Changing VTY Timeouts
Problem
You want to prevent your Telnet session from timing out.
Solution
To prevent Telnet (or SSH) sessions from timing out, use the following command:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#exit
Router1(config)#end
Router1#
You can use this same command to simply increase the EXEC timeout to a large value, such as three hours, as follows:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line vty 0 4
Router1(config-line)#exec-timeout 180 0
Router1(config-line)#exit
Router1(config)#end
Router1#
Discussion
By default, the router will terminate an EXEC session after 10 minutes of inactivity. Administrators often find the 10-minute inactivity timer a nuisance and dislike having to log in to a router several times throughout the day, so Cisco provides a way to modify or disable it. It is important to note that this affects only timeouts due to inactivity. In Recipe 3.11, we discuss a way to disconnect sessions after a specified length of time whether they are active or not.
The exec-timeout command has two arguments:
Router1(config-line)#exec-timeout 240 0
The first argument is the length of time in minutes, and the second argument is seconds. This allows you to specify a timeout period as short as one second or as long as 35,791 minutes, which is over 24 days.
The first example shows how to disable the inactivity timer altogether, by setting the timeout values to zero. There are a few drawbacks to disabling the EXEC timeout that you should bear in mind. First, since the router provides only five VTYs for remote access by default, forgotten sessions can easily block available VTYs until service is completely blocked. Second, sessions that do not terminate correctly, for example when a workstation crashes, can cause VTY sessions to remain active indefinitely.
To prevent dead sessions from needlessly occupying VTY ports, use the service tcp-keepalives-in global configuration command:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#service tcp-keepalives-in
Router1(config)#end
Router1#
TCP keepalives verify that the far end is still up and responding; if it is not, the router terminates the session regardless of the inactivity timer. If you choose to disable the inactivity timer, then we strongly recommend using the TCP keepalive command.
You can see your current session's inactivity timer with the show terminal EXEC command:
Router1#show terminal
Line 68, Location: "", Type: "VT100"
Length: 43 lines, Width: 95 columns
Baud rate (TX/RX) is 9600/9600
Status: PSI Enabled, Ready, Active, No Exit Banner, Automore On
Capabilities: none
Modem state: Ready
Group codes:    0
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               never        never                        none     not set
The second example sets the inactivity timer to three hours. This tends to be safer than completely disabling the timer because it will eventually terminate all sessions. However, please check your local security policies to ensure that your inactivity timers are set within your organizational guidelines. Many organizations mandate a 15-minute inactivity timer for all types of electronic access to ensure that you do not leave authenticated sessions available to intruders. The NSA recommends an inactivity timer of no more than five minutes.
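One way to check a saved configuration against such a policy, shown as an added example that is not part of the original recipe: this Python script reads the "line vty" blocks of a running-config, applies the 10-minute default where no exec-timeout statement is present, and reports disabled or over-limit timers. The function name audit_vty_timeouts, the 15-minute default limit, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
service tcp-keepalives-in
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
line vty 5 15
 exec-timeout 240 0
line vty 16 20
 login local
!
end
"""

IOS_DEFAULT_SECONDS = 10 * 60  # used when a line block has no exec-timeout statement


def audit_vty_timeouts(config, max_minutes=15):
    """Return (keepalives_in_enabled, findings) covering every 'line vty' block."""
    limit = max_minutes * 60
    keepalives = bool(re.search(r"^service tcp-keepalives-in\s*$", config, re.M))
    timeouts, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # any unindented line closes the previous block
            m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
            current = f"vty {m.group(1)} {m.group(2) or m.group(1)}" if m else None
            if current:
                timeouts[current] = IOS_DEFAULT_SECONDS
            continue
        m = re.match(r"\s+exec-timeout (\d+)(?: (\d+))?\s*$", raw)
        if current and m:  # ignore exec-timeout under console or aux lines
            timeouts[current] = int(m.group(1)) * 60 + int(m.group(2) or 0)
    findings = []
    for line, seconds in timeouts.items():
        if seconds == 0:
            note = "" if keepalives else " and service tcp-keepalives-in is missing"
            findings.append((line, "inactivity timer disabled" + note))
        elif seconds > limit:
            findings.append((line, f"timeout {seconds // 60} min exceeds {max_minutes} min"))
    return keepalives, findings


if __name__ == "__main__":
    for line, problem in audit_vty_timeouts(SAMPLE_CONFIG)[1]:
        print(f"line {line}: {problem}")
```

Passing max_minutes=5 applies the stricter five-minute limit mentioned above, under which lines left at the 10-minute default are reported as well.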
See Also
Recipe 3.11; Recipe 3.14