Date:      Thu, 03 Jul 2003 00:18:02 -0700
From:      "Philip J. Koenig" <pjklist@ekahuna.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: ssh keepalives
Message-ID:  <20030703071803206.AAA1059@empty1.ekahuna.com@dyn205.ekahuna.com>
In-Reply-To: <20030702145202.1833A37B401@hub.freebsd.org>


> Date: Wed, 2 Jul 2003 15:04:51 +0200
> From: Christian Stigen Larsen <csl@sublevel3.org>
> 
> Quoting Steve Coile (scoile@nandomedia.com):
> | On Tue, 1 Jul 2003, Philip J. Koenig wrote:
> | > I'm having a problem with premature termination of ssh sessions [...]
> | 
> | Is this a common problem with firewalls?  We suffer from this problem
> | here, also, and I've thought it must be a misconfiguration with the
> | firewall or elsewhere in the network.  But since you mentioned it,
> | I'm rethinking my assessment.
> 
> As Michal F. Hanula said, it might be due to the firewall dropping idle TCP
> connections.


I'm quite sure this is the case, and I know this is a characteristic 
of the stateful firewalls on both sides. (which I administer)

One of those firewalls is quite flexible about protocol state 
timeouts, I can set this on a service-by-service basis. (i.e. I could 
increase it for SSH and no other service)

Unfortunately the firewall on the other side isn't so accommodating.  
It has a single timeout setting that affects all traffic that 
traverses the firewall, and I'd rather not increase that too high.



> At work I use PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) for
> my outbound ssh sessions, and it supports a useful option:
> 
> 	"Sending of null packets to keep session active"
> 
> Setting this to, say, 60 seconds effectively prevents my sessions from being
> cut off.  Unfortunately I haven't found any similar feature in the OpenSSH
> clients.  Do they support such a feature?


I've used that feature with PuTTY and it's handy.  As far as I can 
tell there is no equivalent in OpenSSH.  The "KeepAlive" feature 
appears to be used primarily to detect if a connection has died due 
to a broken link. (probably the thing that allows the client to 
report "connection reset by peer" right away without sitting there 
for an hour before figuring it out)



-- 
Philip J. Koenig                                       
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for 
the New Millenium



