Cisco Systems ASA5515K9, ASA 5500 Configuring VPN-Specific Attributes

67-42

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

Configuring VPN-Specific Attributes

Follow the steps in this section to set the VPN attribute values. The VPN attributes control the access

hours, the number of simultaneous logins allowed, the timeouts, the egress VLAN or ACL to apply to

VPN sessions, and the tunnel protocol:

Step1 Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy,

using the vpn-access-hours command in group-policy configuration mode.

hostname(config-group-policy)# vpn-access-hours value {time-range | none}

A group policy can inherit a time-range value from a default or specified group policy. To prevent this

inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword

sets VPN access hours to a null value, which allows no time-range policy.

The time-range variable is the name of a set of access hours defined in global configuration mode using

the time-range command. The following example shows how to associate the group policy named

FirstGroup with a time-range policy called 824:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-access-hours value 824

Step2 Specify the number of simultaneous logins allowed for any user, using the vpn-simultaneous-logins

command in group-policy configuration mode.

hostname(config-group-policy)# vpn-simultaneous-logins integer

The default value is 3. The range is an integer in the range 0 through 2147483647. A group policy can

inherit this value from another group policy. Enter 0 to disable login and prevent user access. The

following example shows how to allow a maximum of 4 simultaneous logins for the group policy named

FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-simultaneous-logins 4

hostname(config-group-policy)#

Note While the maximum limit for the number of simultaneous logins is very large, allowing several

simultaneous logins could compromise security and affect performance.

Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might

remain in the session database, even though a “new” session has been established with the same

username.

If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal

termination, then the stale session is removed from the database and the new session is established. If,

however, the existing session is still an active connection and the same user logs in again, perhaps from

another PC, the first session is logged off and removed from the database, and the new session is

established.

If the number of simultaneous logins is a value greater than 1, then, when you have reached that

maximum number and try to log in again, the session with the longest idle time is logged off. If all

current sessions have been idle an equally long time, then the oldest session is logged off. This action

frees up a session and allows the new login.

Step3 Configure the user timeout period by entering the vpn-idle-timeout command in group-policy

configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}