idle timeout configured in the group-policy is for the tunnel as a whole, i.e. it will bring down the tunnel if there is no traffic for that amount of time.
If I understand your description correctly, the problem is not that the VPN tunnel goes down, but just a single TCP connection times out.
ASA will normally time out TCP connections after 1 hour, so 2 hours seems strange (unless you meant that the user works for 1 hour and then is idle for 1 hour - or unless you configured the TCP timeout to be 2hrs).
Can you do a telnet and then check "show conn long | inc x.x.x.x" where x.x.x.x is either your client (tunnel) address or the server address.
Check the syslogs, there should be a message giving a reason for the connection teardown (not at the time when the user tries to re-activate the session, but somewhere before).
The TCP timeout is set to 2 hours and you are correct, the tunnel stays up but the telnet session is unresponsive after it has been idle for the 2 hours. I will look at the logs the next time this occurs. Anyone else?
Sorry, I hadn't looked into the doc in detail. I think it says this because in the example, a separate policy named "telnet" is created and this is applied to the outside interface. This will indeed not work for traffic entering over a VPN tunnel.
For tunneled traffic, the global policy should be used, so something like this:
access-list telnet extended permit tcp any any eq telnet
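As an added example (not from the original thread or Cisco documentation), the rest of the global-policy approach: a class that matches the telnet ACL above, attached to the ASA's default global service policy so it also covers traffic decrypted from the VPN tunnel. The class-map name "telnet-class" and the 4:00:00 idle value are assumptions chosen to match the 4-hour group-policy timeout mentioned in the question.

```cisco
! Added example, not from the thread: raise the TCP idle timeout for telnet
! traffic only. The class name and the 4:00:00 value are assumptions.
access-list telnet extended permit tcp any any eq telnet
!
class-map telnet-class
 match access-list telnet
!
! global_policy is the default global service policy on the ASA
policy-map global_policy
 class telnet-class
  set connection timeout idle 4:00:00
!
! Normally already present; re-applying it is harmless
service-policy global_policy global
!
! Verify the class and its timeout are active, then re-check the
! connection with: show conn long | inc x.x.x.x
! show service-policy global
```

If a per-class policy is not needed, the default for all TCP connections can be raised instead with the global `timeout conn 4:00:00` command.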