bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-19 17:31 UTC
[Bug 1404] New: Make keepalive work properly with Cisco PIX/ASA boxes
https://bugzilla.mindrot.org/show_bug.cgi?id=1404
Summary: Make keepalive work properly with Cisco PIX/ASA boxes
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: jakob at f-prot.com
SSH connections through Cisco's PIX and ASA boxes need a more "robust"
keepalive feature.
This is probably an issue with other networking equipment also.
Connections are being detected as "idle" even though sshd and ssh
client keepalive is enabled with all current versions.
Currently keepalive is not keeping the connection alive :-o
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-19 17:56 UTC
[Bug 1404] Make keepalive work properly with Cisco PIX/ASA boxes
https://bugzilla.mindrot.org/show_bug.cgi?id=1404
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-12-20 04:56:21 ---
Are you using ClientAliveInterval and ClientAliveCountMax (on the
server side) or ServerAliveInterval and ClientAliveCountMax (on the
client side)?
TCPKeepAlive enables the system-wide TCP keepalive timer on the
connection, but that is usually not frequent enough to help with NAT
timeouts and the like (~2 hours in many cases).
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-20 14:16 UTC
[Bug 1404] Make keepalive work properly with Cisco PIX/ASA boxes
https://bugzilla.mindrot.org/show_bug.cgi?id=1404
JS <jakob at f-prot.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from JS <jakob at f-prot.com> 2007-12-21 01:16:16 ---
Thanks Darren.
I now have in my client config:
ServerAliveInterval 15
ServerAliveCountMax 10
And on my server:
ClientAliveInterval 15
ClientAliveCountMax 10
This works and my ssh sessions are no longer disconnected by the Cisco
ASA firewall.
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-20 15:35 UTC
[Bug 1404] Make keepalive work properly with Cisco PIX/ASA boxes
https://bugzilla.mindrot.org/show_bug.cgi?id=1404
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2007-12-21 02:35:50 ---
You're welcome. Either of ClientAlive* or ServerAlive* is enough to keep
your NAT table state fresh, you don't need both (but it's pretty much
harmless to have both).
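An added example, not part of the original thread or of OpenSSH: a small checker that reads keepalive options from ssh_config or sshd_config text and reports whether the application-level probes fire more often than a firewall's idle timeout. The function names, the flat parsing (Host/Match scoping is ignored, intervals are plain seconds) and the 3600-second idle timeout are assumptions made for the illustration.

```python
# Added example: assess SSH keepalive settings against a firewall idle timeout.
# Assumptions: flat config text (Host/Match scoping ignored), intervals in
# plain seconds, and a caller-supplied firewall idle timeout.

# OpenSSH defaults: an interval of 0 disables the probes; CountMax is 3.
KEYWORDS = {
    "client": ("serveraliveinterval", "serveralivecountmax"),  # ssh_config
    "server": ("clientaliveinterval", "clientalivecountmax"),  # sshd_config
}

def parse_options(text):
    """Map lower-cased keyword -> value; the first value for a keyword wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def assess(text, side, firewall_idle_s):
    """Report whether application-level keepalives beat the idle timeout."""
    opts = parse_options(text)
    interval_key, count_key = KEYWORDS[side]
    interval = int(opts.get(interval_key, 0))
    countmax = int(opts.get(count_key, 3))
    tcp_on = opts.get("tcpkeepalive", "yes").lower() == "yes"
    return {
        "keeps_state_fresh": 0 < interval < firewall_idle_s,
        # Unanswered probes tolerated before the session is dropped.
        "dead_peer_timeout_s": interval * countmax if interval else None,
        # Only the OS-level TCP timer is active (often hours between probes).
        "tcpkeepalive_only": interval == 0 and tcp_on,
    }

CLIENT_FROM_THREAD = "ServerAliveInterval 15\nServerAliveCountMax 10\n"
TCP_ONLY = "# constructed sample\nTCPKeepAlive yes\n"
ASSUMED_IDLE_S = 3600  # constructed firewall idle timeout, not from the thread

if __name__ == "__main__":
    print(assess(CLIENT_FROM_THREAD, "client", ASSUMED_IDLE_S))
    print(assess(TCP_ONLY, "server", ASSUMED_IDLE_S))
```

With the client settings quoted in comment #2, an unresponsive peer is dropped after roughly 150 seconds, which is the trade-off to weigh when raising the CountMax value.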
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 23:01 UTC
[Bug 1404] Make keepalive work properly with Cisco PIX/ASA boxes
https://bugzilla.mindrot.org/show_bug.cgi?id=1404
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> 2008-04-04 10:01:31 ---
Close resolved bugs after release.