Another finding here.
I just changed the timeouts to be like this, meaning that I have 5 minutes of 
inactivity and 1 hour of absolute timeouts.

timeout uauth 0:5:0 inactivity uauth 1:0:0 absolute

Then I authenticate and see the following on the ASA:

ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'telnetuser' at 10.0.0.100, authenticated
   access-list #ACSACL#-IP-CTP_ICMP_ACL-50074fcb (*)
   absolute   timeout: 1:00:00
   inactivity timeout: 0:05:00

My problem is that after 5 minutes of NOT sending any traffic that is in the 
"aaa authentication match" ACL, the uauth session is still active and will 
time out after an hour.

Eugene

From: Eugene Pefti
Sent: Thursday, July 19, 2012 4:03 PM
To: CCIE Security Maillist
Subject: absolute and inactivity timers in ASA CTP

Folks,
Has anyone tried to play with the absolute and inactivity timers in ASA while 
it works as a cut-through proxy?
I'm having an interesting situation here.

The user authenticated on ASA via HTTPS and then started SSH session to a 
switch behind the firewall. I'm having this SSH session open and seeing the 
continuous output from "debug ip icmp" while pinging this switch. Then I log out 
the user and can't start a new SSH session to the same switch, which is good and 
expected. But....
The first SSH session to the switch is still active and it doesn't time out. I'm 
trying to adjust uauth timers on the firewall and see the following:

ASA1(config)# timeout uauth ?

configure mode commands/options:
  <0:0:0> - <1193:0:0>  Idle time after which an authentication will no longer
                        be cached and the user will need to re-authenticate on
                        their connection, default is 0:05:00. The default uauth
                        timer is absolute.

Does it mean that I can change the default timer from absolute to inactivity? 
How would I make the previous session time out?

Eugene
