https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852395#M489401 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>If you're sure you want to disable the timeout, suggestion 2 is the recommended method because it will only affect SSH traffic and not every TCP connection through the firewall (which will eventually consume all resources if conns don't gracefully close). To achieve an unlimited timeout, you set the idle timer to 0:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">set connection timeout idle 0</PRE><P></P><P>Another feature that you may want to look into, though, is dead connection detection ('set connection timeout dcd'). This is a better method than an infinite timeout because only connections that still have an active socket on both endpoints will be kept open by the firewall. You can read about this feature here:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752">http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752</A></P><P></P><P>-Mike</P></BODY></HTML> Thu, 05 Jan 2012 14:45:13 GMT mirober2 2012-01-05T14:45:13Z https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852394#M489399 <P>Hi,</P><P></P><P>Im running 8.3 on a 5505. We've got a few ssh tunnels originating from inside to some place on the internet. It seems these tunnels are closed </P><P>every n minutes. I've seen two recommendations for altering the timeout values, and <STRONG>what I am interested in is infinite timeout (0)</STRONG> for these SSH tunnels.</P><P></P><P>Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)?</P><P><EM>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</EM></P><P></P><P>Suggestion 2, enable a ssh class map which explicitely set the timeout for the ssh connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?</P><P></P><P><EM>class CLASS_MAP_SSH</EM></P><P><EM>&nbsp;&nbsp; set connection&nbsp; random-sequence-number disable</EM></P><P><EM>&nbsp;&nbsp; set connection timeout idle&nbsp; 48:00:00 reset </EM></P><P><EM>&nbsp;&nbsp; set connection decrement-ttl</EM></P><P></P><P>Thanks in advance</P> Mon, 11 Mar 2019 22:10:15 GMT https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852394#M489399 3moloz123 2019-03-11T22:10:15Z https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852395#M489401 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>If you're sure you want to disable the timeout, suggestion 2 is the recommended method because it will only affect SSH traffic and not every TCP connection through the firewall (which will eventually consume all resources if conns don't gracefully close). To achieve an unlimited timeout, you set the idle timer to 0:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">set connection timeout idle 0</PRE><P></P><P>Another feature that you may want to look into, though, is dead connection detection ('set connection timeout dcd'). This is a better method than an infinite timeout because only connections that still have an active socket on both endpoints will be kept open by the firewall. You can read about this feature here:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752">http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752</A></P><P></P><P>-Mike</P></BODY></HTML> Thu, 05 Jan 2012 14:45:13 GMT https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852395#M489401 mirober2 2012-01-05T14:45:13Z https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852396#M489402 <HTML><HEAD></HEAD><BODY><P>Hey Mike,</P><P></P><P>Thank you for the answer. I do however wonder if "CLASS_MAP_SSH" is a known value to the ASA (ie it knows to match tcp port 22), or must I within the class match ssh traffic (by matching a ACL)?</P><P></P><P>Thanks,</P></BODY></HTML> Thu, 05 Jan 2012 15:28:37 GMT https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852396#M489402 3moloz123 2012-01-05T15:28:37Z https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852397#M489403 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It is not a built-in class-map so you'd have to define it. The full config would look like this:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>class-map CLASS_MAP_SSH</P><P>&nbsp;&nbsp; match port tcp eq 22</P><P>policy-map global_policy</P><P>&nbsp;&nbsp; class CLASS_MAP_SSH</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set connection timeout...</P><P>service-policy global_policy global</P></PRE><P></P><P>or</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>access-list ssh permit tcp any any eq 22</P><P>class-map CLASS_MAP_SSH</P><P>&nbsp;&nbsp; match access-list ssh</P><P>policy-map global_policy</P><P>&nbsp;&nbsp; class CLASS_MAP_SSH</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; set connection timeout...</P><P>service-policy global_policy global</P></PRE><P></P><P>-Mike</P></BODY></HTML> Thu, 05 Jan 2012 15:33:29 GMT https://community.cisco.com/t5/network-security/disabling-timeouts-which-affect-ssh-tunnels/m-p/1852397#M489403 mirober2 2012-01-05T15:33:29Z