SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Dynamic VPN idle timeout

  • 1.  Dynamic VPN idle timeout

    Posted 12-04-2014 04:40

    Hi,

    I have set up the dynamic VPN; the customer wants Junos Pulse to disconnect after 5 minutes of idle time.

     

    I have configured the following command, but it seems not to be working:

     

     set security ipsec vpn DYNAMIC-VPN ike idle-time 300

     

    Model: srx210he2
    JUNOS Software Release [12.1X44-D20.3]

     

    Any advice or workaround?

     

     

    Regards

    Mass



  • 2.  RE: Dynamic VPN idle timeout

    Posted 12-04-2014 05:31

    Hi Mass,

     

    You can use client-idle-timeout under the access profile configuration to drop the connection after 5 minutes of idleness:


    root@Site-A# show access
    profile test {
        session-options {
            client-idle-timeout 10;
        }
    }

    set access profile test session-options client-idle-timeout 5

     

    client-idle-timeout: time in minutes of idleness after which access is denied.

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     

     



  • 3.  RE: Dynamic VPN idle timeout

    Posted 12-04-2014 05:46

    Hi Mass,

     

    You can use the idle timeout under the access profile configuration to drop the connection after 5 minutes of idleness:


    root@Site-A# show access
    profile test {
        session-options {
            client-idle-timeout 10;
        }
    }

    set access profile test session-options client-idle-timeout 10

    client-idle-timeout: time in minutes of idleness after which access is denied.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++

     

    The idle timeout under the IPsec settings is for the SRX to remove the IKE cookie.

    The IKE cookie is removed if an idle-timeout setting (of 5 minutes) is defined.

    It is not for the client idle timeout; it is for the SRX to remove VPN-related information for that user once the user disconnects the VPN.


    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 4.  RE: Dynamic VPN idle timeout

    Posted 12-04-2014 09:01

    Hi,

     

    I have tried all these settings; Junos Pulse still remains connected.

     

    Any other workaround?

     

     

    set system services web-management session idle-timeout 5
    set security ipsec vpn DYNAMIC-VPN ike idle-time 300
    set access profile RADIUS-SERVER session-options client-idle-timeout 10



  • 5.  RE: Dynamic VPN idle timeout

     
    Posted 12-04-2014 13:59

    By default, the VPN On Demand has an idle timeout value of 120 seconds. However, when a VPN is launched using Junos Pulse, the idle timeout value and the session timeout value are determined by the roles that are assigned to the users.

     



  • 6.  RE: Dynamic VPN idle timeout

    Posted 12-04-2014 23:38

    Hi Mass,

     

    Are you using RADIUS authentication or local authentication for the dynamic VPN users?

     

    client-idle-timeout is the only option for disconnecting the VPN client connection.

     

    Maybe there is traffic flowing between the client and the protected resources even though the customer is not using any application manually.

     

    Ask the customer to stay idle for some time, and check the session information on the SRX for the virtual IP address:

    show security flow session source-prefix <virtual-adapter-ip-address>

     

    set access profile RADIUS-SERVER session-options client-idle-timeout 10

     

     

    Regards,
    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
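
    The check suggested above (look at the SRX flow table for the client's virtual IP while the user is idle) is easy to do by hand once, but tedious when you need to find out which background service is keeping a "idle" Pulse client alive. The following is an added example, not code from the thread or from Juniper: it parses the text of `show security flow session source-prefix <virtual-ip>` in the Junos 12.x layout and summarizes, per destination host/port/protocol, what the virtual IP is talking to. The sample output embedded below is constructed (the 10.10.10.x hosts, ports and policy name are made up for illustration).

```python
"""Summarize what a dynamic VPN client's virtual IP is talking to.

Added example, not from the forum thread: parses 'show security flow session'
output (Junos 12.x text layout) so that background traffic keeping an
"idle" Pulse client alive can be identified.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header line of each session in 'show security flow session' output.
SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
# The In/Out wings printed under each session header.
WING_RE = re.compile(
    r"^\s+(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> (?P<dst>\S+)/(?P<dport>\d+);"
    r"(?P<proto>\w+), If: (?P<intf>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class FlowSession:
    session_id: int
    policy: str
    timeout: int      # seconds left before the SRX ages the session out
    src_ip: str       # initiator of the session (the In wing's source)
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    in_pkts: int      # packets client -> resource
    out_pkts: int     # packets resource -> client


def parse_flow_sessions(text: str) -> List[FlowSession]:
    """Turn the CLI text into one FlowSession per 'Session ID' block."""
    sessions: List[FlowSession] = []
    header: Optional[dict] = None
    wings: dict = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            header, wings = m.groupdict(), {}
            continue
        m = WING_RE.match(line)
        if m and header is not None:
            wings[m.group("dir")] = m
            if "In" in wings and "Out" in wings:
                i = wings["In"]
                sessions.append(FlowSession(
                    session_id=int(header["sid"]), policy=header["policy"],
                    timeout=int(header["timeout"]),
                    src_ip=i.group("src"), src_port=int(i.group("sport")),
                    dst_ip=i.group("dst"), dst_port=int(i.group("dport")),
                    proto=i.group("proto"), in_pkts=int(i.group("pkts")),
                    out_pkts=int(wings["Out"].group("pkts")),
                ))
                header = None
    return sessions


def client_activity(text: str, virtual_ip: str) -> Dict[str, object]:
    """Sessions initiated by the given virtual IP, grouped by destination.

    A client that looks idle to the user but still has sessions here is
    being kept alive by background traffic; the destination summary shows
    which service (e.g. SMB/445, NetBIOS/137) is responsible.
    """
    sessions = [s for s in parse_flow_sessions(text) if s.src_ip == virtual_ip]
    destinations = Counter((s.dst_ip, s.dst_port, s.proto) for s in sessions)
    return {"session_count": len(sessions),
            "destinations": dict(destinations),
            "idle": len(sessions) == 0}


# Constructed sample output: hosts, ports and policy name are illustrative only.
SAMPLE_OUTPUT = """\
Session ID: 20173, Policy name: untrust-to-trust-vpn/7, Timeout: 1790, Valid
  In: 172.19.21.1/49211 --> 10.10.10.20/445;tcp, If: st0.0, Pkts: 42, Bytes: 6128
  Out: 10.10.10.20/445 --> 172.19.21.1/49211;tcp, If: ge-0/0/1.0, Pkts: 38, Bytes: 5190
Session ID: 20188, Policy name: untrust-to-trust-vpn/7, Timeout: 54, Valid
  In: 172.19.21.1/137 --> 10.10.10.255/137;udp, If: st0.0, Pkts: 6, Bytes: 468
  Out: 10.10.10.255/137 --> 172.19.21.1/137;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

if __name__ == "__main__":
    print(client_activity(SAMPLE_OUTPUT, "172.19.21.1"))
```

    In practice you would paste in the real CLI output (or pull it over NETCONF) and run the check while the user keeps their hands off the machine; a non-empty destination summary points to the chatty service, and an empty one tells you the client really is idle at the flow level, so the behaviour has to be explained elsewhere.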

     



  • 7.  RE: Dynamic VPN idle timeout

    Posted 12-08-2014 05:00

    Hi,

     

    I am using RADIUS authentication.

     

    I am testing it myself and see no session for the virtual IP assigned to my VPN connection.

     

    The customer really wants me to set the idle timeout to 5 min.

     

    I was trying to do the below, which gives an error:

     

    set groups junos-defaults applications application junos-ike inactivity-timeout 300
    error: could not set inactivity-timeout

     

    I am stuck and not sure if it will be possible to set the idle timeout.

     

    Any further advice?

     

    Regards

    Mass



  • 8.  RE: Dynamic VPN idle timeout

    Posted 12-08-2014 05:48

    Hi Mass,

     

    Delete the idle-time setting and then test it:

    delete security ipsec vpn DYNAMIC-VPN ike idle-time 300

     

    Regards,

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     

     



  • 9.  RE: Dynamic VPN idle timeout

    Posted 12-09-2014 01:50

    Hi rparthi,

     

    I tried your suggestion; it did not help.

     

    Pulse still stays connected.



  • 10.  RE: Dynamic VPN idle timeout

     
    Posted 12-09-2014 02:06

    Hi Mass,

     

    May I know if there is any specific reason for this requirement?

    The idle-time configuration is to delete a security association after the specified idle time, so it's equivalent to disconnecting the VPN from Pulse.

    Please confirm if there is any other requirement.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

     



  • 11.  RE: Dynamic VPN idle timeout

    Posted 12-09-2014 04:43

    Hi Suraj,

    For security reasons, the customer wants Junos Pulse to disconnect after 5 min if there is no activity.

     

    In case a user leaves the PC open with Pulse connected, which will give access to their production servers in the data center.

     

     

     



  • 12.  RE: Dynamic VPN idle timeout

     
    Posted 12-09-2014 04:46

    Hi Mass,

     

    No; if the Pulse connection is idle for 5 minutes, the SA is deleted on the SRX side, and even if the Pulse status says "connected", VPN access won't work. The user is expected to complete XAuth again.

    You can ask customer to test this behavior after configuring the idle timeout.

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 13.  RE: Dynamic VPN idle timeout

    Posted 12-09-2014 08:35

    Hi,

     

    I tried it for my own account for testing purposes; the SA was not deleted on the SRX side:

     

     

     

    SRX> show security ipsec security-associations detail | match 172.19.21.1
    Dec 09 16:22:30
      Remote Identity: ipv4(any:0,[0..3]=172.19.21.1)

    SRX> show log vpntrace | match masroor
    Dec 09 16:23:27
    Dec  9 16:21:40 authd_auth_aaa_msg_create aaa-key: username:(mass) profile:(RADIUS-SERVER)
    Dec  9 16:21:40  Username:mass, Session-Id:9270378912016513467 Access-profile:RADIUS-SERVER Multi-Acct-Session-Id:0
    Dec  9 16:21:40 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(RADIUS-SERVER), username=(mass
    Dec  9 16:21:40 authd_radius_build_basic_auth_request: got params  profile=RADIUS-SERVER, username=mass
    Dec  9 16:21:41 Framework: Updating session timeout (599999940) in response for user 'mass' from profile 'RADIUS-SERVER'
    Dec  9 16:21:41 Framework: Updating idle timeout (10) in response for user 'mass' from profile 'RADIUS-SERVER'
    Dec  9 16:21:57 authd_auth_aaa_msg_create aaa-key: username:(mass) profile:(RADIUS-SERVER)
    Dec  9 16:21:57  Username:mass, Session-Id:9270378916311600643 Access-profile:RADIUS-SERVER Multi-Acct-Session-Id:0
    Dec  9 16:21:57 authd_auth_modules_pre_feed_sanity: message passed sanity test profile=(RADIUS-SERVER), username=(mass
    Dec  9 16:21:57 authd_radius_build_basic_auth_request: got params  profile=RADIUS-SERVER, username=mass
    Dec  9 16:21:58 Framework: Updating session timeout (599999940) in response for user 'mass' from profile 'RADIUS-SERVER'
    Dec  9 16:21:58 Framework: Updating idle timeout (10) in response for user 'mass' from profile 'RADIUS-SERVER'

    SRX> show security ipsec security-associations detail | match 172.19.21.1    
    Dec 09 16:28:06
      Remote Identity: ipv4(any:0,[0..3]=172.19.21.1)

    SRX> show security ipsec security-associations detail | match 172.19.21.1    
    Dec 09 16:29:15
      Remote Identity: ipv4(any:0,[0..3]=172.19.21.1)

    SRX> show security ipsec security-associations detail | match 172.19.21.1    
    Dec 09 16:30:49
      Remote Identity: ipv4(any:0,[0..3]=172.19.21.1)

    SRX>
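
    The vpntrace excerpt above is the most useful evidence in the thread: the "Framework: Updating idle timeout (10)" and "Updating session timeout (599999940)" lines show exactly which values the SRX applied to the user after the RADIUS exchange, so the question "is my 5-minute policy actually in force?" can be answered from the log rather than by waiting for Pulse to drop. The following is an added example, not code from the thread or from Juniper: it parses those Framework lines per user (the latest values win, so a re-authentication is reflected) and flags users whose applied idle timeout exceeds the required 5 minutes. The idle value is treated as minutes, the unit of client-idle-timeout in this thread; the unit of the session value is not stated on the page, so it is only compared against a ceiling the caller supplies. The sample log is constructed: the 'mass' lines mirror the values shown above, while the user 'alice' and her values are made up to show a compliant case.

```python
"""Audit the AAA timeouts an SRX applied to dynamic VPN users.

Added example, not from the forum thread: parses the authd 'Framework'
lines from 'show log vpntrace' and checks them against the idle-timeout
policy the thread is trying to enforce.
"""
import re
from typing import Dict, Optional

# 'Framework: Updating idle timeout (10) in response for user 'mass' from profile 'RADIUS-SERVER''
TIMEOUT_RE = re.compile(
    r"Framework: Updating (?P<kind>idle|session) timeout \((?P<value>\d+)\) "
    r"in response for user '(?P<user>[^']+)' from profile '(?P<profile>[^']+)'"
)


def parse_applied_timeouts(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return, per user, the latest idle/session timeout the SRX applied."""
    users: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if not m:
            continue
        entry = users.setdefault(m.group("user"),
                                 {"profile": m.group("profile"), "idle": None, "session": None})
        entry[m.group("kind")] = int(m.group("value"))   # later lines overwrite earlier ones
        entry["profile"] = m.group("profile")
    return users


def audit_timeouts(log_text: str, max_idle_minutes: int = 5,
                   max_session: Optional[int] = None) -> Dict[str, Dict[str, object]]:
    """Flag users whose applied timeouts do not meet the required policy.

    idle is compared in minutes (the unit of client-idle-timeout). The session
    value is compared against max_session only when the caller supplies one,
    since its unit is not given in the log; otherwise it is just reported.
    """
    result: Dict[str, Dict[str, object]] = {}
    for user, e in parse_applied_timeouts(log_text).items():
        idle, session = e["idle"], e["session"]
        idle_ok = idle is not None and idle <= max_idle_minutes
        session_ok = True if max_session is None else (session is not None and session <= max_session)
        result[user] = {**e, "idle_ok": idle_ok, "session_ok": session_ok,
                        "compliant": idle_ok and session_ok}
    return result


# Constructed sample: 'mass' mirrors the thread's values, 'alice' is invented.
SAMPLE_VPNTRACE = """\
Dec  9 16:21:40 authd_radius_build_basic_auth_request: got params  profile=RADIUS-SERVER, username=mass
Dec  9 16:21:41 Framework: Updating session timeout (599999940) in response for user 'mass' from profile 'RADIUS-SERVER'
Dec  9 16:21:41 Framework: Updating idle timeout (10) in response for user 'mass' from profile 'RADIUS-SERVER'
Dec  9 16:25:03 authd_radius_build_basic_auth_request: got params  profile=RADIUS-SERVER, username=alice
Dec  9 16:25:03 Framework: Updating session timeout (480) in response for user 'alice' from profile 'RADIUS-SERVER'
Dec  9 16:25:03 Framework: Updating idle timeout (5) in response for user 'alice' from profile 'RADIUS-SERVER'
"""

if __name__ == "__main__":
    for user, r in audit_timeouts(SAMPLE_VPNTRACE, max_idle_minutes=5).items():
        status = "OK " if r["compliant"] else "BAD"
        print(f"{status} {user}: idle={r['idle']} session={r['session']} profile={r['profile']}")
```

    Run against the real vpntrace, this tells you whether the 10-minute idle value the log shows for 'mass' is what the profile is handing out (it is, here, because the profile says client-idle-timeout 10) and whether a RADIUS attribute is overriding the locally configured value; either way, the log line is the thing to compare with the configuration before concluding the feature does not work.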



  • 14.  RE: Dynamic VPN idle timeout

    Posted 02-15-2015 12:57

    Please try this command:

     

    set access profile test session-options client-session-timeout 5

     

    It should work.

    client-session-timeout

    Syntax: client-session-timeout minutes;

    Hierarchy Level: [edit access profile profile-name session-options]

    Release Information: Statement introduced in Junos OS Release 8.5.

    Description: (MX Series and SRX Series devices) Specify the amount of time after which user sessions are terminated, regardless of user activity (also known as a forced or hard authentication timeout).