How do you disconnect a vpn user after a period of inactivity?

I'm new to Cisco routers and using the ASDM interface.
VPN users are connecting fine but I need to find a way to disconnect them automatically after a certain number of minutes.

I've adjusted
Group Policies > AnyConnectClientPolicy > Advanced > SSL VPN Client > Keepalive setting to 20 secs

But that didn't seem to trigger any event for a test user.

Thoughts on what I'm doing wrong?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Justin EllenbeckerIT DirectorCommented:
The keep alive is how often a keep alive will be sent so it will never time out.  You want to disable keep alives and then I think the Cisco default is to disconnect after 30 minutes of inactivity.
Justin EllenbeckerIT DirectorCommented:
In ASDM you should be able to set the Maximum Connected time and Idle Timeout on the General Tab of the Group Policy you are working with.  It may be set to inherit, from there you can specify them if you so choose.
ShawnGrayAuthor Commented:
Some progress.  The "max connected time" works but thats a little abrupt for users.

The "Idle Timeout" doesn't seem to do what I expect.  I set it for 1 minute, made my connection and did nothing for 2½ minutes but it maintained the connection.  Not certain how it defines "Idle".
Justin EllenbeckerIT DirectorCommented:
Idle means no traffic at all, turn your keep alive up to over about 10 seconds over the idle timer.  Sometimes there is no way to though to stop a machine from pinging or sending packets that are supposed to be encrypted and the ACL picks up.  We have our VPN set for 4 hour max connection all of our users were made aware of this and since they just RDP to their desktops in the office there is no real concern with the connection dropping.  You would almost have to wireshark the VPN connection while it is up and see what it is sending across, like I said it only takes one packet for it to not be considered "Idle"

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ShawnGrayAuthor Commented:
Those are good points.  Thank you for the quick thorough reply.  Take care.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.