Cisco Systems ASA5515K9, ASA 5500

67-43

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

hostname(config-group-policy)#

AnyConnect (SSL IPsec/IKEv2): Use the global WebVPN default-idle-timeout value (seconds) from the

command: hostname(config-webvpn)# default-idle-timeout

The range for this value in the WebVPN default-idle-timeout command is 60-86400 seconds; the

default Global WebVPN Idle timeout in seconds -- default is 1800 seconds (30 min).

Note A non-zero idle timeout value is required by ASA for all AnyConnect connections.

For a WebVPN user, the default-idle-timeout value is enforced only if vpn-idle-timeout none is set in

the group policy/username attribute.

Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable timeout and allow for an unlimited idle

period.The following example shows how to set a VPN idle timeout of 15 minutes for the group policy

named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-idle-timeout 15

hostname(config-group-policy)#

Step4 Configure the the time at which an idle-timeout alert message is displayed to the user using the

vpn-idle-timeout alert-interval {minutes | none} command. This alert message tells users how

many minutes left they have until their VPN session is disconnected due to inactivity.

The following example shows how to set vpn-idle-timeout alert-interval so that users will be

notified 20 minutes before their VPN session is disconnected due to inactivity. You can specify a range

of 1-30 minutes.

hostname(config-webvpn)# vpn-idle-timeout alert-interval 20

The none parameter of the command indicates that users will not receive an alert.

The no form of the command: no vpn-idle-timeout alert-interval

indicates that the VPN idle timeout alert-interval attribute will be inherited from the Default Group

Policy.

Step5 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command

in group-policy configuration mode or in username configuration mode.

hostname(config-group-policy)# vpn-session-timeout {minutes | none}

hostname(config-group-policy)#

The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value.

At the end of this period of time, the ASA terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the

none keyword instead of specifying a number of minutes with this command. Specifying the none

keyword permits an unlimited session timeout period and sets session timeout with a null value, which

disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy

named FirstGroup:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-session-timeout 180

hostname(config-group-policy)#

Step6 Configure the the time at which a session-timeout alert message is displayed to the user using the

vpn-session-timeout alert-interval {minutes | none} command. This alert message tells users how

many minutes left they have until their VPN session is automatically disconnected.