
Annoying SSH timeouts with Cisco ASA (5540, 5500)

Status
Not open for further replies.

forrie (MIS, US), Mar 6, 2009
Since installing our Cisco ASAs to replace the old clunker Nokias, we've had problems with people's SSH sessions timing out due to inactivity. This was never a problem before, so we weren't doing anything in particular with SSHD itself.

I notice there is a timeout for SSH in the config, but best I can tell, that is either universal or is specific to the management connection.

Can someone elaborate? I would like to disable it - I get enough complaints from our dev people and my own sessions from home (over VPN) time out (thankfully, I use "screen")...

Thanks.
 
The reason for the timeout value is security. You can set the timeout to 0 and the session will remain open until you explicitly close it. Make sure you lock your workstation if you walk away from it for an extended period of time.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We restrict access to the ASA to the inside network, so I'm not worried.

So, just to clarify, this value affects all SSH sessions universally. It seems counter-intuitive; unless I misunderstand the config directive, it should be more flexible. I can understand restricting the timeout TO the management interface/ASA itself, but having that same variable affect other SSH connections on the internal RFC networks is quite annoying.

Am I understanding this correctly?

Thank you.
 
So you're not concerned with SSH traffic TO the ASA, you're concerned with SSH traffic passing THROUGH the ASA?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We allow SSH traffic to the ASA from inside the network(s).

But passing through the ASA, on our internal networks and also via VPN, we experience the timeouts -- and I get complaints from the developers. It happens to me, too.

I haven't figured out how to disable it.

 
You can change the global TCP connection timeout, which will resolve your pass-through SSH timeout issue. The default timeout is 30 min. You can change it with the command below.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Regards,
Mustafa Gangardiwala

Mustafa Gangardiwala
CCIE-Security # 16253, CISA
CISM,CISSP,INFOSEC, MCSE, CNE
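As an added illustration (not posted by anyone in this thread), here are the two different ASA timeouts the discussion runs together, side by side. The `ssh timeout` command only governs management sessions to the ASA itself; SSH sessions passing through the firewall are expired by the connection idle timers, either the global `timeout conn` value or a per-traffic-class `set connection timeout` in a policy-map, which lets you relax the limit for port 22 only instead of for every TCP flow. The access-list and class-map names and the 8-hour value are made up for this example; `global_policy` is the policy-map the ASA applies globally by default. On older ASA releases the `set connection timeout` keyword is `tcp` rather than `idle`, so check `set connection timeout ?` on your version.

```cisco
! Management SSH *to* the ASA: idle limit in minutes (1-60, default 5).
! This does NOT affect sessions passing through the firewall.
ssh timeout 30

! Option 1: global idle timeout for every TCP connection through the ASA.
! Factory default is conn 1:00:00; 0:00:00 means never expire, which also
! leaves dead connections in the conn table until a RST/FIN is seen.
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

! Option 2 (narrower): raise the idle timeout only for pass-through SSH and
! leave the global value alone. Names below are assumed for this example.
access-list SSH-THROUGH extended permit tcp any any eq 22
class-map SSH-THROUGH
 match access-list SSH-THROUGH
policy-map global_policy
 class SSH-THROUGH
  ! "reset" sends a TCP RST to both ends when the idle timer finally fires,
  ! so clients get a clean disconnect instead of a hung session.
  set connection timeout idle 8:00:00 reset

! Verify: an established SSH conn lists its idle time and timeout.
show conn detail protocol tcp port 22
```

Prefer option 2 over setting `timeout conn` to `0:00:00`: a global "never" timeout keeps entries for hosts that have gone away in the conn table indefinitely, which is the resource-exhaustion risk the timeout exists to prevent.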
 