Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
hostname(config-group-policy)#
AnyConnect (SSL IPsec/IKEv2): Use the global WebVPN default-idle-timeout value (seconds) from the
command: hostname(config-webvpn)# default-idle-timeout
The range for this value in the WebVPN default-idle-timeout command is 60-86400 seconds; the
default global WebVPN idle timeout is 1800 seconds (30 min).
Note A non-zero idle timeout value is required by ASA for all AnyConnect connections.
For a WebVPN user, the default-idle-timeout value is enforced only if vpn-idle-timeout none is set in
the group policy/username attribute.
Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable timeout and allow for an unlimited idle
period.
The following example shows how to set a VPN idle timeout of 15 minutes for the group policy
named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15
hostname(config-group-policy)#
Step 4 Configure the time at which an idle-timeout alert message is displayed to the user using the
vpn-idle-timeout alert-interval {minutes | none} command. This alert message tells users how
many minutes they have left until their VPN session is disconnected due to inactivity.
The following example shows how to set vpn-idle-timeout alert-interval so that users will be
notified 20 minutes before their VPN session is disconnected due to inactivity. You can specify a range
of 1-30 minutes.
hostname(config-webvpn)# vpn-idle-timeout alert-interval 20
The none parameter of the command indicates that users will not receive an alert.
The no form of the command, no vpn-idle-timeout alert-interval, indicates that the VPN idle
timeout alert-interval attribute will be inherited from the Default Group Policy.
Step 5 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command
in group-policy configuration mode or in username configuration mode.
hostname(config-group-policy)# vpn-session-timeout {minutes | none}
hostname(config-group-policy)#
The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value.
At the end of this period of time, the ASA terminates the connection.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the
none keyword instead of specifying a number of minutes with this command. Specifying the none
keyword sets the session timeout to a null value, which disables the session timeout and permits an
unlimited session period.
The following example shows how to set a VPN session timeout of 180 minutes for the group policy
named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
hostname(config-group-policy)#
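An added example, not part of the Cisco guide: a Python audit over a saved running-config that reports group policies where vpn-idle-timeout or vpn-session-timeout is set to none or left to inheritance. The sample configuration is constructed, and the parser assumes a "group-policy NAME attributes" line followed by indented attribute lines.

```python
import re
# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
webvpn
 default-idle-timeout 3600
group-policy FirstGroup attributes
 vpn-idle-timeout 15
 vpn-session-timeout 180
group-policy Contractors attributes
 vpn-idle-timeout none
 vpn-session-timeout none
group-policy Partners attributes
 vpn-session-timeout 480
"""
ATTRS = ("vpn-idle-timeout", "vpn-session-timeout")

def parse_timeouts(config):
    """Return ({policy: {attr: minutes or 'none'}}, WebVPN idle seconds).
    Only the two-word form is read, so alert-interval lines are skipped."""
    policies, current, in_webvpn, webvpn_idle = {}, None, False, 1800  # 1800 s default
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line opens a new block
            m = re.match(r"group-policy (\S+) attributes$", line)
            current = policies.setdefault(m.group(1), {}) if m else None
            in_webvpn = line.strip() == "webvpn"
            continue
        words = line.split()
        if in_webvpn and len(words) == 2 and words[0] == "default-idle-timeout":
            webvpn_idle = int(words[1])
        elif current is not None and len(words) == 2 and words[0] in ATTRS:
            current[words[0]] = words[1] if words[1] == "none" else int(words[1])
    return policies, webvpn_idle

def audit(config):
    """Flag policies that disable a timeout or leave it to inheritance."""
    policies, webvpn_idle = parse_timeouts(config)
    notes = {"vpn-idle-timeout": "no idle limit for site-to-site/IKEv1; "
             f"AnyConnect falls back to the global {webvpn_idle} s",
             "vpn-session-timeout": "unlimited session length"}
    findings = []
    for name, attrs in sorted(policies.items()):
        for attr in ATTRS:
            if attr not in attrs:
                findings.append((name, attr, "not set here, inherited"))
            elif attrs[attr] == "none":
                findings.append((name, attr, notes[attr]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```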
Step 6 Configure the time at which a session-timeout alert message is displayed to the user using the
vpn-session-timeout alert-interval {minutes | none} command. This alert message tells users how
many minutes they have left until their VPN session is automatically disconnected.