Cisco VPN Client Timeout

Not applicable

Re: Cisco VPN Client Timeout

I'm on 4.1.9 and this issue occurs for my clients also.

Not applicable

Re: Cisco VPN Client Timeout

Does anyone know if the addressed issue in 4.1.10 listed as...

46059 – Session timeout settings were not in effect when set to the maximum value

...perhaps pertains to this? I'm guessing no, but wanted to see if anyone knew.

L0 Member

Re: Cisco VPN Client Timeout

I'm experiencing the same issue. "Cisco" IPSEC clients fail due to a rekey issue after about 3300 seconds. It's really a shame -- other than the timeout issue, they work perfectly and provide nearly universal cross-platform compatibility.

I may be upgrading to 5.x soon to address an unrelated user-id issue. I will post back to this thread if 5.x fixes it.

Not applicable

Re: Cisco VPN Client Timeout

PanOS 5.0.3 does NOT solve this problem for the built-in cisco client in OSX.

Whoever is responsible for the cursed pestilence that is ipsec needs to be staked out on a fire ant mound and drizzled with honey.

NGS
L3 Networker

Re: Cisco VPN Client Timeout

I use cisco vpn client over win 7 with a vm-100 5.03 and the tunnel is up for 8 hours (and more if configured). Verify that GP Gateway has Inactivity Logout configured for at least 6/8 hours.

As you can see from the command output, a newly created GP ipsec phase 2 has a lifetime of 8 hours (28778/3600), while with 4.1.X the lifetime was always below 3600.

admin@VM-100> show vpn ipsec-sa tunnel Gateway1-N

GwID/client IP  TnID  Peer-Address    Tunnel(Gateway)         Algorithm      SPI(in)   SPI(out)  life(Sec/KB)
192.168.Y.Y     1     X.X.X.X:49364   Gateway1-N(Gateway1-N)  ESP/A256/SHA1  B5A1E116  4E33D6A4  28778/0

Sometimes 5.03 has problems with ipsec rekey (to be solved hopefully in 5.05 or 5.06) so maybe your problem is related to this issue, not to the lifetime of cisco vpn client.
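The lifetime check described in the post above, as an added example that is not part of the original post or any vendor tooling: it parses `show vpn ipsec-sa` output and flags phase 2 SAs whose life value is below 3600 seconds. It assumes the column layout shown in the post; the function names and the second sample row are constructed for illustration.

```python
import re

# First data row is taken from the post above (addresses were masked there).
# The second row is constructed to illustrate the "below 3600" case.
SAMPLE = """\
GwID/client IP  TnID Peer-Address  Tunnel(Gateway)  Algorithm  SPI(in)  SPI(out)  life(Sec/KB)
192.168.Y.Y  1  X.X.X.X:49364  Gateway1-N(Gateway1-N)  ESP/A256/SHA1  B5A1E116  4E33D6A4  28778/0
192.168.Y.Z  2  X.X.X.X:50000  Gateway1-N(Gateway1-N)  ESP/A256/SHA1  0A0B0C0D  1A1B1C1D  3270/0
"""

# A data row: client, tunnel id, peer, tunnel name, algorithm,
# two 8-hex-digit SPIs, then life as seconds/KB. The header never matches
# because its second field ("IP") is not numeric.
ROW = re.compile(
    r"^(?P<client>\S+)\s+(?P<tnid>\d+)\s+(?P<peer>\S+)\s+(?P<tunnel>\S+)\s+"
    r"(?P<algo>\S+)\s+(?P<spi_in>[0-9A-Fa-f]{8})\s+(?P<spi_out>[0-9A-Fa-f]{8})\s+"
    r"(?P<secs>\d+)/(?P<kb>\d+)\s*$"
)


def parse_ipsec_sa(text):
    """Return one dict per SA row; header, prompt and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        sa = m.groupdict()
        sa["tnid"] = int(sa["tnid"])
        sa["secs"] = int(sa["secs"])
        sa["kb"] = int(sa["kb"])
        sa["hours"] = round(sa["secs"] / 3600, 2)
        sas.append(sa)
    return sas


def short_lived(sas, min_secs=3600):
    """SAs whose life value is under min_secs (the 4.1.X symptom in the thread)."""
    return [sa for sa in sas if sa["secs"] < min_secs]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        flag = "SHORT" if sa["secs"] < 3600 else "ok"
        print(f'{sa["tunnel"]} tnid={sa["tnid"]} life={sa["secs"]}s ({sa["hours"]}h) {flag}')
```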

Not applicable

Re: Cisco VPN Client Timeout

I am on Version 5.07 and I have the same issues. Global Protect clients receive the correct values. Cisco Clients will time out after 8 hours.

Is there a fix for this or is this just another unsolved issue?

Re: Cisco VPN Client Timeout

Same problem on 6.1.2!

Also, the split-tunnel configuration DOES NOT WORK! The tunnel always ends up being full-tunnel.

L7 Applicator

Re: Cisco VPN Client Timeout

I'm pretty sure that 3rd party IPSec clients only support full tunnel. If you require split tunneling, you should use the GlobalProtect client.

Re: Cisco VPN Client Timeout

Really? Why is there no mention about this in any documents?

Shame on you, paloalto.

NGS
L3 Networker

Re: Cisco VPN Client Timeout

Split tunnel on IPSEC is working, but only if the networks are simple enough. For example, if access routes are 192.168.0.0/24 and 172.16.0.0/24, this goes to full tunnel. It is a technical limitation that probably will never be fixed.

Cisco IPSEC is stuck at only 8 hours, and other IPSEC flavors (IPSEC on MacOSX) have even worse timeouts.
