[NCLUG] ssh timeout - More info...

Mark Fassler fassler at monkeysoft.net
Fri Mar 2 13:44:16 MST 2001


The firewall route:
-------------------

To change the TCP timeout on the masquerading on your firewall:

    ipchains -M -S 7200 120 300

This will set the TCP timeout to 7200 seconds (2 hours), the TCPFin timeout to 120 
seconds (2 minutes), and the UDP timeout to 300 seconds (5 minutes).

I think the default is 900 120 300  (15 minutes, 2 minutes, 5 minutes)

For connections that spend a long time idle, you probably want the timeout 
to be in the neighborhood of 2 hours (or slightly longer).


The Application route:
----------------------

If you want something to have an infinite idle time, you'll still need 
keep-alives.

It turns out that KeepAlive is broken in OpenSSH 2.3.  You'll probably 
want to upgrade to 2.5.  

The keep_alive time for the kernel is in 
/proc/sys/net/ipv4/tcp_keepalive_time.  This is set to 7200 seconds by 
default (2 hours).  So if you simply turn KeepAlive on without adjusting 
anything, it still won't work.

2 options:  
 - you can make the TCP timeout on your firewall last longer than 
   two hours (as well as turning on KeepAlive in ssh)  

 - or you can make the tcp_keepalive_time on the client or server be 
   shorter (as well as turning on KeepAlive in ssh).

To set tcp_keepalive_time to be 5 minutes just do:

    echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time

(note that the kernel doesn't seem interested in making the keepalives be 
any shorter than 90 seconds or so...)
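As an added example (not part of the post above), the same "make the keepalive shorter than the firewall timeout" idea applied per socket on Linux: TCP_KEEPIDLE overrides tcp_keepalive_time for one connection instead of system-wide, so an application can do this without touching /proc. The idle/interval/count values and the 900-second masquerade timeout are assumptions for illustration.

```python
import socket

# Linux default for /proc/sys/net/ipv4/tcp_keepalive_time, in seconds.
KERNEL_DEFAULT_KEEPALIVE_IDLE = 7200


def enable_keepalive(sock, idle=300, interval=30, count=4):
    """Turn on TCP keepalives for this socket and override the kernel-wide
    tcp_keepalive_time (7200 s by default) for this socket only.

    idle     - seconds of silence before the first probe (TCP_KEEPIDLE)
    interval - seconds between unanswered probes (TCP_KEEPINTVL)
    count    - unanswered probes before the connection is dropped (TCP_KEEPCNT)
    Linux-specific option names are assumed here.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def keepalive_settings(sock):
    """Read back what the kernel actually applied to this socket."""
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "count": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def survives_firewall_timeout(settings, firewall_tcp_timeout):
    """True if a probe leaves before a masquerading firewall with the given
    idle TCP timeout would forget the connection. With the kernel default
    (7200 s) and the ipchains default (900 s) this is False, which is the
    trap described in the post."""
    return settings["enabled"] and settings["idle"] < firewall_tcp_timeout


def dead_peer_detection_time(settings):
    """Worst-case seconds before a vanished peer is noticed: the idle wait
    plus every probe going unanswered."""
    return settings["idle"] + settings["interval"] * settings["count"]


if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    enable_keepalive(s)
    cfg = keepalive_settings(s)
    print(cfg, survives_firewall_timeout(cfg, 900), dead_peer_detection_time(cfg))
    s.close()
```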

--
Mark Fassler
fassler at monkeysoft.net


