ASA 5540 kills SSH sessions through the firewall

Answered Question
Apr 14th, 2009

I have a Unix user who SSHes from the inside network to a server in the DMZ network. If he leaves it idle, the SSH session is killed by the firewall. Is there a way to tell the ASA not to kill SSH sessions through the firewall that are idle?

Correct Answer by cisco24x7, Tue, 04/14/2009 - 07:03

There are two solutions to this:

1- Increase the TCP idle connection timeout on the ASA. The command is "timeout xxxx" or something like that. Check the documentation.

2- Enable SSH keep-alive in the SSH server itself. In the /etc/ssh/sshd_config configuration of the SSH server, uncomment this line:

#KeepAlive yes

then restart the SSH server. With option #2, you do not have to involve the firewall guy.

Easy right?

Joshua Engels Wed, 04/15/2009 - 04:47

Okay, option 1 worked for us. Increased the "timeout conn 01:00:00" to 2 hours and it worked. That is what I was looking for so I appreciate the response.

Thanks!

yuri_slobodyanyuk Tue, 04/14/2009 - 22:08

Every SSH client has an option to enable keep-alive; this will send a nop command every so many seconds and keep the connection alive.

On a Linux ssh client machine, put it here:

/etc/ssh/ssh_config

ServerAliveInterval

In PuTTY (Windows) you go to

Connection -> Sending of null packets to keep session alive -> put value in seconds
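Both answers come down to the same check: the keepalive interval on the SSH side has to be shorter than the ASA's idle timer, and raising that timer (as in the accepted fix) keeps every idle TCP flow, not just SSH, in the connection table for longer, so the per-session keepalive is the narrower change. The following Python is an added example, not code from the thread or from Cisco; it reads a `timeout conn hh:mm:ss` line out of constructed ASA running-config text and an OpenSSH option out of constructed ssh_config text and reports whether the keepalive fires in time (the defaults it assumes, ASA 1:00:00 and OpenSSH 0 = disabled, are the documented ones).

```python
import re

# Constructed sample configs (not taken from the thread).
ASA_RUNNING_CONFIG = """
hostname fw-dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
"""

SSH_CLIENT_CONFIG = """
# /etc/ssh/ssh_config (constructed)
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
"""


def asa_conn_timeout_seconds(config: str) -> int:
    """Parse 'timeout conn hh:mm:ss' from an ASA running config into seconds.
    0 means idle TCP connections are never timed out; if the line is absent
    the ASA default of 1:00:00 applies."""
    m = re.search(r"^timeout conn (\d+):(\d{2}):(\d{2})", config, re.MULTILINE)
    if not m:
        return 3600
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def ssh_option(config: str, name: str, default: int) -> int:
    """Return an integer OpenSSH option from ssh_config or sshd_config text,
    skipping commented-out lines; 'default' is used when it is not set."""
    m = re.search(rf"^\s*{name}\s+(\d+)", config, re.MULTILINE | re.IGNORECASE)
    return int(m.group(1)) if m else default


def keepalive_covers_timeout(asa_config: str, ssh_config: str,
                             option: str = "ServerAliveInterval") -> bool:
    """True when keepalives fire before the ASA idle timer expires.
    Use option='ClientAliveInterval' to check the sshd side instead;
    OpenSSH's default for both options is 0, i.e. disabled."""
    idle = asa_conn_timeout_seconds(asa_config)
    interval = ssh_option(ssh_config, option, 0)
    if idle == 0:
        return True   # firewall never drops idle connections
    if interval == 0:
        return False  # no application-layer keepalive configured
    return interval < idle
```

A commented-out `#KeepAlive yes` or `#ServerAliveInterval 60` is treated as unset, which is exactly the state the thread's fixes are correcting.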
