Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Group Policies
hostname(config-group-policy)# 
Step 2 Configure the time at which a session-timeout alert message is displayed to the user using the 
vpn-session-timeout alert-interval {minutes | none} command. This alert message tells users how 
many minutes they have left until their VPN session is automatically disconnected. 
The following example shows how to set the vpn-session-timeout alert-interval so that users will 
be notified 20 minutes before their VPN session is disconnected. You can specify a range of 1-30 
minutes.
hostname(config-webvpn)# vpn-session-timeout alert-interval 20
The none parameter indicates that users will not receive an alert. 
Use the no form of the command to indicate that the VPN session timeout alert-interval attribute will be 
inherited from the Default Group Policy:
no vpn-session-timeout alert-interval
Specifying a VPN Session Idle Timeout for a Group Policy
Step 1 Configure the user timeout period by entering the vpn-idle-timeout command in group-policy 
configuration mode or in username configuration mode:
hostname(config-group-policy)# vpn-idle-timeout {minutes | none}
hostname(config-group-policy)# 
AnyConnect (SSL IPsec/IKEv2): Use the global WebVPN default-idle-timeout value (seconds) from the 
command:
hostname(config-webvpn)# default-idle-timeout 
The range for this value in the WebVPN default-idle-timeout command is 60-86400 seconds; the 
default global WebVPN idle timeout is 1800 seconds (30 min). 
Note A non-zero idle timeout value is required by ASA for all AnyConnect connections. 
For a WebVPN user, the default-idle-timeout value is enforced only if vpn-idle-timeout none is set in 
the group policy/username attribute.
Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable timeout and allow for an unlimited idle 
period.
The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named 
FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15
hostname(config-group-policy)# 
Step 2 Configure the time at which an idle-timeout alert message is displayed to the user using the 
vpn-idle-timeout alert-interval {minutes | none} command. This alert message tells users how many 
minutes they have left until their VPN session is disconnected due to inactivity.
The following example shows how to set vpn-idle-timeout alert-interval so that users will be notified 20 
minutes before their VPN session is disconnected due to inactivity. You can specify a range of 1-30 
minutes.
hostname(config-webvpn)# vpn-idle-timeout alert-interval 20
The none parameter indicates that users will not receive an alert.
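The idle-timeout rules in Step 1 above, as an added Python example for auditing a saved configuration (not part of the Cisco guide). It reads the AnyConnect and Site-to-Site entries as the behavior of vpn-idle-timeout none. The sample configuration, the RemoteStaff policy name, the function names and the max_idle_s threshold are constructed for illustration, and only explicitly configured values are read (inheritance from the default group policy is not resolved).

```python
import re

# Constructed sample, not from a real device; RemoteStaff is a made-up policy name.
SAMPLE_CONFIG = """\
webvpn
 default-idle-timeout 3600
group-policy FirstGroup attributes
 vpn-idle-timeout 15
group-policy RemoteStaff attributes
 vpn-idle-timeout none
 vpn-idle-timeout alert-interval 20
"""

def parse(config):
    """Return (global default-idle-timeout in seconds, {policy: minutes or 'none'})."""
    global_s = 1800  # global WebVPN default when default-idle-timeout is not configured
    policies, section = {}, ("", None)
    for line in config.splitlines():
        if not line.startswith(" "):  # a column-0 line opens a new section
            m = re.match(r"group-policy (\S+) attributes$", line.strip())
            section = ("gp", m.group(1)) if m else (line.strip(), None)
            continue
        words = line.split()
        if len(words) < 2:
            continue
        if section == ("webvpn", None) and words[0] == "default-idle-timeout":
            global_s = int(words[1])
        elif section[0] == "gp" and words[0] == "vpn-idle-timeout" and words[1] != "alert-interval":
            policies[section[1]] = words[1]  # the alert-interval line is not the timeout itself
    return global_s, policies

def effective_idle_s(setting, kind, global_s):
    """kind: 'anyconnect' or 'ipsec' (site-to-site, IKEv1 remote access). None means unlimited."""
    if setting != "none":
        return int(setting) * 60
    return global_s if kind == "anyconnect" else None

def audit(config, max_idle_s):
    """List (policy, kind, seconds) where the idle timeout is unlimited or above max_idle_s."""
    global_s, policies = parse(config)
    findings = []
    for name, setting in sorted(policies.items()):
        for kind in ("anyconnect", "ipsec"):
            eff = effective_idle_s(setting, kind, global_s)
            if eff is None or eff > max_idle_s:
                findings.append((name, kind, eff))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, max_idle_s=1800))
```

A finding with seconds set to None marks a policy that leaves site-to-site or IKEv1 remote-access sessions with no idle limit.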