Hi,
We are having an issue where SSH keeps timing out when idle. This happens only for one IP segment / VLAN.
Not sure if this is related to the FW since we have multiple switches in between.
User -> Floor Switch -> CS Switch -> FW -> Servers
When logging in and idle for 5s, the session closes. In the FortiGate I tried configuring session-ttl based on the FG forum, but it is still the same:
config system session-ttl
    config port
        edit 22
            set protocol 6
            set timeout never
            set start-port 22
            set end-port 22
        next
    end
end
Has anyone experienced this?
TQ
Hi @Asyraf
This 5s timeout is probably configured at the SSH client level or the SSH server level.
The default session TTL in FG is 1h if I'm not wrong.
You can run a packet capture to prove it. Filter for the SSH port and the test IP - 5s is not a lot to wait. You will see who sends the FIN packet. Also, you can check immediately after whether the session is still kept in the FG (it should be kept for a max of 2s after the FIN - so you should be fast).
Hi, thanks for the suggestion. Based on the packet capture (Wireshark), I can't find which device (server / client) is sending the FIN packet. For this scenario I ran the packet capture on the client laptop. After 5 - 10s the session closes. We have other servers configured on other network segments, and those segments work fine. Only this segment is facing the session timeout issue. Also @AEK, I configured a new Linux server (VM) with default settings and it is the same.
Hi Asyraf
Can you try a packet capture from the FortiGate and see who (client or server) sends the FIN or RST.
Also, can you tell us more about this segment? Does it have a dual path with LB? Does it have the same behavior with other encrypted and unencrypted protocols, or only SSH? Are you using deep inspection? ... etc.
As @AEK said, the packet capture on client alone doesn't help.
You need the capture on FortiGate CLI, on "any" interface:
diag sniffer packet any "host x.x.x.x and host y.y.y.y" 6 0 l
https://docs.fortinet.com/document/fortigate/7.0.8/administration-guide/680228
Then you convert the text capture to pcap with one of the tools available, for example:
https://github.com/ondrejholecek/sniftran (which also adds the interface label for easy reading)
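To act on the capture advice above without a pcap conversion, here is an added Python helper (not from this thread, from Fortinet, or from sniftran) that reads the text output of `diag sniffer packet any "host x.x.x.x and host y.y.y.y" 6 0 l`, skips the hex-dump lines, and reports which side sent the first FIN or RST and on which FortiGate interface it was first seen. The summary-line format is an assumption based on the sniffer's verbose-4/6 output, and the sample capture, interface names and addresses are constructed.

```python
import re

# Assumed summary line of 'diag sniffer packet ... 6 0 l':
#   "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags...>"
# The hex-dump lines that verbose level 6 prints underneath do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

def parse_sniffer(text):
    """Return the packet summary lines of a sniffer dump as dicts, in capture order."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, filter echo, or hex-dump line
        p = m.groupdict()
        words = p["flags"].split()
        p["fin"], p["rst"] = "fin" in words, "rst" in words
        pkts.append(p)
    return pkts

def teardown_origin(pkts, server_ip):
    """Return who sent the first FIN/RST and where it was first seen, or None."""
    # A forwarded packet is seen 'in' on its ingress interface before 'out' on the
    # egress one, so a FIN/RST whose first appearance is 'out' was generated by the
    # FortiGate itself (session cleared, policy deny) rather than by either host.
    for p in pkts:
        if not (p["fin"] or p["rst"]):
            continue
        kind = "RST" if p["rst"] else "FIN"
        if p["dir"] == "out":
            origin = "fortigate"
        else:
            origin = "server" if p["src"] == server_ip else "client"
        return {"kind": kind, "origin": origin, "intf": p["intf"], "ts": p["ts"]}
    return None  # no teardown captured: the session died silently (drop), not a close

# Constructed sample (made-up addresses): handshake, then the server closes after ~5s idle.
SAMPLE = """\
filters=[host 10.10.20.5 and host 10.10.30.40]
2024-05-02 09:15:01.000101 port2 in 10.10.20.5.51514 -> 10.10.30.40.22: syn 100
2024-05-02 09:15:01.000150 port3 out 10.10.20.5.51514 -> 10.10.30.40.22: syn 100
2024-05-02 09:15:01.000900 port3 in 10.10.30.40.22 -> 10.10.20.5.51514: syn 200 ack 101
0x0000\t 0050 56a1 0001 0050 5632 1234 0800 4500\t.PV....PV2....E.
2024-05-02 09:15:01.000950 port2 out 10.10.30.40.22 -> 10.10.20.5.51514: syn 200 ack 101
2024-05-02 09:15:06.300000 port3 in 10.10.30.40.22 -> 10.10.20.5.51514: fin 1337 ack 1580
2024-05-02 09:15:06.300050 port2 out 10.10.30.40.22 -> 10.10.20.5.51514: fin 1337 ack 1580
"""
```

Run `teardown_origin(parse_sniffer(open("capture.txt").read()), server_ip="y.y.y.y")` on a saved sniffer dump; an `origin` of `fortigate`, or `None` with the session gone from the session table, points at the firewall rather than at the SSH client or server.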