Cisco VPN Client Timeout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cisco VPN Client Timeout

L1 Bithead

Hello,

we are using Cisco VPN Clients to connect to our Palo Alto Network Device, it works like a charm, but the user are logged out after one hour.

The timeout for  Login Lifetime is set to 30 day, and the Idle Timeout is set to 8 hours.

Any suggestion?

Jörg

1 accepted solution

Accepted Solutions

PANOS version 5.0 solves this problem, I've tried in lab just yesterday. in the next d days I'll try even version 4.1.9

Globalptotect is not so trashy 🙂 give it a chance

View solution in original post

21 REPLIES 21

L1 Bithead

Do you mean that you connect thru the Palo Alto device. If so I have noticed that if DHCP lease provided by the PA expires, Cisco VPN disconnects.

Hi,

I am also having this issue on 4.1.3 on a PA500. There are no DHCP lease timers on the Gateway DHCP pool. My timeout configuration is also set to 3 days for login lifetime and login inactivity.

Hello,

Did you ever manage to resolve the issue of disconnecting after an hour?

Many Thanks

L3 Networker

Hi, have you resolved this issue?

I found this behavior with 4.1.6 with almost all the devices (200-500 2000 series etc). Every 45 min I receive a disconnect from the gateway with or without traffic passing thru the vpn tunnel. Cisco Vpn is quite old and not longer supported right now (Anyconnect is the actual main client for Cisco) but is slightly better than GlobalProtect Client and connects like a flash, also is native in Ipad/Iphone and I don't want the 45m/1h limitation.

I also tried to expand session + tcp/dns timeout of ciscovpn application (how the ipsec remote access via cisco vpn is detected) without any luck.

Thanks

Hello,

Same problem on a PA 500 running 4.1.7. After one hour, disconnect...

Regards,

HA

Same problem here on a PA-200 with the Cisco client. Disconnects seconds before 1:00hr, consistently.

The GlobalProtect client is trash so we are using Cisco clients.

PANOS version 5.0 solves this problem, I've tried in lab just yesterday. in the next d days I'll try even version 4.1.9

Globalptotect is not so trashy 🙂 give it a chance

Any chance the fix made it into 4.8h3 or 4.9?  I don't have a lab, and won't be able to go to 5.0 until at least 5.1 (rules), so I can't really test.

Thanks!

4.1.8hf3 or 4.1.9 are useless for this problem, both tried in the last few days, always 60 min before automagic logoff,  I hope in later versions.

5.0 is not so stable, I saw strange behavior in my 2050s so until 5.0.3 i don't think planning upgrading too.

Not applicable

I'm on 4.1.9 and this issue occurs for my clients also.

Does anyone know if the addressed issue in  4.1.10  listed as...

46059 – Session timeout settings were not in effect when set to the maximum value

...perhaps pertains to this?   Im guessing no, but wanted to see if anyone knew.

I'm experiencing the same issue. "Cisco" IPSEC clients fail due to a rekey issue after about 3300 seconds. It's really a shame -- other than the timeout issue, they work perfectly and provide nearly universal cross-platform compatibility.

I may be upgrading to 5.x soon to address an unrelated user-id issue. I will post back to this thread if 5.x fixes it.

Not applicable

PanOS 5.0.3 does NOT solve this problem for the built-in cisco client in OSX.

Whoever is responsible for the cursed pestilence that is ipsec needs to be staked out on a fire ant mound and drizzled with honey.

I use cisco vpn client over win 7 with a vm-100 5.03 and the tunnel is up for  8 hours (and more if configured). Verify that GP Gateway has Inactivity Logout configured for at least 6/8 hours.

As you see form the command extracted for a newly GP ipsec phase 2 created has a lifetime of 8 hours 28778/3600, while with 4.1.X the lifetime was always below 3600

admin@VM-100> show vpn ipsec-sa tunnel Gateway1-N

GwID/client IP  TnID Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)       SPI(out)      life(Sec/KB)    

192.168.Y.Y    1 X.X.X.X:49364              Gateway1-N(Gateway1-N)           ESP/A256/SHA1 B5A1E116 4E33D6A4  28778/0    

Sometimes 5.03 has problem in ipsec rekey (to be solved hopefully in 5.05 or 5.06) so maybe your problem is related to this issue, not to the lifetime of cisco vpn client.

  • 1 accepted solution
  • 10985 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!