04-20-2012 07:01 AM
Hello,
we are using Cisco VPN Clients to connect to our Palo Alto Network Device, it works like a charm, but the user are logged out after one hour.
The timeout for Login Lifetime is set to 30 day, and the Idle Timeout is set to 8 hours.
Any suggestion?
Jörg
11-13-2012 11:49 AM
PANOS version 5.0 solves this problem, I've tried in lab just yesterday. in the next d days I'll try even version 4.1.9
Globalptotect is not so trashy 🙂 give it a chance
04-20-2012 11:58 AM
Do you mean that you connect thru the Palo Alto device. If so I have noticed that if DHCP lease provided by the PA expires, Cisco VPN disconnects.
05-20-2012 05:37 PM
Hi,
I am also having this issue on 4.1.3 on a PA500. There are no DHCP lease timers on the Gateway DHCP pool. My timeout configuration is also set to 3 days for login lifetime and login inactivity.
08-14-2012 08:42 AM
Hello,
Did you ever manage to resolve the issue of disconnecting after an hour?
Many Thanks
09-05-2012 02:11 AM
Hi, have you resolved this issue?
I found this behavior with 4.1.6 with almost all the devices (200-500 2000 series etc). Every 45 min I receive a disconnect from the gateway with or without traffic passing thru the vpn tunnel. Cisco Vpn is quite old and not longer supported right now (Anyconnect is the actual main client for Cisco) but is slightly better than GlobalProtect Client and connects like a flash, also is native in Ipad/Iphone and I don't want the 45m/1h limitation.
I also tried to expand session + tcp/dns timeout of ciscovpn application (how the ipsec remote access via cisco vpn is detected) without any luck.
Thanks
09-06-2012 02:56 AM
Hello,
Same problem on a PA 500 running 4.1.7. After one hour, disconnect...
Regards,
HA
11-13-2012 11:41 AM
Same problem here on a PA-200 with the Cisco client. Disconnects seconds before 1:00hr, consistently.
The GlobalProtect client is trash so we are using Cisco clients.
11-13-2012 11:49 AM
PANOS version 5.0 solves this problem, I've tried in lab just yesterday. in the next d days I'll try even version 4.1.9
Globalptotect is not so trashy 🙂 give it a chance
11-19-2012 01:17 PM
Any chance the fix made it into 4.8h3 or 4.9? I don't have a lab, and won't be able to go to 5.0 until at least 5.1 (rules), so I can't really test.
Thanks!
11-19-2012 02:08 PM
4.1.8hf3 or 4.1.9 are useless for this problem, both tried in the last few days, always 60 min before automagic logoff, I hope in later versions.
5.0 is not so stable, I saw strange behavior in my 2050s so until 5.0.3 i don't think planning upgrading too.
11-19-2012 06:58 PM
I'm on 4.1.9 and this issue occurs for my clients also.
01-22-2013 01:39 PM
Does anyone know if the addressed issue in 4.1.10 listed as...
46059 – Session timeout settings were not in effect when set to the maximum value
...perhaps pertains to this? Im guessing no, but wanted to see if anyone knew.
01-26-2013 05:18 PM
I'm experiencing the same issue. "Cisco" IPSEC clients fail due to a rekey issue after about 3300 seconds. It's really a shame -- other than the timeout issue, they work perfectly and provide nearly universal cross-platform compatibility.
I may be upgrading to 5.x soon to address an unrelated user-id issue. I will post back to this thread if 5.x fixes it.
05-08-2013 12:15 AM
PanOS 5.0.3 does NOT solve this problem for the built-in cisco client in OSX.
Whoever is responsible for the cursed pestilence that is ipsec needs to be staked out on a fire ant mound and drizzled with honey.
05-08-2013 12:54 AM
I use cisco vpn client over win 7 with a vm-100 5.03 and the tunnel is up for 8 hours (and more if configured). Verify that GP Gateway has Inactivity Logout configured for at least 6/8 hours.
As you see form the command extracted for a newly GP ipsec phase 2 created has a lifetime of 8 hours 28778/3600, while with 4.1.X the lifetime was always below 3600
admin@VM-100> show vpn ipsec-sa tunnel
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
192.168.Y.Y 1 X.X.X.X:49364
Sometimes 5.03 has problem in ipsec rekey (to be solved hopefully in 5.05 or 5.06) so maybe your problem is related to this issue, not to the lifetime of cisco vpn client.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
