network-extension keep-alive enable

Function

The network-extension keep-alive enable command enables the keeping alive function of the network extension.

The undo network-extension keep-alive enable command disables the keeping alive function of the network extension.

Format

network-extension keep-alive enable

undo network-extension keep-alive enable

Parameters

None

Views

Function service view

Default Level

2: Configuration level

Usage Guidelines

By default, the keeping alive function of the network extension is enabled.

Application Scenarios

After enabling the network extension function on the client, if you do not operate the client within a specified period or send any traffic to the FW, the network extension connection between the client and FW will be torn down due to SSL session timeout or aging of the HTTPS session from the client to the FW. You can use the network extension function only after re-logging in to or re-connecting the client to the FW. The keepalive function of network extension keeps the connection between the client and FW alive, preventing the preceding problem.

The default timeout period of SSL sessions is 5 minutes. You can run the ssl timeout command to adjust the timeout period. The default aging time of HTTPS sessions is 10 minutes. You can run the firewall session aging time command to adjust the aging time.

After an SSL session times out, the SSL VPN user is forced offline; the SSL connection between the client and FW is torn down; and the corresponding HTTPS session on the FW is aged. In this case, the client must re-log in for the use of the network extension function.

If the SSL session timeout period is longer than the HTTPS session aging time, after the HTTPS session from the client to the FW is aged, the SSL VPN user on the FW will not be forced offline. In this case, the client does not need to re-log in. It only needs to re-initiate a connection to the FW (for example, refreshing the SSL VPN login page) to use the network extension service.

Configuration Impact

After the keepalive function of network extension is enabled, the client periodically sends keepalive packets to the FW. After receiving a keepalive packet, the FW resets the counting on the SSL session timeout period and HTTPS session aging time. In this manner, the network extension connection between the client and FW will not be torn down due to session timeout or aging.

After the keepalive function of network extension is enabled, if a fault occurs on the network between the client and FW, the client does not receive any response after sending keepalive packets. After a while, the client takes either of the following actions (if the keepalive function of network extension is disabled, the client does not take any action):

If a network extension independent client is used, the client automatically re-initiates a connection.
If a browser is used for the network extension function, the browser displays a message, indicating the disconnection from the VPN gateway.

Follow-up Procedure

Run the network-extension keep-alive interval command to adjust the interval at which the client sends keepalive packets.

Example

# Enable the keeping alive function of the network extension.

<sysname> system-view
[sysname] v-gateway gateway
[sysname-gateway] service
[sysname-gateway-service] network-extension keep-alive enable