Sunday, September 22, 2013

Fixing SSH timeouts on the ASA

I spent a bunch of time getting my head around class maps, policy maps, and service policies, in an effort to correct the issue of idle SSH connections being timed out after an hour (the default idle timeout for TCP connections on the ASA at version 9.1). The documentation is a confusing web of headache, but I found this blog post to be useful reading. My solution was to leave the timeout unchanged, but to enable Dead Connection Detection for SSH connections. Essentially, when an idle SSH connection hits the threshold, the ASA forges a packet to the endpoints to verify that the socket is still open. If there is a response, the idle timer is reset.

access-list ssh_ports remark access list to id ssh traffic for the ssh_ports class map
access-list ssh_ports extended permit tcp any any eq ssh 
access-list ssh_ports extended permit tcp any any eq 2222
class-map ssh_traffic
 description identify SSH traffic, so we can apply policy
 match access-list ssh_ports
policy-map generic_interface_policy
 class ssh_traffic
  set connection timeout dcd 
service-policy generic_interface_policy interface outside
service-policy generic_interface_policy interface inside

No comments:

Post a Comment