SSH sessions going through the ProxySG are timing out


Article ID: 166936


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

SSH sessions going through the ProxySG are timing out

This happens when an SSH client is logged into a device and no network activity occurs for 300 to 900 seconds. The connection is then closed.

The SSH client is configured to use the proxy through its HTTP proxy setting and connects to the device through the proxy. The client-to-proxy leg is SSH over HTTP (CONNECT on port 22), and the proxy-to-upstream leg is plain SSH (TCP tunnel). After the connection has been idle for 300 to 900 seconds, the firewall closes the connection to the proxy, and the proxy then closes the connection with the client.

In SGOS 4.2.8.3, the observed behavior is that the ProxySG sends a TCP keep-alive every 120 seconds and the connection stays open. In the latest SGOS 5.x, that is not the observed behavior: the proxy does not send a TCP keep-alive upstream because the client did not send any keep-alive packets. This is expected behavior in the latest SGOS 5.x.

Resolution

You can work around the issue with the following options:

1. Configure the SSH client (for example, in PuTTY -> Connection) to send keep-alive packets. For intercepted traffic, configure PuTTY to send NULL character packets to keep the connection alive, and set "Seconds between keepalives" to a non-zero value, such as 120. For non-intercepted traffic, you can configure the client to send plain TCP keep-alive messages. In this particular case the traffic is considered intercepted, since it goes through a TCP tunnel on the proxy and is not bypassed.

2. For non-intercepted traffic, you can also configure a global setting on the ProxySG to send TCP keep-alives upstream. This functionality is disabled by default. Enable it from the command line interface with the following commands:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip bypass-keep-alive enable
  ok
ProxySG#(config)exit
ProxySG#
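
The client-side check for option 1, as an added example that is not part of the original article. It assumes an OpenSSH client instead of PuTTY, where ServerAliveInterval is the SSH-level keep-alive setting and `ssh -G <host>` prints the effective configuration; the function name and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Assumes an OpenSSH client.
# Reads `ssh -G <host>` output on stdin and reports whether SSH-level
# keep-alives are sent more often than the idle timeout on the path.
# Usage: ssh -G myhost | check_ssh_keepalive 300
check_ssh_keepalive() {
    idle_limit=$1   # shortest idle timeout on the path, in seconds
    awk -v limit="$idle_limit" '
        $1 == "serveraliveinterval" { interval = $2 + 0 }
        $1 == "tcpkeepalive"        { tcpka = $2 }
        END {
            if (interval == 0) {
                print "FAIL: ServerAliveInterval is 0, no SSH-level keep-alives are sent"
                if (tcpka == "yes")
                    print "NOTE: TCPKeepAlive alone is the non-intercepted case; intercepted traffic needs SSH-level keep-alives"
                exit 1
            }
            if (interval >= limit) {
                printf "FAIL: ServerAliveInterval %d is not below the %d s idle timeout\n", interval, limit
                exit 1
            }
            printf "OK: keep-alive every %d s, idle timeout %d s\n", interval, limit
        }'
}

# Constructed samples in `ssh -G` output format (lowercase keyword, value).
# OpenSSH defaults: TCP keep-alive on, SSH-level keep-alive off.
SAMPLE_DEFAULT='hostname device.example
serveraliveinterval 0
tcpkeepalive yes'

# After adding "ServerAliveInterval 120" to the host entry in ssh_config.
SAMPLE_FIXED='hostname device.example
serveraliveinterval 120
tcpkeepalive yes'

# 300 is the low end of the 300 to 900 second idle window in the article.
printf '%s\n' "$SAMPLE_DEFAULT" | check_ssh_keepalive 300 || true
printf '%s\n' "$SAMPLE_FIXED"   | check_ssh_keepalive 300
```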