[j-nsp] Juniper SRX and ssh freeze

Mark Kamichoff prox at prolixium.com
Mon Dec 20 12:04:19 EST 2010


On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
> I don't know about the SRX, but I know with the SSG, the ScreenOS
> default timeout for TCP sessions was way too low (IIRC something like
> 5 minutes) and would cause that.  I turned on SSH keepalives to avoid
> the timeout.

Yep, the SRX does the same thing with regards to timeouts.  The timeout
is 30 minutes for SSH by default, but you can extend it to longer by
adding a custom inactivity-timeout to the junos-ssh application:

{primary:node0}
prox at orb> show configuration applications 
application junos-ssh inactivity-timeout 3600;

The above configuration increases the inactivity timeout to an hour.
For me, I had one session built before I made that change, and one after
(look at the timeout value):

{primary:node0}
prox at orb> show security flow session destination-prefix 10.3.8.18/32 node 0 
node0:
--------------------------------------------------------------------------

Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2

Alternatively, you can set the tcp-rst option on the appropriate
zone(s), which will cause SSH sessions to disconnect immediately when
data is sent over an SSH session that's timed-out already:

{primary:node0}[edit]
prox at orb# show security zones security-zone trust                   
tcp-rst;
[...]

Hope this helps!

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/
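To check which SSH sessions still carry the old 30-minute timer after the application change above, here is an added parser (not from the post or from Juniper) that reads the text of `show security flow session` and flags sessions whose remaining idle time is below a threshold; the sample output is copied from the post, and the threshold value is an assumption.

```python
import re

# Sample output copied from the post above (two SSH sessions to 10.3.8.18/22).
SAMPLE = """\
Session ID: 8824, Policy name: inbound/4, State: Active, Timeout: 1796, Valid
  In: 10.3.7.149/63197 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 61, Bytes: 6901
  Out: 10.3.8.18/22 --> 10.3.7.149/63197;tcp, If: reth2.0, Pkts: 37, Bytes: 9556

Session ID: 8832, Policy name: inbound/4, State: Active, Timeout: 3594, Valid
  In: 10.3.7.149/63198 --> 10.3.8.18/22;tcp, If: reth0.0, Pkts: 55, Bytes: 6445
  Out: 10.3.8.18/22 --> 10.3.7.149/63198;tcp, If: reth2.0, Pkts: 34, Bytes: 7288
Total sessions: 2
"""

# One header line per session, followed by an In and an Out wing.
HEADER = re.compile(
    r"Session ID: (\d+), Policy name: ([^,]+), State: (\w+), Timeout: (\d+)")
FLOW = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,]+), "
    r"Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Turn the CLI text into a list of session dicts with both wings."""
    sessions = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "state": m.group(3), "timeout": int(m.group(4)),
                             "flows": {}})
            continue
        m = FLOW.match(line)
        if m and sessions:
            sessions[-1]["flows"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "if": m.group(7).strip(),
                "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def at_risk_sessions(sessions, threshold, dport=22):
    """Active sessions to dport whose remaining idle timer is below threshold
    seconds: sessions built before the inactivity-timeout change still count
    down from the 1800 s default and show up here with threshold=1800."""
    return [s for s in sessions
            if s["state"] == "Active" and s["timeout"] < threshold
            and s["flows"].get("In", {}).get("dport") == dport]
```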