Hung connection over Juniper Tunnel

Chris Adams cmadams at hiwaay.net
Sat Feb 7 02:48:24 EST 2009


Once upon a time, Damien Miller <djm at mindrot.org> said:
> 1) Long-lived but SSH connections being timed out of NAT/firewall state
>    after some period of quiescence. This can be worked around with the
>    ClientAliveInterval and ServerAliveInterval controls in ssh_config and
>    sshd_config respectively.

IIRC the default ScreenOS TCP session idle timeout is way too short
(something like 30 minutes).  Rather than use the OpenSSH keepalives
(which only fixes SSH), you should adjust the firewalls to have a sane
value (IIRC Linux firewall code defaults to 5 days for established TCP
sessions).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
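Added example, not part of the post or of OpenSSH itself: a small POSIX shell helper that picks an SSH keepalive interval sitting well inside a firewall's idle timeout for established TCP sessions and prints the matching configuration lines. ServerAliveInterval / ServerAliveCountMax are client-side options (ssh_config) and ClientAliveInterval / ClientAliveCountMax are the server-side equivalents (sshd_config); both send a request through the encrypted channel after the given idle period and drop the connection after CountMax unanswered requests. The "quarter of the timeout, capped at 300 s" rule and the 1800 s sample timeout are assumptions made for this example.

```shell
# Added example; not part of the mailing-list post. Helper functions to pick
# SSH keepalive settings that fire well inside a firewall's idle timeout and
# to emit the matching ssh_config / sshd_config lines.

# keepalive_ok INTERVAL TIMEOUT
# Succeeds (exit 0) when a keepalive probe every INTERVAL seconds is sent at
# least twice before a firewall with an idle timeout of TIMEOUT seconds would
# drop the established TCP session; fails (exit 1) otherwise.
keepalive_ok() {
    interval=$1
    timeout=$2
    [ "$interval" -gt 0 ] && [ $((interval * 2)) -le "$timeout" ]
}

# choose_interval TIMEOUT
# Prints a keepalive interval (seconds) for a firewall idle timeout of
# TIMEOUT seconds: a quarter of the timeout, capped at 300 s, never below
# 15 s. (Assumed rule of thumb for this example, not an OpenSSH default.)
choose_interval() {
    timeout=$1
    interval=$((timeout / 4))
    [ "$interval" -gt 300 ] && interval=300
    [ "$interval" -lt 15 ] && interval=15
    echo "$interval"
}

# client_config INTERVAL COUNTMAX
# Prints ssh_config (client-side) lines: ServerAliveInterval sends a request
# through the encrypted channel after INTERVAL idle seconds, and after
# COUNTMAX unanswered requests the client drops the connection.
client_config() {
    printf 'Host *\n    ServerAliveInterval %s\n    ServerAliveCountMax %s\n' "$1" "$2"
}

# server_config INTERVAL COUNTMAX
# Prints the sshd_config (server-side) equivalents.
server_config() {
    printf 'ClientAliveInterval %s\nClientAliveCountMax %s\n' "$1" "$2"
}

# Sample run with a constructed 30-minute firewall idle timeout.
fw_timeout=1800
iv=$(choose_interval "$fw_timeout")
if keepalive_ok "$iv" "$fw_timeout"; then
    echo "# keepalive every ${iv}s is safe behind a ${fw_timeout}s idle timeout"
    client_config "$iv" 3
    server_config "$iv" 3
else
    echo "# interval ${iv}s is too long for a ${fw_timeout}s idle timeout" >&2
fi
```

These keepalives ride inside the encrypted channel, unlike the TCPKeepAlive option, so a middlebox cannot forge them. As the post points out, they only protect SSH; raising the firewall's own established-session timeout covers every long-lived TCP service behind it.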