Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 75 Configuring AnyConnect VPN Client Connections
Configuring AnyConnect Connections
In the following example, compression is disabled for all SSL VPN connections globally:
hostname(config)# no compression
Changing Compression for Groups and Users
To change compression for a specific group or user, use the anyconnect ssl compression command in
the group-policy and username webvpn modes:
anyconnect ssl compression {deflate | none}
By default, for groups and users, SSL compression is set to deflate (enabled).
To remove the anyconnect ssl compression command from the configuration and cause the value to be
inherited from the global setting, use the no form of the command:
no anyconnect ssl compression {deflate | none}
In the following example, compression is disabled for the group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect ssl compression none
Adjusting MTU Size
You can adjust the MTU size (from 256 to 1406 bytes) for SSL VPN connections established by the
client with the anyconnect mtu command from group policy webvpn or username webvpn configuration
mode:
[no] anyconnect mtu size
This command affects only the AnyConnect client. The legacy Cisco SSL VPN Client () is not capable
of adjusting to different MTU sizes.
The default for this command in the default group policy is no anyconnect mtu. The MTU size is
adjusted automatically based on the MTU of the interface that the connection uses, minus the
IP/UDP/DTLS overhead.
This command affects client connections established in SSL and those established in SSL with DTLS.
The following example configures the MTU size to 1200 bytes for the group policy telecommuters:
hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200
Configuring Session Timeouts
You can limit how long the ASA keeps an AnyConnect VPN connection available to the user even with
no activity. If a VPN session goes idle, you can terminate the connection. Terminating the AnyConnect
connection requires the user to re-authenticate their endpoint to the secure gateway and create a new
VPN connection.
The following configuration parameters terminate the VPN session based on a simple timeout:
default-idle-timeout - Terminates any user's session when the session is inactive for the specified
time. The default is 1800 seconds (30 minutes).
vpn-idle-timeout - Terminates any user's session when the session is inactive for the specified time.
For SSL-VPN only, if vpn-idle-timeout is not configured, then default-idle-timeout is used.
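The fallback rule above and the MTU range from the previous section can be checked against a staged configuration before it is applied. The following Python audit is an added example, not part of the Cisco guide: the config excerpt and the group name lab are constructed, and the layout (default-idle-timeout under global webvpn, vpn-idle-timeout under group-policy attributes) is an assumption.

```python
import re

DEFAULT_IDLE_SECONDS = 1800          # default-idle-timeout default stated in the guide
MTU_MIN, MTU_MAX = 256, 1406         # anyconnect mtu range stated in the guide
# Constructed staged-config excerpt (not from the guide); "lab" is an example name.
SAMPLE_CONFIG = """\
webvpn
 default-idle-timeout 1200
group-policy telecommuters attributes
 vpn-idle-timeout 10
 webvpn
  anyconnect mtu 1200
group-policy lab attributes
 webvpn
  anyconnect mtu 1500
"""

def audit(config: str) -> dict:
    """Return {group: {"idle_seconds", "idle_source", "mtu", "mtu_ok"}}."""
    default_idle = DEFAULT_IDLE_SECONDS
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():              # a top-level line starts a new section
            m = re.fullmatch(r"group-policy (\S+) attributes", line)
            current = groups.setdefault(m.group(1), {"idle_min": None, "mtu": None}) if m else None
        elif m := re.fullmatch(r"default-idle-timeout (\d+)", line):
            default_idle = int(m.group(1))            # value is in seconds
        elif current is not None and (m := re.fullmatch(r"vpn-idle-timeout (\d+)", line)):
            current["idle_min"] = int(m.group(1))     # minutes; only the numeric form is modelled
        elif current is not None and (m := re.fullmatch(r"anyconnect mtu (\d+)", line)):
            current["mtu"] = int(m.group(1))
    report = {}
    for name, g in groups.items():
        explicit = g["idle_min"] is not None
        report[name] = {
            "idle_seconds": g["idle_min"] * 60 if explicit else default_idle,
            "idle_source": "vpn-idle-timeout" if explicit else "default-idle-timeout",
            "mtu": g["mtu"],                          # None means automatic (no anyconnect mtu)
            "mtu_ok": g["mtu"] is None or MTU_MIN <= g["mtu"] <= MTU_MAX,
        }
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE_CONFIG).items():
        print(name, row)
```

Inheritance from other group policies is not modelled; the audit applies only the two rules stated on this page.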
The following example shows how to set a vpn-idle-timeout of 10 minutes, and to decrease the
default-idle-timeout to 1200 seconds (20 minutes):