Cisco ASA Series Cli Configuration Manual page 1685

Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might
remain in the session database, even though a "new" session has been established with the same
username.
If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal
termination, then the stale session is removed from the database and the new session is established. If,
however, the existing session is still an active connection and the same user logs in again, perhaps from
another PC, the first session is logged off and removed from the database, and the new session is
established.
If the number of simultaneous logins is a value greater than 1, then, when you have reached that
maximum number and try to log in again, the session with the longest idle time is logged off. If all
current sessions have been idle an equally long time, then the oldest session is logged off. This action
frees up a session and allows the new login.
Restricting Access to a Specific Connection Profile
Specify whether to restrict remote users to access only through the connection profile, using the
group-lock command in group-policy configuration mode.
hostname(config-group-policy)# group-lock {value tunnel-grp-name | none}
hostname(config-group-policy)# no group-lock
hostname(config-group-policy)#
The tunnel-grp-name variable specifies the name of an existing connection profile that the ASA requires
for the user to connect. Group-lock restricts users by checking if the group configured in the VPN client
is the same as the connection profile to which the user is assigned. If it is not, the ASA prevents the user
from connecting. If you do not configure group-lock, the ASA authenticates users without regard to the
assigned group. Group locking is disabled by default.
To remove the group-lock attribute from the running configuration, enter the no form of this command.
This option allows inheritance of a value from another group policy.
To disable group-lock, enter the group-lock command with the none keyword. The none keyword sets
group-lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a
group-lock value from a default or specified group policy
Specifying the Maximum VPN Connection Time in a Group Policy
Step 1
Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command
in group-policy configuration mode or in username configuration mode.
hostname(config-group-policy)# vpn-session-timeout {minutes | none}
hostname(config-group-policy)#
The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value.
At the end of this period of time, the ASA terminates the connection.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the
none keyword instead of specifying a number of minutes with this command. Specifying the none
keyword permits an unlimited session timeout period and sets session timeout with a null value, which
disallows a session timeout.
The following example shows how to set a VPN session timeout of 180 minutes for the group policy
named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
Cisco ASA Series CLI Configuration Guide
Group Policies
1-51