I have one problematic user (luckily it's just one for now). His biggest issue is that he can't reconnect to the sign-in page without clearing all his temp files.
What I think is happening is he's not disconnecting correctly or his cookies are not being deleted on sign-off. We have the start page on login changed to our external website because the NC Start button was confusing the users (NC starts on login). So after he logs off, if he tries to log in, instead of the sign-in page he gets the external website.
To resolve this and to stave off future problems I flipped on the Cache Cleaner. I'm really only concerned with the users having no Juniper files that could screw up the connection process so on start-up and shut down are really the only times I need it running but I want to automate it to make it easier for the users.
Currently, it's set to realm level enforcement. The Cleaner Frequency is 60 minutes and Status Update is 60. Login activity timeout is also set to 60. The idle timeout is 120 minutes and the session length is 720 minutes. Persistent sessions are also enabled.
Now the problem is this user has been getting timeouts from the Cache Cleaner about every hour (System process detected a Cache Cleaner time out on host blah blah blah) since I enabled Cache Cleaner. I can't see where the settings are crossing. This is one of our power users (he thinks the session timeout should be removed completely) and is always working so he's not hitting the idle limit as far as I can tell.
Does anyone have any suggestions or thoughts on how to configure this or why it's happening?
You can remove the NC start button from the bookmarks page by navigating to Users-> User Roles-> [rolename]-> General-> UI Options, and check Client Application Sessions under User toolbar.
I don't really have a suggestion for your timeout issue, I have mine set to the following:
cachecleaner frequency: 15min
status update frequency: 15min
client-side process inactivity timeout: 60min
hostchecker every 13min
client-side process inactivity timeout: 20min
My role timeout values are:
idle timeout: 30min
max length: 1439min
Idle timeout application activity Disabled (count application traffic)
Originally my max session length wasn't 1day minus 1minute, but every time I raised it: 4hrs to 6hrs to 10hrs, I would then bump into it again, so I just pushed it out to 1day minus 1minute...
Under normal circumstances (only a single active NIC with no lease expiration issues, a single NC tunnel, and use of well-behaved applications), I have not had any issues with NC timeouts occurring when I've been in the middle of an active ssh connection via the NC tunnel.
However, I have found that if you try to confuse NC by opening the Cisco VPN client and connect via Safari to the same IVE but a different realm, use a combination of Terminal Services' bookmarks and straight RDP connections, then I HAVE seen the activity monitor ignore any and all traffic across the NC tunnel: both app traffic and mouse/keyboard traffic, and the only way to keep the connection open is to click on Continue every time the idle timer expires. Once this happens, the least invasive fix I've found is to log out of the local client pc, terminating the NC connection.
One more thing you can do for that power user is have them use the Juniper Network Connect client, instead of [favorite browser] to login. This will remove a piece (the browser) of the timeout puzzle.
Thanks for the info Stine.
Luckily the problem seems to have disappeared with some changes in our DNS suffixes. I'd still like to use the Cache Cleaner on a regular basis but I'll have to set up a test realm. The information you gave is a big help though. With it I hope I can sort out a decent test realm and get things rolling.
So after months of other projects I've finally gotten back to the VPN. We've started implementing the Cache Cleaner on our realms. I have one realm live with the changes and another 2 ready to go next week. I had a group of testers using my test realm with no issues. Now with the one realm live and more people on it, I'm starting to see some disconnects. I'm wondering if anyone would double check my numbers to make sure everything is right.
What we are aiming for are the timeout settings for the Role. What I want the Cache Cleaner to do is to give the user a clean slate on startup to the IVE. I've been getting reports that users are getting kicked off after an hour and not the 2 hour idle limit. And sometimes in the middle of things.
Idle Timeout - 120 min
Max Session - 720 min
Reminder - 30 min
Idle timeout application activity - disabled
Cache Cleaner (under Endpoint Security)
Cleaner Frequency - 15 min
Status Update - 60 min
Client side process - 60 min
Cache Cleaner - Load and enforce
Any help would be greatly appreciated.
Does anyone have any insight to this? I can go back and say because of the new Cache Cleaner the timeouts have now changed, but management (and the users) aren't going to like it.
In a perfect world, I'd like to have a 2 hour idle and 12 hour session limit and have the Cache Cleaner only run at login and log off. Is that even possible?