Re: SSH Dropping Connections



It is important to determine whether the dropouts are happening during
periods of inactivity, or when actively using the connection.

If dropouts happen during periods of inactivity, then some system, router,
etc., in the chain may be configured to drop connections that are inactive
for some period of time, call it "x" seconds. Obviously this is not a good
idea for many terminal emulation environments. But with many SSH clients,
such as PuTTY (as explained below) or our Anzio product, you can configure
them to send a "do-nothing" packet every "y" seconds. As long as y is less
than x, this will fool the device into thinking the session is active, and
keep it running.

On the other hand, if dropouts happen randomly, it means there is a poor
quality TCP/IP connection. In this case, it can HURT to have a keep-alive,
as follows. If the session drops temporarily, then is restored, the
connection can stay active, UNLESS some traffic occurs; when traffic
occurs, one or both ends learn that the connection has dropped, and they
close their end. The keep-alive can actually cause this to happen.
Conversely, if a keep-alive is NOT set, all remains quiet, the drop is
undiscovered, and by the time you actually use the connection it might be
re-established. If dropouts continue to happen, your only recourse, I
think, is to complain to the service provider.

On Tue, 4 Sep 2007, Nathalie Vaiser wrote:

Hi Hari,

In PuTTY you can set a keep-alive setting (under Connection in the settings).
I set mine to 60 seconds and this prevents most dropped connections.


Nathalie



Hari Sekhon wrote:
Hi,

I have a remote worker who uses SSH tunneling to connect into the office
while on the road. He is running Windows with PuTTY connecting to a Linux
OpenSSH server. He has been reporting that it is extremely unstable and that
the connection drops. However, I and a colleague of mine use this method
regularly and have had no problems.

I suspect that this is simply due to his use of a 3G card which has a very
slow dial-up speed connection, whereas myself and my colleague have
broadband (actually it does drop more when my internet pipe is flooded).

Is there anything I can do to make the connection more tolerant and not
drop?

Or perhaps any advice for further isolating this (bearing in mind the remote
worker is not technical and I don't have access to the laptop at the times
he's on the road...)

This same remote worker was previously using an ipsec vpn with 3des and had
no problems so I suspect that 3des is more forgiving than the ssh
protocol(s) being used for cryptography, although I am aware that ssh can
use several different crypto algorithms, and reading the man page again it
seems that 3des is the default on linux but PuTTY seems to default to AES
first so perhaps it is AES being less forgiving than 3des?

Does anyone know more about the actual AES and 3DES protocol internals? Is
AES less tolerant to timing issues because of its stronger cryptography
(sort of like Kerberos system times being used in the crypto algorithm)?


Any ideas or feedback on this issue?


Thanks

-h





Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@xxxxxxxxx
company e-mail: rsi@xxxxxxxxx
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
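
The two cases described in the reply above, as a small added Python model (not code from the thread or from any SSH client). Here x is the idle timeout of a device in the path and y is the client's keep-alive interval; the rule that any packet sent while the link is down closes the session is a simplifying assumption taken from the reply's description, and all scenario values are constructed.

```python
def simulate(duration, x, y, user_traffic=(), outages=()):
    """Step a session second by second and report how it ends.

    x: idle timeout of a device in the path (seconds)
    y: keep-alive interval of the SSH client (0 = keep-alive off)
    user_traffic: seconds at which the user types something
    outages: (start, end) windows during which the link is down

    Assumptions of this model, following the reply's description:
    - the device forgets the session once x seconds pass with no packet
    - any packet sent while the link is down makes an end close the session
      (real TCP retransmits for a while first; this is a simplification)
    """
    traffic = set(user_traffic)
    last_packet = 0
    for t in range(1, duration + 1):
        # Idle case: nothing has crossed the device for x seconds.
        if t - last_packet >= x:
            return ("idle-timeout", t)
        keepalive_due = y > 0 and t - last_packet >= y
        if t in traffic or keepalive_due:
            # Flaky-link case: sending during an outage exposes the drop.
            if any(start <= t < end for start, end in outages):
                return ("closed-on-send", t)
            last_packet = t
    return ("alive", duration)


# Constructed scenarios (illustrative values, not taken from the thread).
IDLE_NO_KEEPALIVE = simulate(600, x=300, y=0)
IDLE_WITH_KEEPALIVE = simulate(600, x=300, y=60)
FLAKY = dict(duration=250, x=300, user_traffic=[10, 200], outages=[(100, 140)])
FLAKY_WITH_KEEPALIVE = simulate(y=60, **FLAKY)
FLAKY_NO_KEEPALIVE = simulate(y=0, **FLAKY)

if __name__ == "__main__":
    print("idle, no keep-alive:   ", IDLE_NO_KEEPALIVE)
    print("idle, keep-alive 60s:  ", IDLE_WITH_KEEPALIVE)
    print("flaky, keep-alive 60s: ", FLAKY_WITH_KEEPALIVE)
    print("flaky, no keep-alive:  ", FLAKY_NO_KEEPALIVE)
```
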


