Remote SSH connection dropping

BrandonMolnar
Level 1

Hello everyone,

I posted this in another forum but thought it would better fit here. I've got a Cisco 1721 that I've configured to allow external SSH connections into the router from the Internet on port 2922 (then translated to port 22).

For some reason, the SSH connection randomly gets dropped, most of the time in the middle of typing a command. I don't think it's related to the length of time because I could not type anything (or type very little) and stay connected for a while. Once I start typing a bunch of commands, it will soon disconnect me. If I try doing a "show tech" I'll immediately get disconnected (even after connecting 5 seconds before). If I try from the LAN side, it works fine. Would this have something to do with the firewall or IDS?

I already tried "crypto key zeroize rsa" to regen my public key but that didn't help.

Any kind of help would be appreciated.

Thanks,

Brandon

4 Replies

lgijssel
Level 9

Please try what happens when you remove the tcp keepalives:

no service tcp-keepalives-in

no service tcp-keepalives-out

Also, temporarily switch off the firewall and check what happens. I also have some comments about acl 102 which are probably off topic but will be helpful to improve the performance.

First of all, the list is too long. You can shorten it in the following ways:

ip route 10.0.0.0 255.0.0.0 null0 and so on

Use ip routes to drop private ip source traffic instead of an acl. This costs less performance.

You should also put the lines that allow interesting traffic first in the config, i.e. tcp before icmp. This prevents interesting traffic from being subjected to many checks.

Regards,

Leo

Hello Brandon,

What is sitting between your router and the outside (you were talking about a firewall/IDS)? Try and configure:

crypto isakmp keepalive 10

on your router (in global configuration mode), and see if that makes a difference...

Regards,

GNT

Turns out it was the static NAT translations I had that were screwing up the router. When I connected directly to port 22, it worked fine.

The firewall/IDS I have running is on the 1721 router itself.

Thanks for the tips. I'll move the interesting traffic lines closer to the top.

I figured the ACL was looked at before the routing statements, so it would be faster that way.
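For reference, here is an added IOS configuration sketch (not from this thread or any poster) that puts the pieces discussed together: the static NAT port translation from 2922 to 22 that Brandon described, the inbound ACL with the interesting tcp lines ahead of icmp as Leo suggested, and null routes for the private ranges. Interface names and the addresses 192.0.2.1 (outside) and 10.0.0.1 (inside) are assumed placeholders.

```cisco
! Assumed interface names and addresses; adjust to the real router.
interface FastEthernet0
 description Inside LAN (assumed)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Internet (assumed)
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group 102 in
!
! Static port translation: external 2922 reaches the router's own SSH on 22.
! This is the translation Brandon found to be the source of the drops;
! shown here so the configuration under discussion is visible in full.
ip nat inside source static tcp 10.0.0.1 22 192.0.2.1 2922 extendable
!
! Interesting tcp traffic first, icmp after, deny-all with logging last,
! so management sessions are matched before the longer checks.
access-list 102 permit tcp any host 192.0.2.1 eq 2922
access-list 102 permit tcp any any established
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
! Null routes for RFC 1918 space instead of per-range ACL entries.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! The keepalive settings Leo asked to test by removing them.
no service tcp-keepalives-in
no service tcp-keepalives-out
```

The connected 10.0.0.0/24 route is more specific than the 10.0.0.0/8 null route, so LAN traffic is unaffected; the null routes only discard packets destined for the unrouted private space.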