Disabling timeouts which affect SSH tunnels

3moloz123
Level 1

Hi,

I'm running 8.3 on a 5505. We've got a few SSH tunnels originating from inside to some place on the internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is an infinite timeout (0) for these SSH tunnels.

Suggestion 1, alter timeout "conn". Default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would be closed, ever. If it however is recommended to alter, how to set it to "0" (off/unlimited)?

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Suggestion 2, enable an SSH class map which explicitly sets the timeout for the SSH connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?

class CLASS_MAP_SSH
   set connection random-sequence-number disable
   set connection timeout idle 48:00:00 reset
   set connection decrement-ttl

Thanks in advance


3 Replies

mirober2
Cisco Employee

Hello,

If you're sure you want to disable the timeout, suggestion 2 is the recommended method because it will only affect SSH traffic and not every TCP connection through the firewall (which will eventually consume all resources if conns don't gracefully close). To achieve an unlimited timeout, you set the idle timer to 0:

set connection timeout idle 0

Another feature that you may want to look into, though, is dead connection detection ('set connection timeout dcd'). This is a better method than an infinite timeout because only connections that still have an active socket on both endpoints will be kept open by the firewall. You can read about this feature here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/conns_connlimits.html#wp1080752

-Mike

Hey Mike,

Thank you for the answer. I do however wonder if "CLASS_MAP_SSH" is a known value to the ASA (i.e. it knows to match TCP port 22), or must I within the class match SSH traffic (by matching an ACL)?

Thanks,

Hello,

It is not a built-in class-map so you'd have to define it. The full config would look like this:

class-map CLASS_MAP_SSH
   match port tcp eq 22

policy-map global_policy
   class CLASS_MAP_SSH
      set connection timeout...

service-policy global_policy global

or

access-list ssh permit tcp any any eq 22

class-map CLASS_MAP_SSH
   match access-list ssh

policy-map global_policy
   class CLASS_MAP_SSH
      set connection timeout...

service-policy global_policy global

-Mike
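The pieces from Mike's two replies, put together as one complete ASA 8.3 configuration. This is an added example, not text from the thread or Cisco documentation: it uses the ACL-based class-map from the second reply and the dead connection detection (DCD) option from the first reply in place of an infinite idle timer. The ACL name SSH_TUNNELS and the DCD retry values (probe every 15 minutes, give up after 5 unanswered probes) are assumptions chosen for illustration; the sequence-number randomization and TTL settings from the original question are deliberately left at their defaults because they have no bearing on the timeout problem.

```cisco
! Added example (not from the thread): keep long-lived outbound SSH tunnels up
! with DCD rather than disabling the idle timer for all SSH connections.
! Names and DCD parameters below are assumptions for illustration.

! Match the tunnels by ACL so the class can later be narrowed to specific hosts.
access-list SSH_TUNNELS extended permit tcp any any eq 22

class-map CLASS_MAP_SSH
   match access-list SSH_TUNNELS

! global_policy already exists on a default ASA config (it carries
! inspection_default); this only appends a new class to it.
policy-map global_policy
   class CLASS_MAP_SSH
      ! When the idle timer (default 1:00:00) expires, the ASA probes both
      ! endpoints instead of tearing the connection down. The conn is removed
      ! only if 5 consecutive probes, 15 minutes apart, go unanswered.
      set connection timeout dcd 0:15:00 5

! Alternative discussed in the thread (less safe: the conn is never aged out,
! even if one endpoint silently disappears):
!      set connection timeout idle 0

service-policy global_policy global
```

After applying it, `show service-policy` confirms that the class is attached to the global policy. The reason to prefer DCD over `idle 0` is the one Mike gives: with DCD, a tunnel whose far end has gone away still gets cleaned up, so a stalled endpoint cannot accumulate connection-table entries on the firewall indefinitely.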
