[j-nsp] Juniper SRX and ssh freeze

Maciej Jan Broniarz gausus at gausus.net
Wed Dec 22 13:43:30 EST 2010



On 10-12-20 18:04, user "Mark Kamichoff" <prox at prolixium.com>
wrote:

>On Mon, Dec 20, 2010 at 10:18:27AM -0600, Chris Adams wrote:
>> I don't know about the SRX, but I know with the SSG, the ScreenOS
>> default timeout for TCP sessions was way too low (IIRC something like
>> 5 minutes) and would cause that.  I turned on SSH keepalives to avoid
>> the timeout.
>
>Yep, the SRX does the same thing with regards to timeouts.  The timeout
>is 30 minutes for SSH by default, but you can extend it to longer by
>adding a custom inactivity-timeout to the junos-ssh application:
>
>{primary:node0}
>prox@orb> show configuration applications
>application junos-ssh inactivity-timeout 3600;

Does junos-ssh apply to any SSH traffic - the one to the SRX itself, and
the one to the servers behind an SRX firewall?

>Alternatively, you can set the tcp-rst option on the appropriate
>zone(s), which will cause SSH sessions to disconnect immediately when
>data is sent over an SSH session that's timed-out already:
>
>{primary:node0}[edit]
>prox@orb# show security zones security-zone trust
>tcp-rst;
>[...]


I'll try that.

Thanks :)

Mjb




