Technical Tip: SSL VPN connection logout after 8 hours

Description
This article describes the default timeout settings for SSL VPN and the consequences of changing the configuration under SSL VPN settings in a production environment.
Solution
By default, an SSL VPN connection is logged out after 8 hours.

# config vpn ssl settings
    set idle-timeout 300

The idle-timeout is the period of time, in seconds, that the SSL VPN will wait before timing out an idle connection.
The default value is 300 seconds (5 minutes). Range: <0> to <259200>.

    set auth-timeout 28800

The auth-timeout is the period of time, in seconds, that the SSL VPN will wait before re-authentication is enforced.
The default value is 28800 seconds (8 hours). Range: <0> to <259200>.

A value of 0 indicates no timeout.
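The following added example (not part of the original article and not vendor code) audits a configuration excerpt for the two timeouts described above and flags a value of 0 or a value outside the stated range. The sample configuration is constructed, and treating a setting that is absent from the block as holding its default is an assumption of this example.

```python
import re
DEFAULTS = {"idle-timeout": 300, "auth-timeout": 28800}  # defaults stated in the article
MAX_SECONDS = 259200                                     # upper bound of the stated range

# Constructed sample of a configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set idle-timeout 0
    config authentication-rule
    end
    set auth-timeout 43200
end
"""

def ssl_vpn_timeouts(config_text):
    """Effective timeouts from the top level of 'config vpn ssl settings'."""
    values, depth = dict(DEFAULTS), None  # depth None: block not entered yet
    for line in map(str.strip, config_text.splitlines()):
        if depth is None:
            if line == "config vpn ssl settings":
                depth = 0
        elif line.startswith("config "):
            depth += 1            # nested sub-table, skip its contents
        elif line == "end":
            if depth == 0:
                break             # end of the SSL VPN settings block
            depth -= 1            # end of a nested sub-table
        elif depth == 0:
            m = re.fullmatch(r"set (idle-timeout|auth-timeout) (\d+)", line)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values

def audit(config_text):
    """Map each timeout to (value, finding)."""
    report = {}
    for name, value in ssl_vpn_timeouts(config_text).items():
        if value > MAX_SECONDS:
            finding = "outside documented range"
        elif value == 0:
            finding = "no timeout"
        else:
            finding = "default" if value == DEFAULTS[name] else "custom"
        report[name] = (value, finding)
    return report

if __name__ == "__main__":
    for name, (value, finding) in audit(SAMPLE_CONFIG).items():
        print(f"{name} = {value} s ({finding})")
```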

Changing the timeout values above, or changing tunnel/web mode, will not impact the environment.

However, be aware:
Once an SSL VPN client is connected, a change to firewall address objects or IP pools under SSL VPN settings in a production environment will tear down all active SSL VPN connections, regardless of the timeouts above.

This is expected behavior, and the following log will be displayed.

CLI DEBUG:

[260:root:0][257:root:0]Config change causes all session to be closed in vdom ‘root’
