who does session disconnects

I'm trying to have my ssh session disconnect after so many minutes of inactivity, and while I was searching I seem to have come across something that says my Cisco firewalls (501) will do this? I initially thought it was w/ ssh somewhere.

Is this correct? And if so, should it be done in the firewall, or is it better to do it on the server?

Reply to
Ender

The server doesn't really have a good way to terminate a session after a given time. If you are ssh'ing into a Unix shell, some of them (tcsh comes to mind) do have an inactivity timer such that you'll be timed out and logged off after x minutes of inactivity. Others do not have this feature.

Firewalls also have session limits on their TCP streams. I typically go through and have to set the default session limit up to infinity for ssh, as I like staying logged in, and will log out specifically if I'm at a remote insecure location. The default is usually something reasonable, usually 30 minutes of inactivity on a TCP stream.

Reply to
Doug McIntyre

What are you asking? Are you asking if an SSH connection from an SSH client to an SSH server like a UNIX system is terminated by the client and server, or because a firewall in the middle terminates the session for them? If that is your question, then your answer is that the SSH client and SSH server applications initiate and terminate SSH connections, not any device in between, unless there is a disconnection in the network path between them. Cisco routers, switches, firewalls, VPN concentrators, and wireless access points can be connected to by telnet and also by SSH for managing the devices, among other methods. If an SSH connection to the device is desired for managing it, most likely for SSH's encrypted connection to protect against password sniffing, the IOS of the device (or PIX image or VPN image) must support SSH connections. The timeout of the SSH session is set in seconds in IOS and in minutes on a PIX/ASA by a command below. Use the commands listed below to enable SSH hosting on the device for connections to the device to manage the device:

IOS:

Reply to
Scott Perry

I have an ssh client on one network coming through my firewall onto a server w/ an sshd running. I want to know if there is a period of, say, 15 minutes of inactivity, can the pix 501 drop the session? The obvious is that the client and server initiate and terminate the sessions, but ... does the 501 support this same feature? I don't mean ssh'ing to the console on the firewall device to manage the device, which is what it looks like you're saying those commands do.

Only reason I'm asking if the pix can do it is that I saw those commands and haven't found any for my ssh server doing the disconnect yet.

Reply to
Ender

I really seriously doubt it. My first answer is to say no, that there is no way that a Cisco PIX firewall will terminate your SSH session after a period of inactivity for you. Think of it like this: The SSH session is secure shell - an encrypted connection. How is the PIX to know when it is active or inactive? There will be TCP keepalives going back and forth and perhaps some data from the SSH server to the client, but the PIX would not know what is in the SSH data. The commands you saw were for SSH clients connecting to the Cisco PIX firewall itself for the purpose of managing the firewall.

Reply to
Scott Perry

I don't know PIX, but many firewalls have the ability to terminate idle connections of any type. The firewall should be able to tell the difference between TCP keepalives and actual data packets. It can't tell what's IN the data packets if they're encrypted, but why would it need to? All it needs to know is whether any application-layer data is being transmitted over the connection.

Reply to
Barry Margolin

That's what I'm thinking. I mean, if a client has to send a keepalive, then it must be for some purpose like ... don't drop the connection because I want it "kept alive". I keep seeing hints to this from firewalls that drop idle connections, but can't find the specifics. Just hoping my $500 501 would somehow support this, where I'd rather have it done than have to configure ssh stuff on every box.

Reply to
Ender

Indeed, every stateful firewall has the ability to terminate idle connections. They must have it; if not, the state table would never stop growing. Whenever a packet that matches a state-table entry goes through the firewall, it will reset that entry's timer. If an entry has not been in use for, say, 1 hour, a process will declare that connection dead and erase it. Many applications avoid this by sending keep-alive packets.

On PIX this timeout is set by "timeout xlate". I don't know PIX very well, but on some firewalls you can adjust the timeout on a per-port basis. So you can say that the default timeout is 1 hour, but for port 22 tcp, it's 24 hours.

-- Erik

Reply to
Erik Dahle

TCP keepalives are misnamed. They're not used to keep anything alive, they're used to detect failure. The stack periodically sends an empty segment, and checks whether it gets acknowledged. If there's no acknowledgement (after a suitable number of retries), the other end can be presumed to be dead. Also, if the other end crashed and rebooted while the connection was idle, the keepalives should prompt it to respond with RST.

I don't know whether the PIX considers a connection that has only had keepalives to be idle or active.

Reply to
Barry Margolin
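The mechanics Erik and Barry describe (a state-table entry whose timer is refreshed by matching packets, a per-port override for tcp/22, and the open question of whether a bare TCP keepalive counts as activity) can be modelled in a few lines. The following is an added Python sketch written for this thread; it is not Cisco code and not how the PIX actually implements its table, and the addresses, timeouts and probe intervals are constructed. It also covers one case the thread only hints at: an SSH-protocol keepalive (what OpenSSH's ClientAliveInterval / ServerAliveInterval sends) travels as encrypted payload, so to the firewall it is ordinary data rather than an empty TCP segment.

```python
"""Toy stateful-firewall connection table (added illustration, not Cisco
code): each passing packet that matches an entry refreshes the entry's
timer; an entry idle longer than its timeout is declared dead and removed;
whether a TCP keepalive probe (an empty segment) counts as activity is a
policy knob, since real firewalls differ on it."""
from dataclasses import dataclass

# Constructed flow: client 10.0.0.5 -> SSH server 192.0.2.10, dst port 22.
SSH_FLOW = ("10.0.0.5", 51515, "192.0.2.10", 22)


@dataclass(frozen=True)
class Packet:
    flow: tuple         # (src_ip, src_port, dst_ip, dst_port)
    t: float            # arrival time, seconds since the flow opened
    payload_len: int    # 0 for a bare ACK / TCP keepalive probe


class StateTable:
    def __init__(self, default_timeout, per_port=None, keepalive_refreshes=False):
        self.default_timeout = default_timeout      # seconds, like "timeout conn"
        self.per_port = per_port or {}              # dst_port -> idle timeout
        self.keepalive_refreshes = keepalive_refreshes
        self.entries = {}                           # flow -> last-activity time
        self.dropped = []                           # (flow, time declared dead)

    def timeout_for(self, flow):
        return self.per_port.get(flow[3], self.default_timeout)

    def expire(self, now):
        """The reaper: erase every entry idle longer than its timeout."""
        for flow, last in list(self.entries.items()):
            if now - last > self.timeout_for(flow):
                del self.entries[flow]
                self.dropped.append((flow, now))

    def open(self, flow, t):
        self.expire(t)
        self.entries[flow] = t

    def process(self, pkt):
        """Return True if the packet matched live state and was passed."""
        self.expire(pkt.t)
        if pkt.flow not in self.entries:
            return False                            # no state: packet is dropped
        if pkt.payload_len > 0 or self.keepalive_refreshes:
            self.entries[pkt.flow] = pkt.t          # activity resets the timer
        return True


def simulate(firewall, hours_idle=3, probe_every=600, probe_payload=0):
    """Open SSH_FLOW, then send nothing but probes for `hours_idle` hours.
    probe_payload=0 models TCP keepalives; a positive value models SSH-level
    keepalives, which are encrypted payload and so look like data to the
    firewall. probe_every=None sends no probes at all.
    Returns True if the entry survived the idle period."""
    firewall.open(SSH_FLOW, 0.0)
    end = hours_idle * 3600
    if probe_every:
        for t in range(probe_every, end + 1, probe_every):
            firewall.process(Packet(SSH_FLOW, float(t), probe_payload))
    firewall.expire(float(end))
    return SSH_FLOW in firewall.entries


if __name__ == "__main__":
    # 1-hour default, TCP keepalives every 10 minutes, keepalives not counted:
    # the entry dies at the first reaper pass after an hour of "no data".
    fw = StateTable(3600)
    print("TCP keepalives only, not counted:", simulate(fw), fw.dropped)
    print("TCP keepalives counted:", simulate(StateTable(3600, keepalive_refreshes=True)))
    print("SSH-level keepalives:", simulate(StateTable(3600), probe_payload=52))
    print("tcp/22 override, silent 3 h:", simulate(StateTable(3600, per_port={22: 86400}), probe_every=None))
```

The first case is the one Barry is unsure about: with a firewall that ignores empty segments, a session kept up only by TCP keepalives is erased at 4200 s (the first check after the 3600 s limit is exceeded), while SSH-level keepalives survive on any firewall because they are data. The per-port override is Erik's "24 hours for port 22" idea.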

Here is a sample of some of the timeout commands from a Cisco ASA firewall:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

timeout xlate 0:05:00
timeout conn 0:50:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Almost the same layout for PIX or ASA, accounting for differences in platform and image version. To go beyond this default set of commands for a connection timeout, a class map can be configured for a certain type of network traffic. For example, an access-list can be entered into the class map permitting any any traffic destined for TCP port 22. That class map can then be used to configure a specific timeout for that traffic class.

! match any TCP traffic to port 22 (the protocol keyword is required)
access-list SSHtraffic extended permit tcp any any eq 22
class-map SSHconnections
 description Any SSH network traffic
 match access-list SSHtraffic
policy-map SSHtimeout
 class SSHconnections
  ! idle timeout for this class only; "reset" sends RST to both ends on expiry
  set connection timeout tcp 00:05:00 reset
service-policy SSHtimeout interface outside

Reply to
Scott Perry
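As an added worked example (written for this thread, not Cisco's or the forum's code), here is a small Python parser for the subset of ASA/PIX timeout syntax shown above: it reads the global `timeout conn` value and any class applied through `service-policy` whose class-map matches a single-port access-list, then reports the effective idle timeout for a given TCP destination port. The sample configuration it parses is transcribed from the two posts above, with the access-list's protocol keyword `tcp` and the hyphen in `service-policy` supplied; everything else about the syntax is only what the thread shows, so the parser deliberately understands nothing more.

```python
"""Added example: compute the effective idle timeout a simplified ASA/PIX
config gives a TCP connection to a given destination port. Handles only the
syntax used in the thread (global 'timeout conn', access-list with 'eq PORT',
class-map / policy-map / set connection timeout tcp, service-policy)."""
import re

# Constructed sample, transcribed from the thread's timeout block and its
# SSH class-map/policy-map (with 'tcp' and 'service-policy' corrected).
SAMPLE_CONFIG = """
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 0:05:00 absolute
access-list SSHtraffic extended permit tcp any any eq 22
class-map SSHconnections
 description Any SSH network traffic
 match access-list SSHtraffic
policy-map SSHtimeout
 class SSHconnections
  set connection timeout tcp 00:05:00 reset
service-policy SSHtimeout interface outside
"""


def hms_to_seconds(text):
    """'h:mm:ss' (ASA/PIX timeout notation) -> seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_asa_timeouts(config):
    """Return (global_conn_timeout_seconds, {dst_port: seconds}) where the
    dict holds per-port overrides that are actually applied by a service-policy."""
    global_conn = None
    acl_ports = {}          # access-list name -> TCP destination port
    class_acl = {}          # class-map name -> access-list name
    policy_classes = {}     # policy-map name -> {class name -> seconds}
    applied = []            # policy-map names referenced by service-policy
    cur_class = cur_policy = cur_policy_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "timeout":
            # 'timeout conn 1:00:00 half-closed 0:10:00 ...' is a keyword/value list
            for i in range(1, len(tokens) - 1):
                if tokens[i] == "conn":
                    global_conn = hms_to_seconds(tokens[i + 1])
        elif tokens[0] == "access-list":
            m = re.search(r"permit tcp .* eq (\d+)$", line)
            if m:
                acl_ports[tokens[1]] = int(m.group(1))
        elif tokens[0] == "class-map":
            cur_class, cur_policy = tokens[1], None
        elif tokens[0] == "match" and len(tokens) >= 3 and tokens[1] == "access-list" and cur_class:
            class_acl[cur_class] = tokens[2]
        elif tokens[0] == "policy-map":
            cur_policy, cur_class, cur_policy_class = tokens[1], None, None
            policy_classes.setdefault(cur_policy, {})
        elif tokens[0] == "class" and cur_policy:
            cur_policy_class = tokens[1]
        elif line.startswith("set connection timeout tcp") and cur_policy and cur_policy_class:
            policy_classes[cur_policy][cur_policy_class] = hms_to_seconds(tokens[4])
        elif tokens[0] == "service-policy":
            applied.append(tokens[1])
    per_port = {}
    for policy in applied:                      # unapplied policy-maps do nothing
        for cls, seconds in policy_classes.get(policy, {}).items():
            acl = class_acl.get(cls)
            if acl in acl_ports:
                per_port[acl_ports[acl]] = seconds
    return global_conn, per_port


def effective_idle_timeout(config, dst_port):
    """Idle timeout in seconds for a TCP connection to dst_port: the class
    override if one is applied, otherwise the global 'timeout conn'."""
    global_conn, per_port = parse_asa_timeouts(config)
    return per_port.get(dst_port, global_conn)


if __name__ == "__main__":
    for port in (22, 443):
        print(f"tcp/{port}: idle timeout {effective_idle_timeout(SAMPLE_CONFIG, port)} s")
```

For the sample, tcp/22 gets the 5-minute class timeout (300 s) while any other port, such as tcp/443, falls back to the global 1-hour `timeout conn` (3600 s). The check that a policy-map is actually referenced by `service-policy` is the detail most worth auditing: a class with a sensible timeout that is never applied to an interface changes nothing.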
