Bug 1404 - Make keepalive work properly with Cisco PIX/ASA boxes
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 4.7p1
Hardware: Other Linux
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2007-12-20 04:31 AEDT by JS
Modified: 2008-04-04 10:01 AEDT
Description JS 2007-12-20 04:31:40 AEDT
SSH connections through Cisco's PIX and ASA boxes need a more "robust" keepalive feature.

This is probably an issue with other networking equipment also.

Connections are being detected as "idle" even though sshd and ssh client keepalive is enabled with all current versions.

Currently keepalive is not keeping the connection alive :-o
Comment 1 Darren Tucker 2007-12-20 04:56:21 AEDT
Are you using ClientAliveInterval and ClientAliveCountMax (on the server side) or ServerAliveInterval and ClientAliveCountMax (on the client side)?

TCPKeepAlive enables the system-wide TCP keepalive timer on the connection, but that is usually not frequent enough to help with NAT timeouts and the like (~2 hours in many cases).
Comment 2 JS 2007-12-21 01:16:16 AEDT
Thanks Darren.

I now have in my client config:
        ServerAliveInterval 15
        ServerAliveCountMax 10

And on my server:
        ClientAliveInterval 15
        ClientAliveCountMax 10

This works and my ssh sessions are no longer disconnected by the Cisco ASA firewall.
Comment 3 Darren Tucker 2007-12-21 02:35:50 AEDT
You're welcome.  Either of ClientAlive* or ServerAlive* is enough to keep your NAT table state fresh; you don't need both (but it's pretty much harmless to have both).
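To make the difference between the two keepalive mechanisms in comments 1 to 3 concrete, here is an added example (my own code, not part of the bug report and not OpenSSH's code) that reads the global section of an sshd_config or ssh_config fragment, works out how long the session can stay silent before this side sends any packet, how long it takes to notice a dead peer, and whether that silent gap beats a firewall idle timer. The OpenSSH defaults (ClientAliveInterval/ServerAliveInterval 0, CountMax 3, TCPKeepAlive yes) are from the manual pages; the Linux TCP keepalive sysctl values, the one-hour ASA idle timer, and every config fragment other than the reporter's ClientAlive* values are assumptions made up for the comparison.

```python
import re

# Defaults for the keepalive options as documented in sshd_config(5) and
# ssh_config(5): protocol-level probes are off, three missed probes are
# tolerated, and the kernel TCP keepalive timer is on.
DEFAULTS = {
    "server": {"clientaliveinterval": 0, "clientalivecountmax": 3, "tcpkeepalive": "yes"},
    "client": {"serveraliveinterval": 0, "serveralivecountmax": 3, "tcpkeepalive": "yes"},
}

# Assumed Linux sysctl defaults (net.ipv4.tcp_keepalive_time/_probes/_intvl).
# Not from the bug report; other operating systems use other values.
TCP_KEEPALIVE_TIME = 7200
TCP_KEEPALIVE_PROBES = 9
TCP_KEEPALIVE_INTVL = 75


def parse_config(text):
    """Return {keyword_lowercased: first value} for the global section of an
    OpenSSH config file. OpenSSH keeps the first value it obtains for a keyword,
    and everything after the first Match (sshd_config) or Host (ssh_config)
    line is conditional, so parsing stops there."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("match", "host"):
            break
        opts.setdefault(key, value)
    return opts


def keepalive_profile(text, side, nat_idle_timeout):
    """Work out how long the session stays silent before this side sends a probe
    and how long it takes to notice a dead peer, then compare the silent gap with
    a NAT/firewall idle timer. side is "server" (sshd_config, ClientAlive*) or
    "client" (ssh_config, ServerAlive*)."""
    prefix = "clientalive" if side == "server" else "serveralive"
    opts = {**DEFAULTS[side], **parse_config(text)}
    interval = int(opts[prefix + "interval"])
    count = int(opts[prefix + "countmax"])
    tcp_keepalive = str(opts["tcpkeepalive"]).lower() == "yes"

    if interval > 0:
        # Protocol-level probe inside the encrypted channel after `interval`
        # seconds of silence; `count` unanswered probes end the session.
        probe_gap, dead_peer_after, source = interval, interval * count, prefix
    elif tcp_keepalive:
        # Only the kernel timer refreshes the flow; sshd learns of a dead peer
        # when the socket errors out after the kernel gives up.
        probe_gap = TCP_KEEPALIVE_TIME
        dead_peer_after = TCP_KEEPALIVE_TIME + TCP_KEEPALIVE_PROBES * TCP_KEEPALIVE_INTVL
        source = "tcpkeepalive"
    else:
        probe_gap = dead_peer_after = source = None  # nothing keeps the flow alive

    return {
        "source": source,
        "probe_gap": probe_gap,
        "dead_peer_after": dead_peer_after,
        # The flow survives only if a packet goes out before the idle timer fires.
        "survives_nat": probe_gap is not None and probe_gap < nat_idle_timeout,
    }


# Constructed sample configs. SERVER_AFTER repeats the reporter's working values;
# the rest are made up for the comparison.
SERVER_BEFORE = """
# keepalive options left at their defaults
TCPKeepAlive yes
PermitRootLogin no
"""
SERVER_AFTER = """
ClientAliveInterval 15
ClientAliveCountMax 10
Match User backup
    ClientAliveInterval 600    # conditional, not part of the global section
"""
CLIENT_AFTER = "ServerAliveInterval 15\nServerAliveCountMax 10\nTCPKeepAlive no\n"
NO_KEEPALIVE = "TCPKeepAlive no\n"

# Assumed firewall idle timer (one hour); the bug report does not state the ASA's value.
NAT_IDLE_TIMEOUT = 3600

if __name__ == "__main__":
    for name, text, side in [("server before", SERVER_BEFORE, "server"),
                             ("server after", SERVER_AFTER, "server"),
                             ("client after", CLIENT_AFTER, "client"),
                             ("no keepalive", NO_KEEPALIVE, "client")]:
        print(name, keepalive_profile(text, side, NAT_IDLE_TIMEOUT))
```

The "before" server config emits nothing for two hours on an idle session, so an hour-long firewall idle timer drops it; the reporter's `ClientAliveInterval 15` / `ClientAliveCountMax 10` sends a probe after 15 seconds of silence and declares the peer dead after 150 seconds. Two things to keep in mind when choosing values: the interval must be shorter than the idle timer of every NAT or firewall on the path, and the product interval x countmax is how long a hung peer holds the session (and its forwarded ports) open, so make it as short as your network's transient outages allow. Later OpenSSH releases can print the effective values with `sshd -T` and `ssh -G host`, which is the quicker check when the config is spread over Match or Host blocks this parser ignores.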
Comment 4 Damien Miller 2008-04-04 10:01:31 AEDT
Close resolved bugs after release.