I recently had a TAC case regarding a Cisco ASA 5510 firewall with AnyConnect clients, where VPN clients could not connect because of "no address available". It turned out that the "show vpn-sessiondb anyconnect" command showed 50+ AnyConnect sessions that were over one month old, still holding their pool addresses. Like this:
sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : aaaaa                  Index        : 110
Assigned IP  : zx.zx.zx.zx            Public IP    : qw.qw.qw.qw
Protocol     : Clientless DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 40577016               Bytes Rx     : 5480886
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:43:24 CEST Fri Dec 16 2011
Duration     : 34d 23h:20m:15s
Inactivity   : 32d 2h:00m:04s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : zzzzz                  Index        : 152
Assigned IP  : x.x.x.x                Public IP    : y.y.y.y
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AES128                 Hashing      : none SHA1
Bytes Tx     : 13671510               Bytes Rx     : 8421169
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 04:39:57 CEST Tue Dec 20 2011
Duration     : 31d 5h:23m:42s
Inactivity   : 31d 4h:14m:45s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

...
...
...
The strange thing about this was that an idle timeout was indeed configured for DfltGrpPolicy (the value is in minutes):
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 60
The solution provided was to add SSL keepalives on the group policy, and that had the desired effect. After adding the commands below, there were no more stale sessions:
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect ssl keepalive 300
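Stale sessions like the ones above are easy to miss until the address pool runs dry, so it is worth checking for them before users start getting "no address available". The script below is an added example, not part of the original post or any Cisco tooling: it parses "show vpn-sessiondb anyconnect" output together with the group-policy configuration and lists every session whose Inactivity already exceeds the vpn-idle-timeout of its group policy. Any hit means the ASA is not tearing the session down and its assigned address stays burned. The session output and config excerpt embedded in the script are constructed samples in the layout the ASA prints (usernames and addresses are made up); the column layout and the "Nd Hh:MMm:SSs" duration format are assumptions based on the output shown in this post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output in the layout the ASA uses for
# "show vpn-sessiondb anyconnect"; usernames and addresses are made up.
SAMPLE_SESSIONDB = """\
Session Type: AnyConnect

Username     : aaaaa                  Index        : 110
Assigned IP  : 10.10.10.5             Public IP    : 192.0.2.10
Protocol     : Clientless DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 40577016               Bytes Rx     : 5480886
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 10:43:24 CEST Fri Dec 16 2011
Duration     : 34d 23h:20m:15s
Inactivity   : 32d 2h:00m:04s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : bbbbb                  Index        : 201
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AES128                 Hashing      : none SHA1
Bytes Tx     : 1234                   Bytes Rx     : 5678
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 09:00:00 CEST Mon Jan 23 2012
Duration     : 0h:45m:10s
Inactivity   : 0h:12m:03s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# Constructed group-policy excerpt; vpn-idle-timeout is in minutes on the ASA.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 60
 webvpn
  anyconnect ssl keepalive 300
"""

# One "Key : Value" pair; two pairs may share a line, separated by 2+ spaces.
_PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)"
)
# "32d 2h:00m:04s" or "0h:12m:03s" (the day part is only printed when non-zero).
_DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_duration_seconds(text: str) -> Optional[int]:
    """Convert an ASA duration string into seconds; None if it does not parse."""
    m = _DURATION_RE.fullmatch(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Split session-db output into one dict of fields per session."""
    sessions: List[Dict[str, str]] = []
    for line in output.splitlines():
        for key, value in _PAIR_RE.findall(line):
            key = key.strip()
            if key == "Username":  # every session record starts with Username
                sessions.append({})
            if sessions:           # skips the "Session Type" header line
                sessions[-1][key] = value.strip()
    return sessions


def parse_idle_timeouts(config: str) -> Dict[str, int]:
    """Map each group-policy name to its vpn-idle-timeout in minutes.

    A policy with "vpn-idle-timeout none" (or no line at all) is left out,
    since it has no limit to compare against.
    """
    timeouts: Dict[str, int] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*vpn-idle-timeout (\d+)\s*$", line)
        if m and current:
            timeouts[current] = int(m.group(1))
    return timeouts


def stale_sessions(output: str, config: str) -> List[Dict[str, str]]:
    """Return sessions whose Inactivity exceeds their group policy's idle timeout."""
    timeouts = parse_idle_timeouts(config)
    stale: List[Dict[str, str]] = []
    for s in parse_sessions(output):
        limit_min = timeouts.get(s.get("Group Policy", ""))
        idle = parse_duration_seconds(s.get("Inactivity", ""))
        if limit_min is None or idle is None:
            continue
        if idle > limit_min * 60:
            stale.append(s)
    return stale


if __name__ == "__main__":
    for s in stale_sessions(SAMPLE_SESSIONDB, SAMPLE_CONFIG):
        print(f"stale: user={s['Username']} index={s['Index']} "
              f"ip={s['Assigned IP']} inactive={s['Inactivity']}")
```

On the sample data only the first session is reported, since 32 days of inactivity is far past the 60-minute limit while the second session has been idle for 12 minutes. Run against real output, the list is exactly the set of sessions the idle timeout should have removed, and the count of distinct "Assigned IP" values tells you how much of the pool they are holding.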
Strange thing though. The idle timeout should be enough to kill those sessions. I still haven't got any explanation from TAC regarding why the ssl keepalive command was needed. Anyone?