On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
> I don't know about the SRX, but I know with the SSG, the ScreenOS
> default timeout for TCP sessions was way too low (IIRC something like
> 5 minutes) and would cause that.  I turned on SSH keepalives to avoid
> the timeout.

Yep, the SRX does the same thing with regards to timeouts.  The timeout
is 30 minutes for SSH by default, but you can extend it to longer by
adding a custom inactivity-timeout to the junos-ssh application:

{primary:node0}
p...@orb> show configuration applications 
application junos-ssh inactivity-timeout 3600;

The above configuration increases the inactivity timeout to an hour.
For me, I had one session built before I made that change, and one after
(look at the timeout value):

{primary:node0}
p...@orb> show security flow session destination-prefix 10.3.8.18/32 node 0 
node0:
--------------------------------------------------------------------------

Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2

Alternatively, you can set the tcp-rst option on the appropriate
zone(s), which will cause SSH sessions to disconnect immediately when
data is sent over an SSH session that's timed-out already:

{primary:node0}[edit]
p...@orb# show security zones security-zone trust                   
tcp-rst;
[...]

Hope this helps!

- Mark

-- 
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
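As an added example (my own code, not part of Mark's post), a small parser for the `show security flow session` output shown above: it pulls each session's remaining Timeout and flags SSH sessions that may still be running on the old 30-minute value. It assumes the Timeout field counts down from the application's inactivity-timeout (consistent with the 1796 and 3594 values in the post) and uses the post's own output as sample input.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input copied from the post above (two SSH sessions: one built before
# the inactivity-timeout change, one after).
SAMPLE = """\
Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: (\S+), State: (\w+), Timeout: (\d+)")
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")


@dataclass
class Session:
    sid: int
    policy: str
    state: str
    timeout: int      # seconds remaining before the SRX ages the session out
    dst_port: int = 0  # destination port of the "In" wing
    proto: str = ""


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI output into Session records, one per 'Session ID' block."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sessions.append(Session(int(m[1]), m[2], m[3], int(m[4])))
            continue
        w = WING.match(line)
        if w and w[1] == "In" and sessions:
            sessions[-1].dst_port = int(w[5])
            sessions[-1].proto = w[6]
    return sessions


def ssh_sessions_possibly_on_old_timeout(sessions: List[Session], old_max: int = 1800) -> List[int]:
    """IDs of TCP/22 sessions whose remaining Timeout never exceeds the old
    30-minute ceiling. A value above old_max proves the new application
    timeout applied; a value at or below it is inconclusive from one snapshot,
    so these are the sessions worth re-checking (or rebuilding)."""
    return [s.sid for s in sessions
            if s.proto == "tcp" and s.dst_port == 22 and s.timeout <= old_max]
```

Run it against a fresh `show security flow session` capture after committing the junos-ssh change; any SSH session that still shows up is one built before the commit.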


_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp