Im running 8.3 on a 5505. We've got a few ssh tunnels originating from inside to some place on the internet. It seems these tunnels are closed
every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is infinite timeout (0) for these SSH tunnels.
Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)?
Suggestion 2, enable a ssh class map which explicitely set the timeout for the ssh connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?
If you're sure you want to disable the timeout, suggestion 2 is the recommended method because it will only affect SSH traffic and not every TCP connection through the firewall (which will eventually consume all resources if conns don't gracefully close). To achieve an unlimited timeout, you set the idle timer to 0:
set connection timeout idle 0
Another feature that you may want to look into, though, is dead connection detection ('set connection timeout dcd'). This is a better method than an infinite timeout because only connections that still have an active socket on both endpoints will be kept open by the firewall. You can read about this feature here:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...