https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400004#M684833 <HTML><HEAD></HEAD><BODY><P>How is the SSH Client and server connected? Directly off the ASA? or could it be other network device which is set with the absolute TCP timeout of 2 hours, hence the timeout occur? Are they the same SSH server that the client is trying to access? Maybe the SSH server is configured for maximum of 2 hours connection.</P><P></P><P>The configuration that you have is setting the idle timeout to be 48 hours, not absolute timeout of 48 hours.</P></BODY></HTML> Fri, 26 Mar 2010 10:41:20 GMT Jennifer Halim 2010-03-26T10:41:20Z https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400003#M684831 <P>Hi</P><P></P><P>I try to configure my ASA (ASA5520) to have an SSH timeout of 48 hours.</P><P><BR />This is the config I use to realize that:</P><P></P><P>class-map CLASS_MAP_ANY<BR /> match any<BR />class-map CLASS_MAP_SSH<BR /> match port tcp eq ssh<BR />class-map inspection_default<BR /> match default-inspection-traffic</P><P></P><P>policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />&nbsp; inspect icmp <BR />&nbsp; inspect icmp error <BR />&nbsp; inspect dns <BR />&nbsp; inspect ip-options <BR /> class CLASS_MAP_ANY<BR />&nbsp; set connection random-sequence-number disable<BR />&nbsp; set connection decrement-ttl<BR /> class CLASS_MAP_SSH<BR />&nbsp; set connection random-sequence-number disable<BR />&nbsp; set connection timeout idle 48:00:00 reset <BR />&nbsp; set connection decrement-ttl</P><P></P><P>service-policy global_policy global</P><P></P><P></P><P>With this configuration every SSH connection throught the ASA drops afer exactly 2 hours. (Although the default was 1h).</P><P></P><P>Does anybody hav a hint for me?</P><P></P><P></P><P>Thanks</P><P>Patrik</P> Mon, 11 Mar 2019 17:26:13 GMT https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400003#M684831 patrik.spiess 2019-03-11T17:26:13Z https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400004#M684833 <HTML><HEAD></HEAD><BODY><P>How is the SSH Client and server connected? Directly off the ASA? or could it be other network device which is set with the absolute TCP timeout of 2 hours, hence the timeout occur? Are they the same SSH server that the client is trying to access? Maybe the SSH server is configured for maximum of 2 hours connection.</P><P></P><P>The configuration that you have is setting the idle timeout to be 48 hours, not absolute timeout of 48 hours.</P></BODY></HTML> Fri, 26 Mar 2010 10:41:20 GMT https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400004#M684833 Jennifer Halim 2010-03-26T10:41:20Z https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400005#M684838 <HTML><HEAD></HEAD><BODY><P>The client-network is directly connected.</P><P>The server is on the outside interface of the ASA. There are some other routers and switches between, but they seem not to be the problem. If I connect the client to the network which is outside the ASA the timeout does not occur. Even if the same outside routers and switches are between. This let me assume that the timeout occurs on the ASA an not on any other internediate system, and also not on the server.</P><P></P><P><BR />So, any other ideas?</P><P>btw. : what do I the 'absolute timeout' need for and where do I configure that?</P></BODY></HTML> Fri, 26 Mar 2010 11:18:23 GMT https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400005#M684838 patrik.spiess 2010-03-26T11:18:23Z https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400006#M684842 <HTML><HEAD></HEAD><BODY><P>Apology, absolute timeout is only for connection with uauth, currently not supported on normal connection.</P><P></P><P>Can you please move the sequence of your class-map where the CLASS_MAP_SSH class is above CLASS_MAP_ANY class as follows:</P><P>policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect ftp <BR />&nbsp;&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp;&nbsp; inspect rtsp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect&nbsp; xdmcp <BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />&nbsp; inspect icmp <BR />&nbsp;&nbsp; inspect icmp error <BR />&nbsp; inspect dns <BR />&nbsp; inspect ip-options</P><P>class CLASS_MAP_SSH<BR />&nbsp;&nbsp; set connection&nbsp; random-sequence-number disable<BR />&nbsp;&nbsp; set connection timeout idle&nbsp; 48:00:00 reset <BR />&nbsp;&nbsp; set connection decrement-ttl<BR /> class&nbsp; CLASS_MAP_ANY<BR />&nbsp; set connection random-sequence-number disable<BR />&nbsp;&nbsp; set connection decrement-ttl</P></BODY></HTML> Fri, 26 Mar 2010 11:46:07 GMT https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400006#M684842 Jennifer Halim 2010-03-26T11:46:07Z https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400007#M684853 <HTML><HEAD></HEAD><BODY><P>Thanks to halijenn</P><P>This was it. Now my ssh connection works longer than 2 hours.</P><P></P><P>Great !</P></BODY></HTML> Mon, 29 Mar 2010 08:30:00 GMT https://community.cisco.com/t5/network-security/asa-ssh-timeout/m-p/1400007#M684853 patrik.spiess 2010-03-29T08:30:00Z