On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
> I don't know about the SRX, but I know with the SSG, the ScreenOS
> default timeout for TCP sessions was way too low (IIRC something like
> 5 minutes) and would cause that. I turned on SSH keepalives to avoid
> the timeout.
Yep, the SRX does the same thing with regards to timeouts. The timeout is 30 minutes for SSH by default, but you can extend it to longer by adding a custom inactivity-timeout to the junos-ssh application:

{primary:node0}
p...@orb> show configuration applications application junos-ssh
inactivity-timeout 3600;

The above configuration increases the inactivity timeout to an hour. For me, I had one session built before I made that change, and one after (look at the timeout value):

{primary:node0}
p...@orb> show security flow session destination-prefix 10.3.8.18/32 node 0
node0:
--------------------------------------------------------------------------
Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2

Alternatively, you can set the tcp-rst option on the appropriate zone(s), which will cause SSH sessions to disconnect immediately when data is sent over an SSH session that's timed-out already:

{primary:node0}[edit]
p...@orb# show security zones security-zone trust
tcp-rst;
[...]

Hope this helps!

- Mark

--
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
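To check the effect of such a change across many sessions rather than by eye, here is an added example (not from the thread or from Juniper) that parses `show security flow session` output as quoted above and reports the SSH sessions that will be aged out within a given number of idle seconds. The sample text is constructed from the two sessions in the message; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two sessions from the thread, one built under the
# 1800 s default and one after inactivity-timeout was raised to 3600 s.
SAMPLE_OUTPUT = """\
Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556
Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), State: (\w+), Timeout: (\d+)")
FLOW_RE = re.compile(r"(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class FlowSession:
    session_id: int
    policy: str
    state: str
    timeout: int        # seconds left before the SRX ages the session out if idle
    src: str = ""       # taken from the "In:" wing (client side)
    dst: str = ""
    proto: str = ""


def parse_flow_sessions(text: str) -> List[FlowSession]:
    """Turn the session table into records; each In: line attaches to the last session header."""
    sessions: List[FlowSession] = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append(FlowSession(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
            continue
        f = FLOW_RE.search(line.strip())
        if f and sessions and f.group(1) == "In":
            sessions[-1].src, sessions[-1].dst, sessions[-1].proto = f.group(2), f.group(3), f.group(4)
    return sessions


def ssh_sessions_aging_out_within(sessions: List[FlowSession], idle_seconds: int) -> List[FlowSession]:
    """SSH (dst port 22) sessions the firewall will drop if nothing flows for idle_seconds."""
    return [s for s in sessions if s.dst.endswith("/22") and s.proto == "tcp" and s.timeout <= idle_seconds]
```

Run it against a fresh capture after committing the inactivity-timeout change: sessions that still show up with the 1800 s budget were built before the commit and will need a keepalive or a reconnect.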
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp