ASA 5540 kills SSH sessions through the firewall

Answered Question
Apr 14th, 2009

I have a Unix user that SSH's from the inside network to a Server in the DMZ network. If he leaves it idle the SSH session is killed by the firewall. Is there a way to tell the ASA not to kill SSH sessions through the firewall that are idle?

Correct Answer
cisco24x7 Tue, 04/14/2009 - 07:03

There are two solutions to this:

1- increase the tcp idle connection on the ASA. The command is "timeout xxxx" or something like that. Check the documentation.

2- enable ssh keep-alive in SSH server itself. In the /etc/ssh/sshd_config configuration of the SSH server, uncomment this line:

#KeepAlive yes

then restart the ssh server. With option #2, you do not have to involve the Firewall guy.

Easy right?

Joshua Engels Wed, 04/15/2009 - 04:47

Okay, option 1 worked for us. Increased the "timeout conn 01:00:00" to 2 hours and it worked. That is what I was looking for so I appreciate the response.

Thanks!

yuri_slobodyanyuk Tue, 04/14/2009 - 22:08

Every SSH client has an option to enable keep-alive; this will send a nop command every so many seconds and keep the connection alive.

On a Linux ssh client machine, put it here:

/etc/ssh/ssh_config

ServerAliveInterval

In Putty (Windows) you go to

Connection -> Sending of null packets to keep session alive -> put value in seconds
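Added example, not posted by anyone in this thread: a small POSIX sh check that ties the two fixes together, converting an ASA "timeout conn" value (hh:mm:ss, as in the reply above) to seconds and reading ServerAliveInterval from ssh_config text (seconds) to tell whether a keepalive will reset the firewall's idle timer before it expires. The sample ssh_config contents and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a client-side SSH
# keepalive will reset an ASA "timeout conn" idle timer before it expires.
# ASA writes the timer as hh:mm:ss; OpenSSH's ServerAliveInterval is in seconds.

# Convert an ASA hh:mm:ss value (e.g. "01:00:00") to seconds.
asa_timeout_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1*3600 + $2*60 + $3 }'
}

# Read ssh_config text on stdin and print the effective ServerAliveInterval.
# Assumes the "Keyword value" form; the first occurrence wins, as in OpenSSH.
# A commented-out or missing keyword yields 0, OpenSSH's default (no keepalives).
server_alive_interval() {
    awk 'tolower($1) == "serveraliveinterval" && v == "" { v = $2 }
         END { print (v == "" ? 0 : v) }'
}

# Succeeds only if keepalives are enabled and arrive before the idle timer fires.
keepalive_beats_timeout() {
    kb_interval=$1
    kb_timeout=$2
    [ "$kb_interval" -gt 0 ] && [ "$kb_interval" -lt "$kb_timeout" ]
}

# Constructed sample client config for the demonstration.
SAMPLE_SSH_CONFIG='Host *
    ServerAliveInterval 300
    ServerAliveCountMax 3'

check_sample() {
    cs_interval=$(printf '%s\n' "$SAMPLE_SSH_CONFIG" | server_alive_interval)
    cs_timeout=$(asa_timeout_seconds "01:00:00")   # the 1 hour value quoted in the thread
    if keepalive_beats_timeout "$cs_interval" "$cs_timeout"; then
        echo "keepalive every ${cs_interval}s resets the ${cs_timeout}s idle timer: session survives"
    else
        echo "no effective keepalive: idle session is dropped after ${cs_timeout}s"
    fi
}

check_sample
```

Raising "timeout conn" changes the idle timer for every TCP connection the ASA tracks, so stale state lingers for all flows, whereas a keepalive touches only the SSH sessions that send it.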
