Changing VTY Timeouts

Problem

You want to prevent your Telnet session from timing out.

Solution

To prevent Telnet (or SSH) sessions from timing out, use the following command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#exit
Router1(config)#end
Router1#

You can use this same command to simply increase the EXEC timeout to a large value, such as three hours, as follows:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#exec-timeout 240 0
Router1(config-line)#exit
Router1(config)#end
Router1#

 

Discussion

By default, the router will terminate an EXEC session after 10 minutes of inactivity. Often administrators find that 10 minute inactivity timers are a nuisance and dislike having to log in to a router several times throughout the day. So Cisco provides a way to modify or disable the inactivity timer. It is important to note that this affects only timeouts due to inactivity. In Recipe 3.11, we discuss a way to disconnect sessions after a specified length of time whether they are active or not.

The exec-timeout command has two arguments:

Router1(config-line)#exec-timeout 240 0

The first argument is the length of time in minutes, and the second argument is seconds. This allows you to specify a timeout period as short as one second or as long as 35,791 minutes, which is over 24 days.

The first example shows how to disable the inactivity timer altogether, by setting the timeout values to zero. There are a few drawbacks to disabling the EXEC timeout that you should bear in mind. First, since the router provides only five VTYs for remote access by default, forgotten sessions can easily block available VTYs until service is completely blocked. Second, sessions that do not terminate correctly, for example when a workstation crashes, can cause VTY sessions to remain active indefinitely.

To prevent dead sessions from needlessly occupying VTY ports, use the service tcp-keepalives configuration command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service tcp-keepalives-in
Router1(config)#end
Router1#

TCP keepalives will ensure that the far end is up and active; otherwise, it will terminate the session regardless of the inactivity timer. If you choose to disable the inactivity timer, then we strongly recommend using the TCP keepalive command.

You can see your current session's inactivity timer with the show terminal EXEC command:

Router1#show terminal 
Line 68, Location: "", Type: "VT100"
Length: 43 lines, Width: 95 columns
Baud rate (TX/RX) is 9600/9600
Status: PSI Enabled, Ready, Active, No Exit Banner, Automore On
Capabilities: none
Modem state: Ready
Group codes: 0
Special Chars: Escape Hold Stop Start Disconnect Activation
 ^^x none - - none 
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
 never never none not set

The second example sets the inactivity timer to three hours. This tends to be safer than completely disabling the timer because it will eventually terminate all sessions. However, please check your local security policies to ensure that your inactivity timers are set within your organizational guidelines. Many organizations mandate a 15-minute inactivity timer for all types of electronic access to ensure that you do not leave authenticated sessions available to intruders. The NSA recommends an inactivity timer of no more than five minutes.

See Also

Recipe 3.11; Recipe 3.14





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net