03-25-2010 11:14 PM - edited 03-11-2019 10:26 AM
Hi
I am trying to configure my ASA (ASA5520) to have an SSH timeout of 48 hours.
This is the config I use to realize that:
class-map CLASS_MAP_ANY
 match any
class-map CLASS_MAP_SSH
 match port tcp eq ssh
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dns
  inspect ip-options
 class CLASS_MAP_ANY
  set connection random-sequence-number disable
  set connection decrement-ttl
 class CLASS_MAP_SSH
  set connection random-sequence-number disable
  set connection timeout idle 48:00:00 reset
  set connection decrement-ttl
service-policy global_policy global
With this configuration every SSH connection through the ASA drops after exactly 2 hours. (Although the default was 1h.)
Does anybody have a hint for me?
Thanks
Patrik
03-26-2010 03:41 AM
How are the SSH client and server connected? Directly off the ASA? Or could it be another network device that is set with an absolute TCP timeout of 2 hours, hence the timeout occurs? Is it the same SSH server that the client is trying to access? Maybe the SSH server is configured for a maximum of 2 hours per connection.
The configuration that you have is setting the idle timeout to 48 hours, not an absolute timeout of 48 hours.
03-26-2010 04:18 AM
The client-network is directly connected.
The server is on the outside interface of the ASA. There are some other routers and switches in between, but they do not seem to be the problem. If I connect the client to the network which is outside the ASA, the timeout does not occur, even with the same outside routers and switches in between. This lets me assume that the timeout occurs on the ASA and not on any other intermediate system, and also not on the server.
So, any other ideas?
btw: what do I need the 'absolute timeout' for, and where do I configure it?
03-26-2010 04:46 AM
Apologies, the absolute timeout is only for connections with uauth; it is currently not supported on normal connections.
Can you please change the sequence of your classes so that the CLASS_MAP_SSH class is above the CLASS_MAP_ANY class, as follows:
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dns
  inspect ip-options
 class CLASS_MAP_SSH
  set connection random-sequence-number disable
  set connection timeout idle 48:00:00 reset
  set connection decrement-ttl
 class CLASS_MAP_ANY
  set connection random-sequence-number disable
  set connection decrement-ttl
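The reason the reordering above works: the ASA evaluates the classes of a policy-map in order, and for the connection-settings feature ("set connection ...") only the first matching class is applied to a flow. In the original ordering, CLASS_MAP_ANY ("match any") carried connection settings and sat above CLASS_MAP_SSH, so every SSH flow took its idle timeout from CLASS_MAP_ANY (i.e. the default) and the 48-hour setting was dead configuration. The script below is an added example, not Cisco tooling and not part of this thread: it parses the subset of MPF syntax used here, reports "set connection" actions shadowed by an earlier catch-all class, and emits the policy-map with catch-all classes moved last. The abbreviated config it runs on is constructed from the poster's original ordering.

```python
"""Lint an ASA policy-map for the first-match pitfall from this thread.

Added example (not Cisco tooling): the parser understands only the MPF subset
used in the thread (class-map/match, policy-map/class/actions).  For the
connection-settings feature only the first matching class in a policy-map
applies, so a "match any" class with "set connection" actions placed above a
more specific class silently absorbs that class's idle timeout.
"""

# Constructed input: the poster's original (broken) ordering, abbreviated.
CONFIG_BEFORE = """\
class-map CLASS_MAP_ANY
 match any
class-map CLASS_MAP_SSH
 match port tcp eq ssh
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
 class CLASS_MAP_ANY
  set connection random-sequence-number disable
  set connection decrement-ttl
 class CLASS_MAP_SSH
  set connection random-sequence-number disable
  set connection timeout idle 48:00:00 reset
  set connection decrement-ttl
service-policy global_policy global
"""


def parse_mpf(config):
    """Return ({class_map: [match lines]}, {policy_map: [(class, [actions])]})."""
    class_maps, policy_maps = {}, {}
    cur_cm = cur_pm = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("class-map "):
            cur_cm, cur_pm = line.split(None, 1)[1], None
            class_maps[cur_cm] = []
        elif line.startswith("policy-map "):
            cur_pm, cur_cm = line.split(None, 1)[1], None
            policy_maps[cur_pm] = []
        elif line.startswith("service-policy"):
            cur_cm = cur_pm = None          # top-level line ends the policy-map block
        elif line.startswith("match ") and cur_cm is not None:
            class_maps[cur_cm].append(line)
        elif line.startswith("class ") and cur_pm is not None:
            policy_maps[cur_pm].append((line.split(None, 1)[1], []))
        elif cur_pm is not None and policy_maps[cur_pm]:
            policy_maps[cur_pm][-1][1].append(line)   # inspect ... / set connection ...
    return class_maps, policy_maps


def is_catch_all(cls, class_maps):
    return "match any" in class_maps.get(cls, [])


def shadowed_connection_settings(classes, class_maps):
    """List (shadowed_class, shadowing_class, action) for every 'set connection'
    action that can never apply because an earlier catch-all class in the same
    policy-map already carries connection settings."""
    issues, shadow = [], None
    for cls, actions in classes:
        conn = [a for a in actions if a.startswith("set connection ")]
        if shadow is not None:
            issues.extend((cls, shadow, a) for a in conn)
        elif conn and is_catch_all(cls, class_maps):
            shadow = cls
    return issues


def reorder_catch_all_last(classes, class_maps):
    """The fix from the thread: specific classes first, catch-all classes last,
    relative order otherwise preserved."""
    specific = [c for c in classes if not is_catch_all(c[0], class_maps)]
    catch_all = [c for c in classes if is_catch_all(c[0], class_maps)]
    return specific + catch_all


def render(class_maps, policy_maps):
    """Render class-maps and policy-maps in ASA style (service-policy lines are not reproduced)."""
    out = []
    for name, matches in class_maps.items():
        out.append(f"class-map {name}")
        out.extend(f" {m}" for m in matches)
    for name, classes in policy_maps.items():
        out.append(f"policy-map {name}")
        for cls, actions in classes:
            out.append(f" class {cls}")
            out.extend(f"  {a}" for a in actions)
    return "\n".join(out) + "\n"


def lint(config, policy_map="global_policy"):
    class_maps, policy_maps = parse_mpf(config)
    return shadowed_connection_settings(policy_maps[policy_map], class_maps)


def fix(config, policy_map="global_policy"):
    class_maps, policy_maps = parse_mpf(config)
    policy_maps[policy_map] = reorder_catch_all_last(policy_maps[policy_map], class_maps)
    return render(class_maps, policy_maps)


if __name__ == "__main__":
    for cls, by, action in lint(CONFIG_BEFORE):
        print(f"{cls}: '{action}' is shadowed by earlier catch-all class {by}")
    print(fix(CONFIG_BEFORE))
```

Run on the constructed input, the linter reports all three "set connection" lines of CLASS_MAP_SSH as shadowed by CLASS_MAP_ANY; on the reordered output it reports nothing. On the ASA itself, `show service-policy` lists the classes of each policy in the order they are evaluated, which is the quickest way to confirm that the specific class really sits above the catch-all after the change.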
03-29-2010 01:30 AM
Thanks to halijenn.
This was it. Now my SSH connection works longer than 2 hours.
Great!