openssh unix dev - Feb 2018 - Established connection timing out

I don't believe you've said: are the disconnects happening during
periods
of idleness on the connection, or periods of activity? If idleness, some 
device or script could be actively doing a disconnect-on-idle.

On Mon, 26 Feb 2018, Kip Warner wrote:
> Hey list,
>
> I've read the man page for both the client and server daemon, so either
> I missed something or this isn't an SSH issue but something going on
> with perhaps routers or MTUs.
>
> I am having problems with already established connections to a remote
> server timing out after a few minutes. I connect either over ssh or via
> rsync tunnelled over the former.
>
> On the client side eventually I just see a whole pile of messages like
> this, but no rsync traffic appears occurring:
>
>    debug1: client_input_channel_req: channel 0 rtype     keepalive at ope
> nssh.com     reply 1
>
> I've monitored both the client and server via strace and neither
> machine appears to have "died" from some kind of memory
exhaustion,
> bandwidth issue, etc. Both appear to simply be waiting for the other to
> do something.
>
> Since my client side rsync is running as root, I tried to modify
> /etc/ssh_config to try and keep the connection alive. This is the
> client side /etc/ssh_config
>
>    Host *
>
>        ServerAliveInterval 5
>        ServerAliveCountMax 20
>
> And this is the server side /etc/sshd_config:
>
>    Port 22
>    Protocol 2
>    HostKey /etc/ssh/ssh_host_rsa_key
>    HostKey /etc/ssh/ssh_host_dsa_key
>    HostKey /etc/ssh/ssh_host_ecdsa_key
>    UsePrivilegeSeparation yes
>
>    KeyRegenerationInterval 3600
>    ServerKeyBits 768
>
>    SyslogFacility AUTH
>    LogLevel INFO
>
>    LoginGraceTime 120
>    PermitRootLogin yes
>    StrictModes yes
>
>    RSAAuthentication yes
>    PubkeyAuthentication yes
>    AuthorizedKeysFile	%h/.ssh/authorized_keys
>
>    IgnoreRhosts yes
>    RhostsRSAAuthentication no
>    HostbasedAuthentication no
>
>    PermitEmptyPasswords no
>
>    ChallengeResponseAuthentication no
>
>    X11Forwarding yes
>    X11DisplayOffset 10
>    PrintMotd no
>    PrintLastLog yes
>
>    AcceptEnv LANG LC_*
>
>    Subsystem sftp /usr/lib/openssh/sftp-server
>
>    UsePAM yes
>
>    UseDNS no
>
>    ClientAliveCountMax 20
>    ClientAliveInterval 5
>
> The latter two options I'm assuming are the most important here, but
> they don't seem to do anything.
>
> Any help appreciated.
>
> -- 
> Kip Warner | Senior Software Engineer
> OpenPGP signed/encrypted mail preferred
> https://www.cartesiantheatre.com
Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.

personal e-mail: ras at anzio.com
  company e-mail: rsi at anzio.com
           voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
             fax: (US) 503-624-0760
             web: http://www.anzio.com
  street address: Rasmussen Software, Inc.
                  10240 SW Nimbus, Suite L9
                  Portland, OR  97223  USA

On 27 February 2018 at 13:34, Bob Rasmussen <ras at anzio.com>
wrote:
> I don't believe you've said: are the disconnects happening during
periods of
> idleness on the connection, or periods of activity? If idleness, some
device
> or script could be actively doing a disconnect-on-idle.
"ServerAliveInterval 5" and "ClientAliveInterval 5" should
ensure that
there are no periods of network idleness (which is supported by the
reported keepalive at ope
nssh.com debug messages).

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Mon, 2018-02-26 at 18:34 -0800, Bob Rasmussen wrote:
> I don't believe you've said: are the disconnects happening during
> periods of idleness on the connection, or periods of activity? If
> idleness, some  device or script could be actively doing a
> disconnect-on-idle.
Actually both. See my response to Nathan. Sorry, just got to this thread.

-- 
Kip Warner | Senior Software Engineer
OpenPGP signed/encrypted mail preferred
https://www.cartesiantheatre.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180227/abad2d5a/attachment.asc>

On Tue, 2018-02-27 at 13:47 +1100, Darren Tucker wrote:
> "ServerAliveInterval 5" and "ClientAliveInterval 5"
should ensure
> that there are no periods of network idleness (which is supported by
> the reported keepalive at openssh.com debug messages).
Yup. Exactly. I don't have physical access to the NAT, but it's
apparently a really shitty crusty old D-Link.

-- 
Kip Warner | Senior Software Engineer
OpenPGP signed/encrypted mail preferred
https://www.cartesiantheatre.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180227/fbed6f97/attachment-0001.asc>