Bug 1404

Summary: Make keepalive work properly with Cisco PIX/ASA boxes
Product: Portable OpenSSH Reporter: JS <jakob>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: dtucker
Priority: P2    
Version: 4.7p1   
Hardware: Other   
OS: Linux   

Description JS 2007-12-20 04:31:40 AEDT 
SSH connections through Cisco's PIX and ASA boxes need a more "robust" keepalive feature.

This is probably an issue with other networking equipment also.

Connections are being detected as "idle" even though sshd and ssh client keepalive is enabled with all current versions.

Currently keepalive is not keeping the connection alive :-o
Comment 1 Darren Tucker 2007-12-20 04:56:21 AEDT 
Are you using ClientAliveInverval and ClientAliveCountMax (on the server side) or ServerAliveInterval and ClientAliveCountMax (on the client side)?  

TCPKeepAlive enables the the system-wide TCP keepalive timer on the connection, but that is usually not frequent enough to help with NAT timeouts and the like (~2 hours in many cases).
Comment 2 JS 2007-12-21 01:16:16 AEDT 
Thanks Darren.

I now have in my client config:
        ServerAliveInterval 15
        ServerAliveCountMax 10

And on my server:
        ClientAliveInterval 15
        ClientAliveCountMax 10

This works and my ssh sessions are no-longer disconnected by the Cisco ASA firewall.
Comment 3 Darren Tucker 2007-12-21 02:35:50 AEDT 
You're welcome.  Either of ClientAlive* or ServerAlive* is enough to keep your NAT table state fresh, you don't need both (but it's pretty much harmless to have both).
Comment 4 Damien Miller 2008-04-04 10:01:31 AEDT 
Close resolved bugs after release.