
Re: session timeout

On Thu, Feb 03, 2005 at 08:54:28PM -0800, Tucker Bradford wrote:
> I'm experiencing a very annoying session timeout issue. It's most often 
> noticed when sshing to a host behind the firewall from off site. It 
> doesn't seem to happen when the connection is initiated from another 
> internal network, but that could be due to some bi-directional pass rules.
> In any case, an ssh connection from outside to the DMZ will time out after 
> 5-10 minutes if idle.
Find out if such ssh connections really time out or are actually reset.
Run tcpdump -nvvvSi $ext_if tcp port 22 (possibly restricting the filter
further so only packets related to the connection in question are
printed) and repeat the test. When the connection stalls or resets, you
should see either peer retransmitting and/or sending a RST.

Watch the state table during the test. When you establish the
connection, you should see a state for the connection (pfctl -vvss). How
does that entry change over the course of the test?

Enable debug logging with pfctl -x m and watch /var/log/messages for pf
related messages (like 'BAD state').

Make sure all your 'pass proto tcp keep state' rules have 'flags S/SA',
i.e. that you always create state on initial SYN packets. Maybe the flag
blocking section should ensure that already, but it's tedious to verify,
so just add 'flags S/SA' to the pass rules as well.

Add 'log' to all 'block' rules (at least temporarily, for the duration
of the test) and check pflog0 for packets blocked during the test.

If either side receives a RST, the question is where that's coming from.
If the connection stalls after several retransmissions without any RST,
the question is why the retransmissions do not go through.
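The first step above, telling a reset apart from a stall, is easiest to see when the capture is reduced to two questions: did anyone send a RST, and which data segments were sent repeatedly without the transfer progressing. The following shell/awk script is an added example written for this page, not part of the original mail. It reads tcpdump output on stdin and prints a verdict. The two embedded captures are constructed by hand in the shape of OpenBSD `tcpdump -nvvvS` lines (absolute sequence numbers, `src.port > dst.port: FLAGS seq:seq(len) ack N win W ...`); the addresses, ports and sequence numbers are made up, not taken from the thread.

```shell
#!/bin/sh
# classify_capture: read tcpdump -nvvvS lines on stdin and report
#   - every host that sent a RST (reset case: ask who sends it and why)
#   - every data segment sent more than once from the same side
#     (stall case: retransmissions that never get through)
# Assumes the tcpdump field layout: $2=src.port $4=dst.port: $5=flags
# $6=seq:seq(len) for data-bearing segments. Constructed example.
classify_capture() {
    awk '
    NF == 0 { next }
    {
        src = $2; dst = $4; sub(/:$/, "", dst)
        flags = $5
        # Any segment carrying R is a reset from src.
        if (flags ~ /R/) { rst[src]++; next }
        # Data-bearing segments look like 1000:1036(36); count repeats.
        if ($6 ~ /^[0-9]+:[0-9]+\([0-9]+\)$/) {
            seen[src " " dst " " $6]++
        }
    }
    END {
        nrst = 0
        for (h in rst) { printf "RST from %s (%d)\n", h, rst[h]; nrst++ }
        nretx = 0
        for (k in seen) if (seen[k] > 1) {
            split(k, a, " ")
            printf "sent %d times: %s > %s %s\n", seen[k], a[1], a[2], a[3]
            nretx++
        }
        if (nrst > 0)
            print "verdict: reset (find out who sends the RST)"
        else if (nretx > 0)
            print "verdict: stall (retransmissions, no RST: why do they not get through?)"
        else
            print "verdict: clean"
    }'
}

# Constructed sample 1: the client keeps retransmitting one segment after
# a few idle minutes and nobody answers, i.e. a stall.
SAMPLE_STALL='
21:05:01.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1000:1036(36) ack 5000 win 1024 (ttl 64, id 1, len 88)
21:05:01.000002 192.0.2.10.22 > 203.0.113.7.51000: . ack 1036 win 1024 (ttl 63, id 2, len 52)
21:11:30.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1036:1072(36) ack 5000 win 1024 (ttl 64, id 3, len 88)
21:11:31.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1036:1072(36) ack 5000 win 1024 (ttl 64, id 4, len 88)
21:11:33.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1036:1072(36) ack 5000 win 1024 (ttl 64, id 5, len 88)
21:11:37.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1036:1072(36) ack 5000 win 1024 (ttl 64, id 6, len 88)
'

# Constructed sample 2: the server side answers the first segment after
# the idle period with a RST, i.e. a reset, not a timeout.
SAMPLE_RESET='
21:05:01.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1000:1036(36) ack 5000 win 1024 (ttl 64, id 1, len 88)
21:05:01.000002 192.0.2.10.22 > 203.0.113.7.51000: . ack 1036 win 1024 (ttl 63, id 2, len 52)
21:11:30.000001 203.0.113.7.51000 > 192.0.2.10.22: P 1036:1072(36) ack 5000 win 1024 (ttl 64, id 3, len 88)
21:11:30.000002 192.0.2.10.22 > 203.0.113.7.51000: R 5000:5000(0) win 0 (ttl 63, id 4, len 40)
'

# Demo run on the constructed captures.
printf '%s\n' "$SAMPLE_STALL" | classify_capture
printf '%s\n' "$SAMPLE_RESET" | classify_capture
```

On the firewall itself the input would come from the live capture the mail suggests, narrowed to the one connection, e.g. `tcpdump -nvvvSi $ext_if tcp port 22 and host 203.0.113.7 | classify_capture` (host and interface are placeholders). A RST verdict points at the sender's address, which is the first thing to compare against the pflog0 and 'BAD state' output; a stall verdict means the retransmitted segment never reaches the other side, so the state table entry and the block log are where to look next.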