CPUG: The Check Point User Group


Thread: dropped ssh connections

  1. #1
    Join Date
    2005-11-04
    Posts
    45
    Rep Power
    0

    Default dropped ssh connections

    Does anyone know why my SSH connections keep dropping? I frequently maintain open SSH connections with port forwarding to an SSH server sitting behind my Checkpoint FW-1/VPN-1 Smalloffice FP3. More times than I can remember, the connection would simply die. I've tried setting KEEP_ALIVES between the SSH client and the SSH server to less than 30 seconds, but it hasn't made much of a difference. Is there something within Checkpoint that I can tweak to fix this?

  2. #2
    Join Date
    2006-04-30
    Location
    Europe, Germany
    Posts
    433
    Rep Power
    14

    Default Re: dropped ssh connections

    Do you see any drops at the firewall (out of state ...)?
    Which ssh version, client/server?

    If you have a newer ssh server/client, try ClientAliveInterval/ClientAliveCountMax (ssh2 only) instead of TCPKeepAlive.
    The difference is in the detail: TCPKeepAlive is outside the ssh connection, whereas ClientAliveInterval is inside the tunnel.

    Take a look at the ssh_version_2 object; the default timeout is 3600s. You can create a new object, say ssh_ver2_wto, and set the timeout to a higher limit.

  3. #3
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: dropped ssh connections

    The big question is, is there any consistency in the timing of when your connections die? If so, then it's most likely tweakable. If not, then it's more likely a network connectivity related problem (i.e. packet loss).

  4. #4
    Join Date
    2005-11-04
    Posts
    45
    Rep Power
    0

    Default Re: dropped ssh connections

    I don't know if it's packet loss or whether there is a certain time that it stops working. There would seem to be no specific pattern.

    I could never fully catch the out of state, dropped packets in the logs.
    It just happens.

    My ssh is OpenSSH 3.7.1p2 running on Cygwin on Windows 2000 server. I am only running SSH2.
    I looked at the /etc/SSHD_CONFIG file and ClientAliveInterval was set to 3600

    Under Checkpoint's Global Properties/Stateful Inspection menu, I changed the Default Session Timeout settings a bit.

    TCP Start Timeout: 120 seconds
    TCP Session Timeout: 3600 seconds
    TCP End Timeout: 60 seconds

    I don't know if this helps. So far the connection has been on since last evening without going down. What do you think?
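
Added example (not part of the thread and not any poster's code): a Python check that compares the in-tunnel probe interval suggested in post #2 with the firewall's TCP Session Timeout from post #4, and goes slightly beyond the thread by accepting sshd_config time formats such as `45m`. The sample configs, the function names and the 50% safety margin are assumptions made for illustration.

```python
import re

# Seconds per sshd_config time qualifier (TIME FORMATS in sshd_config(5)).
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed samples: the first uses the value reported in post #4.
POSTED = "# constructed sample\nClientAliveInterval 3600\n"
SHORT = "ClientAliveInterval 5\nClientAliveCountMax 3\n"


def parse_time(value):
    """Convert '3600', '10m' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def keepalive_settings(config_text):
    """Return (interval_seconds, count_max) from the global section."""
    found = {}
    for raw in config_text.splitlines():
        fields = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = fields[0].lower()
        if key == "match":  # Match blocks (per-connection overrides) are ignored
            break
        if key and len(fields) == 2:
            found.setdefault(key, fields[1].strip())  # first value wins
    # sshd defaults: ClientAliveInterval 0 (disabled), ClientAliveCountMax 3
    return (parse_time(found.get("clientaliveinterval", "0")),
            int(found.get("clientalivecountmax", "3")))


def check(config_text, fw_idle_timeout, margin=0.5):
    """Return (verdict, seconds until sshd drops an unresponsive client)."""
    interval, count_max = keepalive_settings(config_text)
    if interval == 0:
        verdict = "no-probe"   # nothing inside the tunnel refreshes the state entry
    elif interval >= fw_idle_timeout:
        verdict = "too-late"   # probe is sent no earlier than the idle expiry
    elif interval > fw_idle_timeout * margin:
        verdict = "tight"      # in time, but little room for a lost probe
    else:
        verdict = "ok"
    return verdict, interval * count_max


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("short", SHORT)):
        print(name, check(cfg, fw_idle_timeout=3600))
```

Pass the firewall's idle timeout in seconds as `fw_idle_timeout`; only the global section of the config is read, so settings inside `Match` blocks are not evaluated.
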

  5. #5
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: dropped ssh connections

    "I could never fully catch the out of state, dropped packets in the logs.
    It just happens."
    You most certainly wouldn't see these log entries, mainly because they never get there to be logged.

    "on Windows 2000 server."
    Problem #1 ;) Is it only with this server you had a problem?

    "TCP Session Timeout: 3600 seconds"
    I think that's the big one, at least as far as connecting to an ssh server goes and then going idle w/a client. Was it less than 3600 before? (I don't know what the default is.) How has the connection been since you posted?

  6. #6
    Join Date
    2005-11-04
    Posts
    45
    Rep Power
    0

    Default Re: dropped ssh connections

    No, this SSH closeout issue occurs with another setup I have, involving Smoothwall. The SSH session would shut down on a machine sitting behind Smoothwall. I suppose there could be settings that would be tweaked there as well.

    Checkpoint's TCP Session Timeout was always at 3600; the other parameters were different.
    All I did was increase them a little. In addition I set the SSH2 keepalives to 5 seconds.
    The connection now "seems" stable although it had gone down once between now and the last time I wrote on here. I say seems because I'm still a bit doubtful at this point.

    I still say a site-site VPN would be a much better way than this SSH connection.
    I only created this SSH remote port forwarding situation because the site Admin was too slow in assisting me. I had to set up a quick VPN that would gain me access to the machine sitting behind the firewall.

  7. #7
    Join Date
    2005-11-21
    Posts
    3
    Rep Power
    0

    Default Re: dropped ssh connections

    If the connection is dropping out of the connection table, you should see an entry in the logs saying drop because first packet isn't SYN.

    Should be quite easy to see.
