Cisco VPN Client Timeout

L1 Bithead


We are using Cisco VPN Clients to connect to our Palo Alto Networks device. It works like a charm, but the users are logged out after one hour.

The timeout for Login Lifetime is set to 30 days, and the Idle Timeout is set to 8 hours.

Any suggestion?



Not applicable

I'm on 4.1.9 and this issue occurs for my clients also.

Does anyone know if the addressed issue in 4.1.10 listed as...

46059 – Session timeout settings were not in effect when set to the maximum value

...perhaps pertains to this? I'm guessing no, but wanted to see if anyone knew.

I'm experiencing the same issue. "Cisco" IPSEC clients fail due to a rekey issue after about 3300 seconds. It's really a shame -- other than the timeout issue, they work perfectly and provide nearly universal cross-platform compatibility.

I may be upgrading to 5.x soon to address an unrelated user-id issue. I will post back to this thread if 5.x fixes it.

Not applicable

PanOS 5.0.3 does NOT solve this problem for the built-in Cisco client in OSX.

Whoever is responsible for the cursed pestilence that is ipsec needs to be staked out on a fire ant mound and drizzled with honey.

I use the Cisco VPN client on Win 7 with a VM-100 5.03, and the tunnel is up for 8 hours (and more if configured). Verify that the GP Gateway has Inactivity Logout configured for at least 6/8 hours.

As you can see from the command output below, a newly created GP IPsec phase 2 has a lifetime of 8 hours (28778/3600), while with 4.1.X the lifetime was always below 3600.

admin@VM-100> show vpn ipsec-sa tunnel Gateway1-N

GwID/client IP  TnID  Peer-Address   Tunnel(Gateway)         Algorithm      SPI(in)   SPI(out)  life(Sec/KB)
192.168.Y.Y     1     X.X.X.X:49364  Gateway1-N(Gateway1-N)  ESP/A256/SHA1  B5A1E116  4E33D6A4  28778/0

Sometimes 5.03 has problems with IPsec rekey (to be solved hopefully in 5.05 or 5.06), so maybe your problem is related to this issue, not to the lifetime of the Cisco VPN client.

Not applicable

I am on Version 5.07 and I have the same issues. Global Protect clients receive the correct values. Cisco Clients will time out after 8 hours.

Is there a fix for this, or is this just another unsolved issue?

Same problem on 6.1.2!

Also, the split-tunnel configuration DOES NOT WORK! The tunnel always ends up being full-tunnel.

I'm pretty sure that 3rd party IPSec clients only support full tunnel. If you require split tunneling, you should use the GlobalProtect client.

Really? Why is there no mention about this in any documents?

Shame on you, Palo Alto.

Split tunnel on IPSEC is working, but only if the networks are simple enough. For example if access routes are and this goes to full tunnel. Technical limitation, probably will never be fixed.

Cisco IPSEC clients are stuck at only 8 hours, and other IPSEC flavors (IPSEC on MacOSX) have even worse timeouts.
