Cisco Support Community
Community Member

unlimited idle timeout, but idle timeout session is 30 minutes

Hi all,

I am connecting with the AnyConnect client to an ASA5510 (8.2.1(11)).

In the group policy I have idle timeout = unlimited, but if I check the session in ASDM and on the command line I find idle timeout = 30 minutes.

If I insert idle timeout = 60 in the policy, in the session I see idle timeout = 60 min.

Is there only a problem in the visualization of the session?


Accepted Solutions
Cisco Employee

Re: unlimited idle timeout, but idle timeout session is 30 minut

Setting the "vpn-idle-timeout none" command from the group-policy is a misunderstood command. When it is set in the group-policy it does not disable the idle-timeout. In the past I filed a bug to clarify what this setting does (see CSCsm15079) to clarify the misunderstanding. In newer versions of code with the bug fix, the command sensitive help now properly explains it:

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout

When it is set to none, and you are using SSL VPN, it means it will inherit the default-idle-timeout that is set under the webvpn config. The default for this command is 30 minutes, so that's probably why ASDM is displaying 30 minutes. If you would like to adjust this value, it can be changed with:

conf t
webvpn
  default-idle-timeout


If you would like an "unlimited" idle time, you should set the vpn-idle-timeout in the group-policy to a specific number instead of "none" -- the maximum you can set with the vpn-idle-timeout command is 35791394 minutes (something like ~24000 days or essentially unlimited).

Please rate this post and mark it as resolved if it has addressed the issue.
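
An added example, not part of the original answer and not Cisco code: a short Python audit that reads a running-config and reports the effective idle timeout per group policy under the rule described above (for SSL VPN, `none` falls back to the webvpn `default-idle-timeout`). The sample config and policy names are constructed, and the script assumes `default-idle-timeout` is expressed in seconds with 1800 as the unset default, matching the 30 minutes mentioned in the answer; it only evaluates policies that set `vpn-idle-timeout` explicitly.

```python
import re

# Assumptions (not from the thread): webvpn default-idle-timeout is given in
# seconds, and when it is absent the default is 1800 s (the "30 minutes" above).
DEFAULT_WEBVPN_IDLE_SECONDS = 1800

# Constructed sample running-config excerpt; policy names are hypothetical.
SAMPLE_CONFIG = """\
webvpn
 default-idle-timeout 3600
group-policy GP_SSL attributes
 vpn-idle-timeout none
group-policy GP_LONG attributes
 vpn-idle-timeout 35791394
group-policy GP_UNSET attributes
 webvpn
  svc keep-installer installed
"""

def effective_idle_timeouts(running_config):
    """Map policy -> {"ipsec": minutes or None (unlimited), "ssl": minutes}."""
    webvpn_idle = DEFAULT_WEBVPN_IDLE_SECONDS
    configured = {}   # policy name -> "none" or a number of minutes (as text)
    section = ""      # most recent unindented (top-level) config line
    for line in running_config.splitlines():
        words = line.split()
        if not words:
            continue
        depth = len(line) - len(line.lstrip(" "))
        if depth == 0:
            section = " ".join(words)
        elif depth == 1 and len(words) == 2:
            policy = re.fullmatch(r"group-policy (\S+) attributes", section)
            if section == "webvpn" and words[0] == "default-idle-timeout":
                webvpn_idle = int(words[1])
            elif policy and words[0] == "vpn-idle-timeout":
                configured[policy.group(1)] = words[1]
    result = {}
    for name, value in configured.items():
        if value == "none":
            # IPsec: no idle timeout. SSL VPN: falls back to the webvpn default.
            result[name] = {"ipsec": None, "ssl": webvpn_idle / 60}
        else:
            result[name] = {"ipsec": int(value), "ssl": int(value)}
    return result

if __name__ == "__main__":
    for name, minutes in effective_idle_timeouts(SAMPLE_CONFIG).items():
        print(name, minutes)
```

A policy that reports `"ipsec": None` together with a finite `"ssl"` value is the case the original poster ran into.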

Community Member

Re: unlimited idle timeout, but idle timeout session is 30 minut

Thank you for your explanation.

The bug is not really solved, even if in the schedule of the bug toolkit I find it is fixed in version 8.2(1); I am using 8.2(1)11.

It is solved for IPsec, not for SSL VPN.

Cisco Employee

Re: unlimited idle timeout, but idle timeout session is 30 minut

The bug is for clarification only; the fix for the bug does not change the behavior/functionality of the vpn-idle-timeout for IPsec nor for SSL.

The bug's intention was to document what the expected behavior should be in the command line, as prior to the bug fix the explanation was not correct. Here's what the bug fix did:

In the versions of code without the bug fix the command sensitive help incorrectly stated:

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          Disable timeout and allow an unlimited idle period

In the versions of the code with the bug fix the command sensitive help correctly states the expected behavior (If you are not seeing this in your 8.2.1.11 code let me know):

ASA(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>  Number of minutes
  none          IPsec VPN: Disable timeout and allow an unlimited idle period;
                SSL VPN: Use value of default-idle-timeout


-heather
