Quick note: Inactive Anyconnect sessions not removed.

I recently had a TAC case regarding a Cisco ASA 5510 firewall serving AnyConnect clients, where VPN clients could not connect because of a "no address available" error. It turned out that the "show vpn-sessiondb anyconnect" command listed 50+ AnyConnect sessions that were over one month old. Like this:

sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : aaaaa Index : 110
Assigned IP : zx.zx.zx.zx Public IP : qw.qw.qw.qw
Protocol : Clientless DTLS-Tunnel
License : AnyConnect Essentials
Encryption : RC4 AES128 Hashing : SHA1
Bytes Tx : 40577016 Bytes Rx : 5480886
Group Policy : DfltGrpPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:43:24 CEST Fri Dec 16 2011
Duration : 34d 23h:20m:15s
Inactivity : 32d 2h:00m:04s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none

Username : zzzzz Index : 152
Assigned IP : x.x.x.x Public IP : y.y.y.y
Protocol : AnyConnect-Parent DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AES128 Hashing : none SHA1
Bytes Tx : 13671510 Bytes Rx : 8421169
Group Policy : DfltGrpPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 04:39:57 CEST Tue Dec 20 2011
Duration : 31d 5h:23m:42s
Inactivity : 31d 4h:14m:45s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
...
...
...

The strange thing about this was that an idle timeout was indeed configured for DfltGrpPolicy:

group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
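As an added check (not part of the original post and not a Cisco tool), here is a small Python parser for the "show vpn-sessiondb anyconnect" output shown above that flags every session whose Inactivity already exceeds the configured vpn-idle-timeout. The sample output, usernames and addresses are constructed placeholders; it handles both the "32d 2h:00m:04s" and the shorter "0h:00m:12s" duration forms the ASA prints.

```python
import re
from typing import Dict, List
# Constructed sample in the "show vpn-sessiondb anyconnect" layout (addresses are placeholders)
SAMPLE_OUTPUT = """\
Session Type: AnyConnect
Username : aaaaa Index : 110
Assigned IP : 10.0.0.1 Public IP : 192.0.2.10
Inactivity : 32d 2h:00m:04s

Username : zzzzz Index : 152
Assigned IP : 10.0.0.2 Public IP : 192.0.2.11
Inactivity : 31d 4h:14m:45s

Username : active Index : 153
Assigned IP : 10.0.0.3 Public IP : 192.0.2.12
Inactivity : 0h:00m:12s
"""

# ASA prints durations as "32d 2h:00m:04s"; the day part is omitted below 24h
DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")

def duration_minutes(text: str) -> int:
    """Convert an ASA duration string to whole minutes (seconds are dropped)."""
    m = DURATION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, mins, _secs = (int(g or 0) for g in m.groups())
    return days * 24 * 60 + hours * 60 + mins

def parse_sessions(output: str) -> List[Dict[str, object]]:
    """Split the output on blank lines and pull username, index, IP and inactivity per session."""
    sessions = []
    for block in re.split(r"\n\s*\n", output.strip()):
        user = re.search(r"Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)", block)
        ip = re.search(r"Assigned IP\s*:\s*(\S+)", block)
        idle = re.search(r"Inactivity\s*:\s*(.+)", block)
        if not (user and ip and idle):
            continue  # header-only or incomplete block
        sessions.append({"username": user.group(1), "index": int(user.group(2)),
                         "assigned_ip": ip.group(1),
                         "inactivity_min": duration_minutes(idle.group(1))})
    return sessions

def stale_sessions(output: str, idle_timeout_min: int = 60) -> List[Dict[str, object]]:
    """Sessions idle longer than vpn-idle-timeout (minutes); the ASA should already have torn these down."""
    return [s for s in parse_sessions(output) if s["inactivity_min"] > idle_timeout_min]

if __name__ == "__main__":
    for s in stale_sessions(SAMPLE_OUTPUT):
        print(f"{s['username']:<8} index={s['index']:<4} ip={s['assigned_ip']:<12} idle={s['inactivity_min']} min")
```

Feed it the real command output (for example captured over SSH) and the vpn-idle-timeout value from the group policy; anything it lists is a session still holding an address from the pool.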

The solution provided was to add SSL keepalives on the group policy, and that had the desired effect. After adding the commands below, there were no more stale sessions:

group-policy DfltGrpPolicy attributes
webvpn
anyconnect ssl keepalive 300

Strange thing, though: the idle timeout should be enough to kill those sessions. I still haven't got any explanation from TAC as to why the ssl keepalive command was needed. Anyone?
