I spent a bunch of time getting my head around class maps, policy maps, and service policies, in an effort to stop idle SSH connections from being torn down after an hour (the default idle timeout for TCP connections on the ASA at version 9.1, timeout conn 1:00:00). The documentation is a confusing web of headache, but I found this blog post to be useful reading. My solution was to leave the timeout unchanged and instead enable Dead Connection Detection (DCD) for SSH connections. When an idle connection in the matched class reaches the idle timeout, the ASA forges a probe to each endpoint, spoofed to look as though it came from the other end, to verify that the socket is still open. If both endpoints respond, the idle timer is reset and the connection is kept; if either side fails to answer after the retries (by default five probes, 15 seconds apart), the connection is removed from the connection table as it would have been anyway. One caveat: an endpoint whose host firewall silently drops the probe will look dead, so DCD only helps where both ends actually answer.
access-list ssh_ports remark access list to id ssh traffic for the ssh_traffic class map
access-list ssh_ports extended permit tcp any any eq ssh
access-list ssh_ports extended permit tcp any any eq 2222
class-map ssh_traffic
 description identify SSH traffic, so we can apply policy
 match access-list ssh_ports
policy-map generic_interface_policy
 class ssh_traffic
  set connection timeout dcd
service-policy generic_interface_policy interface outside
service-policy generic_interface_policy interface inside
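As an added example (not the configuration from the original post), here is the same policy with the DCD timers stated explicitly, a shorter idle timeout for the SSH class so that the first probe goes out well before the hour is up, and the show commands used to confirm the policy is attached and matching. The interface names and the 30-minute idle value are assumptions; the DCD values shown, a 15-second retry interval and five retries, are the ASA defaults written out so they can be tuned.

```text
access-list ssh_ports remark identify SSH traffic for the ssh_traffic class map
access-list ssh_ports extended permit tcp any any eq ssh
access-list ssh_ports extended permit tcp any any eq 2222
class-map ssh_traffic
 description identify SSH traffic, so we can apply policy
 match access-list ssh_ports
policy-map generic_interface_policy
 class ssh_traffic
  set connection timeout idle 0:30:00 dcd 0:00:15 5
service-policy generic_interface_policy interface outside
service-policy generic_interface_policy interface inside
show running-config policy-map generic_interface_policy
show service-policy interface outside
show conn protocol tcp port 22 detail
```

The idle value on the set connection line overrides the global timeout conn for this class only, so the rest of the TCP traffic keeps the one-hour default. The three show commands at the end are verification, not configuration: the first confirms the class and its timeout settings, the second confirms the policy is bound to the interface and shows per-class hit counts, and the third lists the SSH connections the ASA is currently tracking. An interface can carry only one service policy, so if inside or outside already has one, add the ssh_traffic class to that existing policy map rather than attaching a second one.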