Daniel_lauck
New Member
July 25, 2014
Question

Stateful inspection and SSH sessions

  • July 25, 2014
  • 7 replies
  • 14025 views
Hi everyone, I have a general doubt about session timeouts in stateful firewalls, in my case using a FortiGate device. Inside my network we have some developers, and they have several SSH connections opened to several external servers (internet). They complain about frequent disconnections on their sessions. They claim that an SSH session, once opened, must remain active even without use (idle). They open a session, type some commands, and a few minutes later when they type more commands the session is gone. I checked the TTL times for SSH, and adjusted them to 10 minutes, but no result. Is there any other adjustment that can be done, or are they working "wrong", keeping the sessions opened? Daniel Lauck


    Warren_Olson_FTNT
    Staff
    July 25, 2014
    Daniel, are you certain the FortiGate is killing the session and not the remote servers? You could also try enabling null pings within PuTTY (or whatever program you're using) to keep the session alive. The default session TTL should be an hour, at least on 5.2.
    Dave_Hall
    New Member
    July 25, 2014
    I suggest try enabling the TCP keepalive option in your Putty sessions.
    emnoc
    New Member
    July 25, 2014
    Other useful commands:

        diag sys session ttl

    To monitor the SSH sessions:

        diag sys session filter dport 22
        diag sys session list
    echo
    Explorer II
    August 18, 2014
    Hello! I had the same problem after I started using an FG60D. I tried SSH keepalives, but that didn't help. I found that there is another way, although I don't know yet if it works, I just entered this configuration. Our FG60D has "v5.2.0,build0589 (GA)".

        config system session-ttl
            config port
                edit 22
                    set protocol 6
                    set timeout never
                    set start-port 22
                    set end-port 22
                next
            end
        end
    ede_pfau
    SuperUser
    August 18, 2014
    Putting it together:
        gate # diag sys session ttl
        list session timeout:
        Default timeout=3600
        protocol=17 port=[53-53] timeout=90

    emnoc is right in stating that the default session timeout is 3600 seconds. As you can see in my example I've shortened the DNS session lifespan to 90 seconds on my FGT. So what echo did was to define a protocol/port-specific idle session timeout. Assuming the OP has not changed the default, it's clear that the session is closed from the remote side (i.e. the server).
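The thread's diagnostic boils down to one question: is the FortiGate's own idle timer the thing removing the session, or is the session being torn down while that timer still has plenty of time left? The script below is an added example, not code from this thread or from Fortinet: it parses the two outputs discussed above (`diag sys session ttl` and `diag sys session list`, after `diag sys session filter dport 22`), picks out the TCP/22 sessions, and reports how close each one is to the firewall's expiry. The sample outputs are constructed, and the exact field layout of `diag sys session list` (the `session info: proto=... expire=... timeout=...` line and the `hook=... dir=org ... src:port->dst:port` line) is assumed from memory of the FortiOS format; check it against your own unit before trusting the regexes.

```python
"""Inspect FortiGate session-table output for SSH sessions nearing expiry.

Added example; not part of the original thread. Output formats are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample `diag sys session ttl` output, in the shape shown in the
# thread: one default timeout plus per-protocol/port overrides.
SAMPLE_TTL = """\
list session timeout:
Default timeout=3600
protocol=17 port=[53-53] timeout=90
"""

# Constructed sample `diag sys session list` output, three session records.
# Field layout is an assumption about the FortiOS format.
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=3412 expire=188 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:51234->203.0.113.5:22(203.0.113.2:51234)
hook=pre dir=reply act=dnat 203.0.113.5:22->203.0.113.2:51234(192.168.1.10:51234)
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.11:40000->198.51.100.9:22(203.0.113.2:40000)
hook=pre dir=reply act=dnat 198.51.100.9:22->203.0.113.2:40000(192.168.1.11:40000)
session info: proto=17 proto_state=00 duration=5 expire=85 timeout=90 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 192.168.1.11:53000->203.0.113.53:53(203.0.113.2:53000)
hook=pre dir=reply act=dnat 203.0.113.53:53->203.0.113.2:53000(192.168.1.11:53000)
total session 3
"""

INFO_RE = re.compile(r"^session info: (?P<kv>.*)$")
ORG_RE = re.compile(
    r"^hook=\S+ dir=org .*?(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
DEFAULT_RE = re.compile(r"^Default timeout=(?P<to>\d+)$")
TTL_RE = re.compile(
    r"^protocol=(?P<proto>\d+) port=\[(?P<lo>\d+)-(?P<hi>\d+)\] timeout=(?P<to>\w+)$"
)


@dataclass
class Session:
    proto: int
    proto_state: str
    duration: int   # seconds the session has existed
    expire: int     # seconds left on the firewall's idle timer
    timeout: int    # idle timeout the timer resets to on each packet
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0


def parse_session_list(text: str) -> List[Session]:
    """Turn `diag sys session list` output into Session records."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = INFO_RE.match(line)
        if m:
            kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
            sessions.append(Session(int(kv["proto"]), kv["proto_state"],
                                    int(kv["duration"]), int(kv["expire"]),
                                    int(kv["timeout"])))
            continue
        m = ORG_RE.match(line)
        if m and sessions:  # originating direction gives the real dst port
            s = sessions[-1]
            s.src, s.sport = m.group("src"), int(m.group("sport"))
            s.dst, s.dport = m.group("dst"), int(m.group("dport"))
    return sessions


def ttl_for(text: str, proto: int, port: int) -> Optional[int]:
    """Effective idle timeout from `diag sys session ttl`; None means 'never'."""
    default = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEFAULT_RE.match(line)
        if m:
            default = int(m.group("to"))
            continue
        m = TTL_RE.match(line)
        if m and int(m.group("proto")) == proto and int(m.group("lo")) <= port <= int(m.group("hi")):
            return None if m.group("to") == "never" else int(m.group("to"))
    return default


def ssh_sessions(text: str) -> List[Session]:
    """Only TCP sessions whose originating destination port is 22."""
    return [s for s in parse_session_list(text) if s.proto == 6 and s.dport == 22]


def verdict(s: Session, warn_seconds: int = 300) -> str:
    """Judge, from the firewall's own timer, whether it is about to drop the session."""
    if s.expire <= warn_seconds:
        return "firewall idle timer about to expire"
    return "firewall not the problem yet"


if __name__ == "__main__":
    print("TCP/22 idle timeout:", ttl_for(SAMPLE_TTL, 6, 22))
    for s in ssh_sessions(SAMPLE_SESSIONS):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"expire={s.expire}/{s.timeout}: {verdict(s)}")
```

Use it on a session the developers say just died: if the record is still in the table with `expire` well above zero, the FortiGate did not time it out and the remote sshd or an intermediate device is the better suspect; if `expire` was counting down from `timeout` and the record vanished when it hit zero, the firewall's idle timer (or echo's per-port `session-ttl`) is what to tune, or the client should send keepalives so the timer keeps resetting.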
    Istvan_Takacs_FTNT
    Staff
    August 18, 2014
    Also you might need to have a look at a holistic level sometimes to figure out why the sessions are dropping. I just found recently, during troubleshooting a similar session-dropping issue, that F5 LTMs on a network will kill the session if they think that either their local session TTL is reached or, assuming that nothing is happening because they are not detecting any communication within the session. So if you followed all the other advice above and you still have the issue, you then need to investigate whether any other device between your developers and the other end is potentially killing the sessions. The challenge is that sometimes you have no visibility of the full stack; just don't be quick to jump the gun and blame the FGT.
    echo
    Explorer II
    August 19, 2014
    Now my SSH session outside is still up since yesterday, so that "config system session-ttl" helped. There is a danger, yes, that in time they fill up something, but we don't have such massive outside SSH.