Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Disabling timeouts which affect SSH tunnels

Hi,

Im running 8.3 on a 5505. We've got a few ssh tunnels originating from inside to some place on the internet. It seems these tunnels are closed

every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is infinite timeout (0) for these SSH tunnels.

Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)?

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Suggestion 2, enable a ssh class map which explicitely set the timeout for the ssh connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?

class CLASS_MAP_SSH

   set connection  random-sequence-number disable

   set connection timeout idle  48:00:00 reset

   set connection decrement-ttl

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Disabling timeouts which affect SSH tunnels

Hello,

It is not a built-in class-map so you'd have to define it. The full config would look like this:

class-map CLASS_MAP_SSH

   match port tcp eq 22

policy-map global_policy

   class CLASS_MAP_SSH

       set connection timeout...

service-policy global_policy global

or

access-list ssh permit tcp any any eq 22

class-map CLASS_MAP_SSH

   match access-list ssh

policy-map global_policy

   class CLASS_MAP_SSH

       set connection timeout...

service-policy global_policy global

-Mike

3 REPLIES
Cisco Employee

Disabling timeouts which affect SSH tunnels

Hello,

If you're sure you want to disable the timeout, suggestion 2 is the recommended method because it will only affect SSH traffic and not every TCP connection through the firewall (which will eventually consume all resources if conns don't gracefully close). To achieve an unlimited timeout, you set the idle timer to 0:

set connection timeout idle 0

Another feature that you may want to look into, though, is dead connection detection ('set connection timeout dcd'). This is a better method than an infinite timeout because only connections that still have an active socket on both endpoints will be kept open by the firewall. You can read about this feature here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752

-Mike

New Member

Disabling timeouts which affect SSH tunnels

Hey Mike,

Thank you for the answer. I do however wonder if "CLASS_MAP_SSH" is a known value to the ASA (ie it knows to match tcp port 22), or must I within the class match ssh traffic (by matching a ACL)?

Thanks,

Cisco Employee

Disabling timeouts which affect SSH tunnels

Hello,

It is not a built-in class-map so you'd have to define it. The full config would look like this:

class-map CLASS_MAP_SSH

   match port tcp eq 22

policy-map global_policy

   class CLASS_MAP_SSH

       set connection timeout...

service-policy global_policy global

or

access-list ssh permit tcp any any eq 22

class-map CLASS_MAP_SSH

   match access-list ssh

policy-map global_policy

   class CLASS_MAP_SSH

       set connection timeout...

service-policy global_policy global

-Mike

1067
Views
0
Helpful
3
Replies