There are two settings I’d like to write about, and those are vpn-idle-timeout and vpn-session-timeout. You’ll tune both for remote access AnyConnect VPNs, but for site-to-site VPNs you only really tune the idle-timeout.
vpn-idle-timeout {minutes} = the amount of time the VPN connection sits idle (no activity seen on the tunnel) before it is disconnected
vpn-session-timeout {minutes} = the amount of time the VPN tunnel is allowed to stay up regardless of whether there is activity or not
Defaults:
vpn-idle-timeout = 30
vpn-session-timeout = none
Set both vpn-idle-timeout and vpn-session-timeout to none if you want the tunnel to always stay up. One thing to keep in mind is that, with the default idle timeout, a VPN tunnel will go down after 30 minutes of inactivity, and it won’t come back up until interesting traffic passes through it again.
To view a user’s AnyConnect VPN timeout:
tpa-asa-vpn-ra/pri/act# sh vpn-sessiondb detail anyconnect filter name KCordero

Session Type: AnyConnect Detailed

Username     : KCordero@cordero.me
Index        : 209
Assigned IP  : 172.16.200.123
Public IP    : 48.220.179.196
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 1093764567
Bytes Rx     : 303576927
Pkts Tx      : 1149723
Pkts Rx      : 1050545
Pkts Tx Drop : 603
Pkts Rx Drop : 0
Group Policy : GP_ITAdmins
Tunnel Group : Certificate
Login Time   : 09:21:35 EST Wed Feb 28 2018
Duration     : 8d 6h:12m:35s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : ac1ecfd1000d10005a96baef
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 209.1
  Public IP    : 48.220.179.196
  Encryption   : none
  Hashing      : none
  TCP Src Port : 49748
  TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes
  Idle TO Left : 0 Minutes
  Client OS    : win
  Client OS Ver: 10.0.15063
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 25816
  Bytes Rx     : 0
  Pkts Tx      : 18
  Pkts Rx      : 0
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 209.4
  Assigned IP  : 172.30.206.163
  Public IP    : 48.220.179.196
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 57712
  TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes
  Idle TO Left : 0 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 21801
  Bytes Rx     : 55988
  Pkts Tx      : 52
  Pkts Rx      : 65
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-DACL_IT-Carte-Blanche-56c3551e

DTLS-Tunnel:
  Tunnel ID    : 209.5
  Assigned IP  : 172.30.206.163
  Public IP    : 48.220.179.196
  Encryption   : AES128
  Hashing      : SHA1
  Ciphersuite  : AES128-SHA
  Encapsulation: DTLSv1.0
  UDP Src Port : 51104
  UDP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes
  Idle TO Left : 29 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 669348450
  Bytes Rx     : 207444727
  Pkts Tx      : 723314
  Pkts Rx      : 692245
  Pkts Tx Drop : 349
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-DACL_IT-Carte-Blanche-56c3551e
To view a site-to-site (LAN-to-LAN) VPN tunnel’s timeout:
tpa-asa-vpn-ra/pri/act#sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 48.220.179.196
Index        : 25292
IP Addr      : 48.220.179.196
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 517869639
Bytes Rx     : 3635925653
Login Time   : 07:43:25 EDT Fri Oct 4 2019
Duration     : 34d 6h:48m:23s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 25292.1
  UDP Src Port : 500
  UDP Dst Port : 500
  IKE Neg Mode : Main
  Auth Mode    : preSharedKeys
  Encryption   : AES256
  Hashing      : SHA1
  Rekey Int (T): 86400 Seconds
  Rekey Left(T): 61333 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 25292.2
  Local Addr   : 192.168.10.0/255.255.254.0/6/0
  Remote Addr  : 172.30.10.0/255.255.255.0/6/80
  Encryption   : AES256
  Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds
  Rekey Left(T): 28211 Seconds
  Rekey Int (D): 4608000 K-Bytes
  Rekey Left(D): 4587731 K-Bytes
  Idle Time Out: 30 Minutes
  Idle TO Left : 30 Minutes
  Bytes Tx     : 517869639
  Bytes Rx     : 3635925653
  Pkts Tx      : 174337783
  Pkts Rx      : 179996492
I just want to note that I love the detailed options of those commands. You get to see so much data about the VPN.
Now, where are these set? They live under the group-policy attributes:
group-policy GP_ITAdmins attributes
 vpn-idle-timeout 600
 vpn-session-timeout 2880
So above I’m setting the idle-timeout to 10 hours and the session-timeout to 48 hours.
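As an added example (not code from the original post), here is a small Python parser for the fields the show output above exposes, Duration and the per-tunnel Idle Time Out / Idle TO Left, which checks how long a session has left under a proposed group-policy vpn-session-timeout such as the 2880 minutes set above. The sample output is constructed, and the reading that traffic on any one tunnel keeps the whole session from counting as idle is an assumption.

```python
import re

# Constructed sample in the layout of "show vpn-sessiondb detail anyconnect";
# the values are made up for this example, not the page's real session.
SAMPLE = """\
Duration     : 8d 6h:12m:35s
AnyConnect-Parent:
  Tunnel ID    : 209.1
  Idle Time Out: 30 Minutes              Idle TO Left : 0 Minutes
SSL-Tunnel:
  Tunnel ID    : 209.4
  Idle Time Out: 30 Minutes              Idle TO Left : 0 Minutes
DTLS-Tunnel:
  Tunnel ID    : 209.5
  Idle Time Out: 30 Minutes              Idle TO Left : 29 Minutes
"""

DURATION_RE = re.compile(r"Duration\s*:\s*(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s")
TUNNEL_RE = re.compile(
    r"Tunnel ID\s*:\s*(\S+).*?Idle Time Out:\s*(\d+) Minutes\s*"
    r"Idle TO Left\s*:\s*(\d+) Minutes", re.S)


def duration_minutes(text):
    """Whole minutes the session has been up, parsed from the Duration field."""
    m = DURATION_RE.search(text)
    if not m:
        raise ValueError("no Duration field in output")
    days, hours, mins, _secs = (int(x or 0) for x in m.groups())
    return days * 1440 + hours * 60 + mins


def tunnel_idle(text):
    """Map tunnel ID -> (idle timeout, idle time left), both in minutes."""
    return {tid: (int(to), int(left)) for tid, to, left in TUNNEL_RE.findall(text)}


def session_status(text, session_timeout=None):
    """Compare a session against a vpn-session-timeout in minutes (None = no limit)."""
    up = duration_minutes(text)
    idle = tunnel_idle(text)
    # Assumption: traffic on any one tunnel (DTLS here) keeps the session from
    # counting as idle, so the largest remaining idle timer is the one that matters.
    idle_left = max(left for _to, left in idle.values())
    session_left = None if session_timeout is None else session_timeout - up
    return {"uptime_min": up, "idle_left_min": idle_left,
            "session_left_min": session_left,
            "would_be_cut": session_left is not None and session_left <= 0}
```

A negative session_left_min means the session has already outlived the proposed limit, which is what a multi-day AnyConnect session looks like once you move from the default of none to a fixed vpn-session-timeout.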