VPN Timeout Issue

macgyver0099_1
Level 1

Hi,

 

Currently our network allows unlimited VPN timeout duration, meaning, once a user logs on to our network via vpn, that user remains on until s/he logs out of the system manually.  We attempted to limit this by adding a timeout value on the firewall (where our vpn logins have been assigned) for our anyconnect sessions to six hours, as can be seen from the command output below, to no avail.  My question, therefore, is how do we force vpn sessions to disconnect after six hours of idle time?

 

config t
group-policy Any.Connect.Policy attributes
vpn-idle-timeout 360

8 Replies

This is the command you need 

 

group-policy DfltGrpPolicy attributes
vpn-idle-timeout 1440

 

 

please do not forget to rate.

Thank you very much.  Many apologies for the potential lack of foresight, but should that timeout value be 360 to equal six hours or is the 1440 a required arbitrary value of some sort necessary to make the idle disconnect process work?

Hi, you can set the idle time value according to your needs. I just put a random number.

 

please do not forget to rate.

Hi,

 

We configured that parameter and tested over the weekend still to no avail.  I know I'm missing something, but I'm not sure what.

 

Here's what we now have:

 

group-policy cc-VPN-u$r internal
group-policy cc-VPN-u$r attributes
 vpn-idle-timeout 30
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 360
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 address-pools value vpn_pool
 webvpn
  anyconnect ssl dtls none
  anyconnect ask none default webvpn
group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
 dns-server value x.x.x.x x.x.x.x
 vpn-idle-timeout 360
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
 default-domain value <>
 split-dns value <>
 address-pools value vpn_pool
dynamic-access-policy-record DfltAccessPolicy

What ASA software version are you using? And what AnyConnect version are you using?

please do not forget to rate.

ASA5545

asa983-16-smp-k8.bin

anyconnect-win-4.6.00362-webdeploy-k9.pkg

 

could you try this

 

group-policy cc-VPN-u$r attributes
 vpn-idle-timeout 30
 vpn-session-timeout XX   (means the user will be disconnected after XX hours)
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 360
 vpn-session-timeout XX
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 address-pools value vpn_pool
 webvpn
  anyconnect ssl dtls none
  anyconnect ask none default webvpn
group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
 dns-server value x.x.x.x x.x.x.x
 vpn-idle-timeout 360
 vpn-session-timeout XX
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ClientVPN
 default-domain value <>
 split-dns value <>
 address-pools value vpn_pool
dynamic-access-policy-record DfltAccessPolicy

please do not forget to rate.

That was it.  Thank you very much!
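
An added example, not part of the thread and not Cisco tooling: a Python audit over a saved configuration that resolves each group policy's vpn-idle-timeout and vpn-session-timeout and flags policies with no session limit, which is the gap the accepted reply closed. It assumes attributes a policy does not set are inherited from DfltGrpPolicy; the sample config is constructed from the thread's listing and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's pre-fix group policies, trimmed.
SAMPLE_CONFIG = """\
group-policy cc-VPN-u$r internal
group-policy cc-VPN-u$r attributes
 vpn-idle-timeout 30
 ipsec-udp enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 360
 webvpn
  anyconnect ssl dtls none
group-policy Any.Connect.Policy internal
group-policy Any.Connect.Policy attributes
 vpn-idle-timeout 360
dynamic-access-policy-record DfltAccessPolicy
"""

TIMEOUTS = ("vpn-idle-timeout", "vpn-session-timeout")
HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")

def parse_group_policies(config):
    """Return {policy: {timeout_command: value}} for each 'attributes' block."""
    policies, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue                  # pasted configs often carry blank lines
        m = HEADER.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None            # any other top-level command ends the block
        elif current is not None:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in TIMEOUTS:
                current[parts[0]] = parts[1]
    return policies

def audit_timeouts(config, default="DfltGrpPolicy"):
    """Resolve each timeout (own value, else inherited) and flag unbounded sessions."""
    # Assumption: unset attributes fall back to the default group policy.
    policies = parse_group_policies(config)
    inherited = policies.get(default, {})
    report = {}
    for name, attrs in policies.items():
        eff = {k: attrs.get(k, inherited.get(k)) for k in TIMEOUTS}
        eff["unbounded"] = eff["vpn-session-timeout"] in (None, "none")
        report[name] = eff
    return report
```

Calling `audit_timeouts(SAMPLE_CONFIG)` marks all three policies as unbounded; once a `vpn-session-timeout` line is present in a policy or in DfltGrpPolicy, the flag clears for every policy that resolves to it.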