Remote SSH connection dropping

Unanswered Question
Sep 30th, 2006

Hello everyone,

I posted this in another forum but thought it would better fit here. I've got a Cisco 1721 that I've configured to allow external SSH connections into the router from the Internet on port 2922 (then translated to port 22).

For some reason, the SSH connection randomly gets dropped, most of the time in the middle of typing a command. I don't think it's related to the length of time, because I could not type anything (or type very little) and stay connected for a while. Once I start typing a bunch of commands, it will soon disconnect me. If I try doing a "show tech" I'll immediately get disconnected (even after connecting 5 seconds before). If I try from the LAN side, it works fine. Would this have something to do with the firewall or IDS?

I already tried "crypto key zeroize rsa" to regen my public key but that didn't help.

Any kind of help would be appreciated.

lgijssel Sat, 09/30/2006 - 23:59

Please try what happens when you remove the tcp keepalives:

no service tcp-keepalives-in

no service tcp-keepalives-out

Also, temporarily switch off the firewall and check what happens. I also have some comments about ACL 102, which are probably off topic but will help improve performance.

First of all, the list is too long. You can shorten it in the following ways:

ip route null0 and so on

Use IP routes to drop private IP source traffic instead of an ACL. This costs less in performance.

You should also put the lines that allow interesting traffic first in the config, i.e. TCP before ICMP. This prevents interesting traffic from being subjected to many checks.
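The configuration lgijssel describes, written out as an added example (constructed for this page, not posted in the thread): null routes for the RFC 1918 ranges, the keepalive lines removed for the test, and access list 102 reordered so the wanted traffic is matched first. The interface name, the 203.0.113.0/24 management prefix and the uRPF line are assumptions; with unicast RPF on the outside interface, the null routes also cause packets whose source address falls in those prefixes to be dropped, which is how the routes replace the ACL entries for private sources.

```cisco
! Constructed example, not the poster's configuration.
! Null routes: anything sourced from (with uRPF) or destined to the
! private ranges is discarded by the routing table instead of being
! compared line by line against the access list.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! Keepalives switched off for the test lgijssel suggests.
no service tcp-keepalives-in
no service tcp-keepalives-out
!
! ACL 102 reordered: the interesting traffic (SSH from the management
! network on the published port 2922) comes first, ICMP after it, and
! the catch-all deny last. The inbound list sees the packet before the
! static translation, so it matches the public port, not 22.
! 203.0.113.0/24 is a documentation prefix standing in for the
! management network (assumption).
access-list 102 permit tcp 203.0.113.0 0.0.0.255 any eq 2922
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any log
!
! Outside interface name is an assumption; uRPF makes the null routes
! act on source addresses as well as destinations (requires CEF).
interface FastEthernet0
 description outside
 ip access-group 102 in
 ip verify unicast source reachable-via rx
```

The "deny ... log" entry at the end is what lets you confirm from the logs whether a dropped SSH session was actually refused by the list or disappeared elsewhere.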



globalnettech Sun, 10/01/2006 - 06:45

Hello Brandon,

What is sitting between your router and the outside (you were talking about a firewall/IDS)? Try and configure:

crypto isakmp keepalive 10

on your router (in global configuration mode), and see if that makes a difference...



BrandonMolnar Sun, 10/01/2006 - 07:53

Turns out it was the static NAT translations I had that were screwing up the router. When I connected directly to port 22, it worked fine.

The firewall/IDS I have running is on the 1721 router itself.

BrandonMolnar Sun, 10/01/2006 - 09:49

Thanks for the tips. I'll move the interesting traffic lines closer to the top.

I figured the ACL was looked at before the routing statements, so it would be faster that way.
