set X-CSTP-{Lease-Duration,Session-Timeout,Session-Timeout-Remaining} headers as Cisco servers appear to set them
Old Cisco docs don't appear to accurately describe the behavior of
Session-Timeout or Lease-Duration, but do identify their maximum values
as 1209600 seconds (14 days):
https://www.cisco.com/assets/sol/sb/RV345P_Emulators/RV345P_Emulator_v1-0-01-17/help/help/t_SSL_VPN.html
Examples of newly-authenticated sessions from Cisco servers:

- openconnect#43 (comment 177677716): Session-Timeout and Session-Timeout-Remaining have the same value.
- https://www.mail-archive.com/openconnect-devel@lists.infradead.org/msg00968.html: Session-Timeout and Session-Timeout-Remaining are none, however Lease-Duration is set, with the maximum value.

I don't understand why Session-Timeout is sometimes unset, while Lease-Duration is set. It's not necessary to reproduce this inconsistency in ocserv, though the OpenConnect client should interpret Lease-Duration as a fallback if Session-Timeout is none or missing. (See openconnect!156 (merged).)

My own testing of reconnected sessions (on a newer Cisco server supporting DTLS 1.2) shows that Session-Timeout-Remaining will have a value less than Session-Timeout, such that the expiration timestamp remains constant from one reconnection to the next.
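
The header behavior described above, as an added example that is not code from ocserv or OpenConnect: a server-side computation of Session-Timeout-Remaining that keeps the expiration timestamp constant across reconnections, and a client-side reading that falls back to Lease-Duration when Session-Timeout is none or missing. The function names, the preference order among the three headers, and the clamping of values to the 14-day maximum are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CSTP_MAX_SECS 1209600L /* 14 days: maximum cited from the old Cisco docs */

/* Parse one header value. NULL (header missing), "", "none", negative or
 * malformed input means "unset" (-1). Clamping to the maximum is an assumption. */
static long cstp_secs(const char *v)
{
    char *end;
    long n;

    if (v == NULL || *v == '\0' || strcmp(v, "none") == 0)
        return -1;
    n = strtol(v, &end, 10);
    if (*end != '\0' || n < 0)
        return -1;
    return n > CSTP_MAX_SECS ? CSTP_MAX_SECS : n;
}

/* Client side: absolute expiry time, or 0 when no header gives one.
 * Preference order is an assumption of this example. */
static time_t cstp_expiry(time_t now, const char *timeout,
                          const char *remaining, const char *lease)
{
    long s = cstp_secs(remaining);

    if (s < 0) s = cstp_secs(timeout);
    if (s < 0) s = cstp_secs(lease);
    return s < 0 ? (time_t)0 : now + s;
}

/* Server side: seconds left at time `now` for a session that was authenticated
 * at `start` with `timeout` seconds allowed; never negative. */
static long cstp_remaining(time_t start, long timeout, time_t now)
{
    long left = timeout - (long)(now - start);
    return left < 0 ? 0 : left;
}

int main(void)
{
    char rem[32];
    /* Constructed sample: authenticated at t=1000, reconnecting at t=1600. */
    snprintf(rem, sizeof rem, "%ld", cstp_remaining(1000, 3600, 1600));
    printf("remaining=%s expiry=%ld\n", rem,
           (long)cstp_expiry(1600, "3600", rem, NULL));
    return 0;
}
```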