ASA 5540 kills SSH sessions through the firewall

Joshua Engels
Level 1

I have a Unix user that SSHes from the inside network to a server in the DMZ network. If he leaves it idle, the SSH session is killed by the firewall. Is there a way to tell the ASA not to kill SSH sessions through the firewall that are idle?

Accepted Solution

cisco24x7
Level 6

There are two solutions to this:

1- increase the tcp idle connection on the ASA. The command is "timeout xxxx" or something like that. Check the documentation.

2- enable ssh keep-alive in SSH server itself. In the /etc/ssh/sshd_config configuration of the SSH server, uncomment this line:

#KeepAlive yes

then restart the ssh server. With option #2, you do not have to involve the Firewall guy.

Easy right?

Okay, option 1 worked for us. Increased the "timeout conn 01:00:00" to 2 hours and it worked. That is what I was looking for so I appreciate the response.

Thanks!

Every SSH client has an option to enable keep-alive; this will send a nop command every so many seconds and keep the connection alive.

On a Linux SSH client machine, put it here:

/etc/ssh/ssh_config

ServerAliveInterval

In PuTTY (Windows), go to

Connection -> Sending of null packets to keep session alive -> put value in seconds
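
An added example, not part of any post in this thread: a shell check that compares a client's ServerAliveInterval with a firewall idle timeout written in the hh:mm:ss form of the "timeout conn 01:00:00" value quoted above. The function names are hypothetical, and the input is assumed to be plain "key value" lines such as those printed by OpenSSH's `ssh -G host`.

```shell
#!/bin/sh
# Added example: does the SSH client send keep-alives more often than the
# firewall's idle timer expires? Function names are hypothetical.
# Usage on a real client: ssh -G dmz-host | keepalive_verdict 01:00:00

# Convert hh:mm:ss to seconds. awk reads "08" as decimal; sh arithmetic
# would treat it as invalid octal.
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 { print $1 * 3600 + $2 * 60 + $3; ok = 1 }
        END     { if (!ok) exit 1 }'
}

# Read client settings on stdin and print ServerAliveInterval in seconds.
# The first occurrence wins; 0 means unset or disabled (the OpenSSH default).
# Commented-out lines such as "#ServerAliveInterval 60" do not match.
alive_interval() {
    awk 'tolower($1) == "serveraliveinterval" && !seen { v = $2; seen = 1 }
         END { print v + 0 }'
}

# Print "ok", "no-keepalive" or "too-slow" for the idle timeout given as $1.
# The interval must be strictly shorter than the timeout to count as ok.
keepalive_verdict() {
    idle=$(hms_to_seconds "$1") || { echo "bad-timeout"; return 2; }
    interval=$(alive_interval)
    if [ "$interval" -eq 0 ]; then
        echo "no-keepalive"
    elif [ "$interval" -lt "$idle" ]; then
        echo "ok"
    else
        echo "too-slow"
    fi
}

# Constructed sample input: a client with keep-alives disabled, checked
# against the 01:00:00 value mentioned in the thread.
printf 'hostname dmz-server.example\nserveraliveinterval 0\n' |
    keepalive_verdict 01:00:00
```
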
