Does anyone know if the addressed issue in 4.1.10 listed as...
46059 – Session timeout settings were not in effect when set to the maximum value
...perhaps pertains to this? Im guessing no, but wanted to see if anyone knew.
I'm experiencing the same issue. "Cisco" IPSEC clients fail due to a rekey issue after about 3300 seconds. It's really a shame -- other than the timeout issue, they work perfectly and provide nearly universal cross-platform compatibility.
I may be upgrading to 5.x soon to address an unrelated user-id issue. I will post back to this thread if 5.x fixes it.
PanOS 5.0.3 does NOT solve this problem for the built-in cisco client in OSX.
Whoever is responsible for the cursed pestilence that is ipsec needs to be staked out on a fire ant mound and drizzled with honey.
I use cisco vpn client over win 7 with a vm-100 5.03 and the tunnel is up for 8 hours (and more if configured). Verify that GP Gateway has Inactivity Logout configured for at least 6/8 hours.
As you see form the command extracted for a newly GP ipsec phase 2 created has a lifetime of 8 hours 28778/3600, while with 4.1.X the lifetime was always below 3600
admin@VM-100> show vpn ipsec-sa tunnel
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
192.168.Y.Y 1 X.X.X.X:49364
Sometimes 5.03 has problem in ipsec rekey (to be solved hopefully in 5.05 or 5.06) so maybe your problem is related to this issue, not to the lifetime of cisco vpn client.
I am on Version 5.07 and I have the same issues. Global Protect clients receive the correct values. Cisco Clients will time out after 8 hours.
Is there a fix for this is or is this just another unsolved issue?
Split tunnel on IPSEC is working but only if the networks are simpler enough. For examples if access routes are 192.168.0.0/24 and 172.16.0.0/24 this goes to full tunnel. Technical limitation probably will never fix.
Cisco IPSEC are stuck only to 8 hours and other IPSEC flavors (IPSEC on MacOSX) have even worst timeout.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!