Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-23 Thread Julien Goodwin
On 23/12/10 21:34, Florian Weimer wrote:
 * Julien Goodwin:
 
 For my SRX at the office back when I installed it (9.6 IIRC) *TCP*
 keepalives would not extend session timeouts, but *SSH* keepalives
 worked very well, that's the ServerAliveInterval setting in OpenSSH.
 
 Typically, TCP keepalives happen at such long intervals that they do
 not keep firewall state alive.

In my specific case (whinging admin in internal IT, not production) they
were at least every minute.

We do actually have some systems that are so old/weird they don't
support the ServerAliveInterval, but they're all fairly minor so it's
not usually a problem.

-- 
Julien Goodwin
Studio442
Blue Sky Solutioneering
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-23 Thread Florian Weimer
* Julien Goodwin:

 For my SRX at the office back when I installed it (9.6 IIRC) *TCP*
 keepalives would not extend session timeouts, but *SSH* keepalives
 worked very well, that's the ServerAliveInterval setting in OpenSSH.

Typically, TCP keepalives happen at such long intervals that they do
not keep firewall state alive.

-- 
Florian Weimer            fwei...@bfk.de
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99



Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-22 Thread Maciej Jan Broniarz


On 10-12-20 18:04 user "Mark Kamichoff" p...@prolixium.com
wrote:

On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
 I don't know about the SRX, but I know with the SSG, the ScreenOS
 default timeout for TCP sessions was way too low (IIRC something like
 5 minutes) and would cause that.  I turned on SSH keepalives to avoid
 the timeout.

Yep, the SRX does the same thing with regards to timeouts.  The timeout
is 30 minutes for SSH by default, but you can extend it to longer by
adding a custom inactivity-timeout to the junos-ssh application:

{primary:node0}
p...@orb show configuration applications
application junos-ssh inactivity-timeout 3600;

Does junos-ssh apply to any SSH traffic, both the traffic to the SRX itself and
the traffic to the servers behind an SRX firewall?

Alternatively, you can set the tcp-rst option on the appropriate
zone(s), which will cause SSH sessions to disconnect immediately when
data is sent over an SSH session that's timed-out already:

{primary:node0}[edit]
p...@orb# show security zones security-zone trust
tcp-rst;
[...]


I'll try that.

Thanks :)

Mjb




Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-22 Thread Mark Kamichoff
On Wed, Dec 22, 2010 at 07:43:30PM +0100, Maciej Jan Broniarz wrote:
 {primary:node0}
 p...@orb show configuration applications
 application junos-ssh inactivity-timeout 3600;
 
 Does junos-ssh apply to any SSH traffic, both the traffic to the SRX itself
 and the traffic to the servers behind an SRX firewall?

In my experience, both.

(unless you're connected via the fxp0 interface in a cluster, which I
believe is excluded from the flow/state tracking)

- Mark

-- 
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/



Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-21 Thread Alfred Schweder
Hello

  I don't know about the SRX, but I know with the SSG, the ScreenOS
  default timeout for TCP sessions was way too low (IIRC something like
  5 minutes) and would cause that.  I turned on SSH keepalives to avoid
  the timeout.

Does SRX support SSH keepalive (like the M- or J-series)?

SSGs drop the ssh session if they get a keepalive.
Juniper isn't willing to fix this in the near future ;-(

Regards, Alf



Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-21 Thread Julien Goodwin
On 22/12/10 04:53, Alfred Schweder wrote:
 Does SRX support SSH keepalive (like the M- or J-series)?
 
 SSGs drop the ssh session if they get a keepalive.
 Juniper isn't willing to fix this in the near future ;-(

For my SRX at the office back when I installed it (9.6 IIRC) *TCP*
keepalives would not extend session timeouts, but *SSH* keepalives
worked very well, that's the ServerAliveInterval setting in OpenSSH.

It's arguable whether this is correct, but as everything I use supports
the SSH keepalives it works for me, as well as being much better at
noticing when a connection *does* drop.


-- 
Julien Goodwin
Studio442
Blue Sky Solutioneering


Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-21 Thread Barny Sanchez
Yes, it is supported in SRX, and you are right, it is not supported in ScreenOS;
it drops it.

Thanks!

- Barny

On Dec 21, 2010, at 8:08 PM, Julien Goodwin jgood...@studio442.com.au wrote:

 On 22/12/10 04:53, Alfred Schweder wrote:
 Does SRX support SSH keepalive (like the M- or J-series)?
 
 SSGs drop the ssh session if they get a keepalive.
 Juniper isn't willing to fix this in the near future ;-(
 
 For my SRX at the office back when I installed it (9.6 IIRC) *TCP*
 keepalives would not extend session timeouts, but *SSH* keepalives
 worked very well, that's the ServerAliveInterval setting in OpenSSH.
 
 It's arguable whether this is correct, but as everything I use supports
 the SSH keepalives it works for me, as well as being much better at
 noticing when a connection *does* drop.
 
 
 -- 
 Julien Goodwin
 Studio442
 Blue Sky Solutioneering



Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-20 Thread Chris Adams
Once upon a time, Maciej Jan Broniarz gau...@gausus.net said:
 I have a bunch of servers connected to a Juniper SRX. When I log on to them via
 SSH everything is fine, but when I leave the session idle for a few minutes
 it freezes and I have to close the connection and log in again. What might be
 the issue here?
 The problem only occurs when I connect to a server behind an SRX device.

I don't know about the SRX, but I know with the SSG, the ScreenOS
default timeout for TCP sessions was way too low (IIRC something like 5
minutes) and would cause that.  I turned on SSH keepalives to avoid the
timeout.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: [j-nsp] Juniper SRX and ssh freeze

2010-12-20 Thread Mark Kamichoff
On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
 I don't know about the SRX, but I know with the SSG, the ScreenOS
 default timeout for TCP sessions was way too low (IIRC something like
 5 minutes) and would cause that.  I turned on SSH keepalives to avoid
 the timeout.

Yep, the SRX does the same thing with regards to timeouts.  The timeout
is 30 minutes for SSH by default, but you can extend it to longer by
adding a custom inactivity-timeout to the junos-ssh application:

{primary:node0}
p...@orb show configuration applications 
application junos-ssh inactivity-timeout 3600;

The above configuration increases the inactivity timeout to an hour.
For me, I had one session built before I made that change, and one after
(look at the timeout value):

{primary:node0}
p...@orb show security flow session destination-prefix 10.3.8.18/32 node 0 
node0:
--

Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2

Alternatively, you can set the tcp-rst option on the appropriate
zone(s), which will cause SSH sessions to disconnect immediately when
data is sent over an SSH session that's timed-out already:

{primary:node0}[edit]
p...@orb# show security zones security-zone trust   
tcp-rst;
[...]

Hope this helps!

- Mark

-- 
Mark Kamichoff
p...@prolixium.com
http://www.prolixium.com/
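As an added example (not code from this thread or from Juniper), the following Python script ties together the two points made above: Mark's `show security flow session` output, whose `Timeout` column is the seconds left on each flow's inactivity timer, and Florian's observation that TCP keepalives are usually too infrequent to keep firewall state alive. It parses flow session text in the format quoted above and reports which SSH flows a given keepalive interval would fail to refresh. The sample output is constructed, modelled on the two sessions Mark shows (one under the default 1800 s junos-ssh timeout, one after raising it to 3600 s). The 7200 s figure is the Linux kernel default for `net.ipv4.tcp_keepalive_time`; the 60 s figure is an assumed, typical OpenSSH `ServerAliveInterval`.

```python
"""Check SSH flows through an SRX against the firewall's inactivity timer.

Added example for this thread; it is not Juniper code. It parses the
'show security flow session' text format quoted above and reports which
sessions a given keepalive interval would fail to keep alive.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the output quoted in the thread: one session
# built under the default junos-ssh timeout (1800 s) and one after it was
# raised to 3600 s. 'Timeout' is the seconds left on the inactivity timer.
SAMPLE_FLOW_OUTPUT = """\
Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2
"""

# Linux default for net.ipv4.tcp_keepalive_time: the first TCP keepalive probe
# goes out only after two idle hours, long after a 30-minute flow has expired.
LINUX_TCP_KEEPALIVE_TIME = 7200
# Assumed, typical OpenSSH ServerAliveInterval: a request every 60 s.
SSH_SERVER_ALIVE_INTERVAL = 60

HEADER_RE = re.compile(r"^Session ID: (\d+), .*Timeout: (\d+)")
IN_RE = re.compile(r"^\s*In: ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+)")


@dataclass
class FlowSession:
    session_id: int
    timeout: int   # seconds left before the SRX tears the flow down
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow_sessions(text: str) -> list[FlowSession]:
    """Pair each 'Session ID' header line with its 'In:' wing."""
    sessions = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (int(m.group(1)), int(m.group(2)))
            continue
        m = IN_RE.match(line)
        if m and header is not None:
            sid, timeout = header
            sessions.append(FlowSession(sid, timeout, m.group(1), int(m.group(2)),
                                        m.group(3), int(m.group(4)), m.group(5)))
            header = None
    return sessions


def keepalive_keeps_flow(interval: int, timeout: int) -> bool:
    """True if a probe every `interval` s crosses the SRX before the timer hits 0."""
    return interval < timeout


def sessions_at_risk(sessions, interval, port=22):
    """IDs of SSH flows whose idle timer would run out between two keepalives."""
    return [s.session_id for s in sessions
            if s.dport == port and not keepalive_keeps_flow(interval, s.timeout)]


if __name__ == "__main__":
    flows = parse_flow_sessions(SAMPLE_FLOW_OUTPUT)
    for name, interval in (("TCP keepalive (Linux default)", LINUX_TCP_KEEPALIVE_TIME),
                           ("SSH ServerAliveInterval", SSH_SERVER_ALIVE_INTERVAL)):
        print(f"{name}: {interval}s -> at risk: {sessions_at_risk(flows, interval)}")
```

Run against the sample, the TCP keepalive default flags both sessions while a 60 s ServerAliveInterval flags neither, which is the behaviour Julien and Florian describe. Feeding it real `show security flow session` output lets you spot long-lived sessions whose remaining timer is already shorter than your clients' keepalive interval.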

