

# AWS Client VPN maximum VPN session duration timeout

AWS Client VPN provides several options for the maximum VPN session duration, which is the maximum time allowed for a client connection to the Client VPN endpoint. You can configure a shorter maximum VPN session duration to help meet security and compliance requirements. By default, the maximum VPN session duration is 24 hours. Once you set the maximum session duration, you can control what happens with that session when that timeout is reached. The disconnect on session timeout option allows you to terminate the session or to automatically attempt a reconnection to the endpoint. Terminating a session allows you more control over endpoint security by enforcing maximum VPN session duration. If a session is set to terminate when the maximum time is reached, users will need to reconnect and provide their authentication credentials in order to re-establish the VPN connection. 

When disconnect on session timeout is set to automatically reconnect, and the maximum session time is reached:
+ a new session is automatically established in the case of cached user credentials (Active Directory) or certificate-based authentication (Mutual Authentication). To fully disconnect and not automatically reconnect, these users should manually disconnect. 
+ a new session is not automatically established in the case of federated authentication (SAML). These users must authenticate again after session timeout expiration to re-establish the VPN connection.

**Note**  
When the maximum VPN session duration value is decreased from its current value, any active VPN sessions that have been connected to the endpoint for longer than the newly set duration are disconnected.
Changing the disconnect on session timeout option applies the new setting to any currently open sessions.

## Configure the maximum VPN session during creation of an AWS Client VPN endpoint

The duration of a VPN session is configured during the creation of a Client VPN endpoint. See [Create an AWS Client VPN endpoint](cvpn-working-endpoint-create.md) for the steps to create a Client VPN endpoint and set the maximum session duration.

**Topics**
+ [Configure the maximum VPN session during creation of an endpoint](#configure-max-duration-endpoint-creation)
+ [View current maximum VPN session duration](display-max-duration.md)
+ [Modify the maximum VPN session duration](modify-max-timeout.md)

# View AWS Client VPN current maximum VPN session duration

Use the following steps to view the current Client VPN maximum VPN session duration.

**View current maximum VPN session duration for a Client VPN endpoint (console)**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Client VPN Endpoints**.

1. Select the Client VPN endpoint that you want to view.

1. Verify that the **Details** tab is selected.

1. View the current maximum VPN session duration next to **Session timeout hours**, and check whether **Disconnect on timeout** is enabled or disabled.

**View current maximum VPN session duration for a Client VPN endpoint (AWS CLI)**  
Use the [describe-client-vpn-endpoints](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-client-vpn-endpoints.html) command.

# Modify the maximum AWS Client VPN session duration and timeout behavior

Use the following steps to modify an existing Client VPN maximum VPN session duration and change the disconnect on session timeout behavior.

**Modify an existing maximum VPN session duration for a Client VPN endpoint (console)**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Client VPN endpoints**.

1. Select the Client VPN endpoint that you want to modify, choose **Actions**, and then choose **Modify Client VPN Endpoint**.

1. For **Session timeout hours**, choose the desired maximum VPN session duration time in hours.

1. For **Disconnect on session timeout**, choose whether to disconnect a session when the maximum session timeout is reached. By default, this is turned off the first time you modify an endpoint.

1. Choose **Modify Client VPN endpoint**.

**Modify an existing maximum VPN session duration for a Client VPN endpoint (AWS CLI)**  
Use the [modify-client-vpn-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-client-vpn-endpoint.html) command.
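
The following added example (not part of the original AWS documentation) audits the JSON output of `describe-client-vpn-endpoints` against a session policy and prints the matching `modify-client-vpn-endpoint` command for each endpoint that is out of policy. The function name `audit`, the 12-hour policy, the sample endpoint IDs, and the handling of a missing `DisconnectOnSessionTimeout` field are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws ec2 describe-client-vpn-endpoints --output json`.
# The endpoint IDs are placeholders, not real resources.
SAMPLE = json.loads("""
{"ClientVpnEndpoints": [
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE1", "SessionTimeoutHours": 24,
   "DisconnectOnSessionTimeout": false,
   "AuthenticationOptions": [{"Type": "certificate-authentication"}]},
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE2", "SessionTimeoutHours": 8,
   "DisconnectOnSessionTimeout": false,
   "AuthenticationOptions": [{"Type": "federated-authentication"}]},
  {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE3", "SessionTimeoutHours": 12,
   "DisconnectOnSessionTimeout": true,
   "AuthenticationOptions": [{"Type": "directory-service-authentication"}]}
]}
""")

def audit(described, max_hours=12):
    """Return one finding per endpoint that violates the session policy."""
    findings = []
    for ep in described.get("ClientVpnEndpoints", []):
        ep_id = ep.get("ClientVpnEndpointId", "<unknown>")
        hours = ep.get("SessionTimeoutHours", 24)  # documented default is 24 hours
        # Assumption: a missing flag is treated as "disconnect not enforced".
        disconnect = ep.get("DisconnectOnSessionTimeout", False)
        auth = {o.get("Type") for o in ep.get("AuthenticationOptions", [])}
        # With auto-reconnect, only SAML users have to authenticate again.
        silent = not disconnect and "federated-authentication" not in auth
        issues = []
        if hours > max_hours:
            issues.append(f"session timeout {hours}h exceeds policy of {max_hours}h")
        if silent:
            issues.append("reconnects at timeout without re-authentication")
        if issues:
            fix = (f"aws ec2 modify-client-vpn-endpoint --client-vpn-endpoint-id {ep_id}"
                   f" --session-timeout-hours {min(hours, max_hours)}"
                   " --disconnect-on-session-timeout")
            findings.append({"id": ep_id, "issues": issues, "fix": fix})
    return findings

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE
    for f in audit(data):
        print(f["id"], "; ".join(f["issues"]), "->", f["fix"], sep="\n  ")
```

Pipe real CLI output into the script to audit an account. Because lowering the duration disconnects sessions older than the new value, review the printed commands before running them.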