Cisco ASA VPN Timeouts

There are two settings I’d like to write about, and those are vpn-idle-timeout and vpn-session-timeout. You’ll change both for remote-access AnyConnect VPNs, but for site-to-site VPNs you only really tune the idle-timeout.

vpn-idle-timeout {minutes} = the amount of time the VPN connection sits idle (no activity seen on the tunnel) before it is disconnected
vpn-session-timeout {minutes} = the amount of time the VPN tunnel is allowed to stay up regardless of whether there is activity or not

Defaults:
vpn-idle-timeout = 30
vpn-session-timeout = none

Set vpn-idle-timeout and vpn-session-timeout to none if you want the tunnel to always stay up. One thing to keep in mind is that with the default idle-timeout a VPN tunnel will go down after 30 minutes of inactivity, and it won’t come back up until interesting traffic passes through it.

To view a user's AnyConnect VPN timeout:

tpa-asa-vpn-ra/pri/act# sh vpn-sessiondb detail anyconnect filter name KCordero

Session Type: AnyConnect Detailed

Username     : KCordero@cordero.me  Index        : 209
Assigned IP  : 172.16.200.123         Public IP    : 48.220.179.196
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 1093764567             Bytes Rx     : 303576927
Pkts Tx      : 1149723                Pkts Rx      : 1050545
Pkts Tx Drop : 603                    Pkts Rx Drop : 0
Group Policy : GP_ITAdmins              Tunnel Group : Certificate
Login Time   : 09:21:35 EST Wed Feb 28 2018
Duration     : 8d 6h:12m:35s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac1ecfd1000d10005a96baef
Security Grp : none                   

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 209.1
  Public IP    : 48.220.179.196
  Encryption   : none                   Hashing      : none                   
  TCP Src Port : 49748                  TCP Dst Port : 443                    
  Auth Mode    : Certificate            
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes              
  Client OS    : win                    
  Client OS Ver: 10.0.15063             
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 25816                  Bytes Rx     : 0                      
  Pkts Tx      : 18                     Pkts Rx      : 0                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  
SSL-Tunnel:
  Tunnel ID    : 209.4
  Assigned IP  : 172.30.206.163         Public IP    : 48.220.179.196
  Encryption   : AES-GCM-256            Hashing      : SHA384                 
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384                       
  Encapsulation: TLSv1.2                TCP Src Port : 57712                  
  TCP Dst Port : 443                    Auth Mode    : Certificate            
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes              
  Client OS    : Windows                
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 21801                  Bytes Rx     : 55988                  
  Pkts Tx      : 52                     Pkts Rx      : 65                     
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : #ACSACL#-IP-DACL_IT-Carte-Blanche-56c3551e
  
DTLS-Tunnel:
  Tunnel ID    : 209.5
  Assigned IP  : 172.30.206.163         Public IP    : 48.220.179.196
  Encryption   : AES128                 Hashing      : SHA1                   
  Ciphersuite  : AES128-SHA                                        
  Encapsulation: DTLSv1.0               UDP Src Port : 51104                  
  UDP Dst Port : 443                    Auth Mode    : Certificate            
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes             
  Client OS    : Windows                
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.4.03034
  Bytes Tx     : 669348450              Bytes Rx     : 207444727              
  Pkts Tx      : 723314                 Pkts Rx      : 692245                 
  Pkts Tx Drop : 349                    Pkts Rx Drop : 0                      
  Filter Name  : #ACSACL#-IP-DACL_IT-Carte-Blanche-56c3551e

To view a site-to-site (LAN-to-LAN) VPN tunnel's timeout:

tpa-asa-vpn-ra/pri/act# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 48.220.179.196
Index        : 25292
IP Addr      : 48.220.179.196
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 517869639
Bytes Rx     : 3635925653
Login Time   : 07:43:25 EDT Fri Oct 4 2019
Duration     : 34d 6h:48m:23s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 25292.1
  UDP Src Port : 500
  UDP Dst Port : 500
  IKE Neg Mode : Main
  Auth Mode    : preSharedKeys
  Encryption   : AES256
  Hashing      : SHA1
  Rekey Int (T): 86400 Seconds
  Rekey Left(T): 61333 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 25292.2
  Local Addr   : 192.168.10.0/255.255.254.0/6/0
  Remote Addr  : 172.30.10.0/255.255.255.0/6/80
  Encryption   : AES256
  Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds
  Rekey Left(T): 28211 Seconds
  Rekey Int (D): 4608000 K-Bytes
  Rekey Left(D): 4587731 K-Bytes
  Idle Time Out: 30 Minutes
  Idle TO Left : 30 Minutes
  Bytes Tx     : 517869639
  Bytes Rx     : 3635925653
  Pkts Tx      : 174337783
  Pkts Rx      : 179996492

I just want to note that I love the detailed options of those commands. You get to see so much data about the VPN.

Now, where are these set? You'll find them under the group-policy attributes.

group-policy GP_ITAdmins attributes
 vpn-idle-timeout 600
 vpn-session-timeout 2880

So above I’m setting the idle-timeout to 10 hours and session-timeout to 48 hours.
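If you need to check these timers across many sessions rather than eyeballing one, here is an added example in Python (my own code, not from this post or from Cisco) that parses the key/value layout of the show vpn-sessiondb detail output shown above, in both its AnyConnect and LAN-to-LAN forms, and compares a session's Duration against the vpn-session-timeout from the group-policy. The embedded sample is constructed from the AnyConnect output above, trimmed and with the Duration altered.

```python
import re
# Constructed sample modelled on the "show vpn-sessiondb detail anyconnect" output above (trimmed, Duration altered).
SAMPLE = """\
Username     : KCordero@cordero.me  Index        : 209
Duration     : 1d 6h:12m:35s
Inactivity   : 0h:00m:00s
SSL-Tunnel:
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
DTLS-Tunnel:
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
"""

# "Key : value" pairs: a value runs until two+ spaces followed by the next key, or end of line.
FIELD = re.compile(r"(\w[\w /()-]*?)\s*:\s+(.*?)(?=\s{2,}\w[\w /()-]*?\s*:|$)")
HEADER = re.compile(r"^(\S.*):$")  # e.g. "SSL-Tunnel:" or "IPsec:" opens a per-tunnel block
DURATION = re.compile(r"(?:(\d+)d )?(\d+)h:(\d+)m:(\d+)s")


def parse_sessiondb(text):
    """Return {'session': {...}, 'tunnels': {name: {...}}} from the detail output."""
    session, tunnels, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        target = session if current is None else current
        for key, val in FIELD.findall(line):
            target[key.strip()] = val.strip()
    return {"session": session, "tunnels": tunnels}


def to_minutes(value):
    """'30 Minutes' -> 30; '1d 6h:12m:35s' -> 1812 (seconds dropped)."""
    m = DURATION.match(value)
    if not m:
        return int(value.split()[0])
    d, h, mins, _s = m.groups()
    return int(d or 0) * 1440 + int(h) * 60 + int(mins)


def timeout_report(text, session_timeout=None):
    """Uptime, minutes left before vpn-session-timeout (None = no limit) and idle minutes left per tunnel."""
    r = parse_sessiondb(text)
    up = to_minutes(r["session"]["Duration"])
    idle = {n: to_minutes(t["Idle TO Left"]) for n, t in r["tunnels"].items() if "Idle TO Left" in t}
    return {"uptime_min": up, "inactive_min": to_minutes(r["session"]["Inactivity"]),
            "session_left_min": None if session_timeout is None else session_timeout - up,
            "idle_left_min": idle}
```

With the group-policy above (vpn-session-timeout 2880) the sample session has 1068 minutes left; a negative value means the session is already older than the limit you passed in.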
