On Wed, Jul 02, 2003 at 07:17:19AM -0400, Steve Coile wrote:
> On Tue, 1 Jul 2003, Philip J. Koenig wrote:
> > I'm having a problem with premature termination of ssh sessions after
> > an idle period of a few minutes, getting a "connection reset by peer"
> > message. I presume this is due to intermediate stateful firewalls
> > closing the connection when no traffic passes for a period of time.
>
> Is this a common problem with firewalls? We suffer from this problem
> here, also, and I've thought it must be a misconfiguration with the
> firewall or elsewhere in the network. But since you mentioned it,
> I'm rethinking my assessment.
>
> Can someone explain why these connections get dropped?

The firewall is tracking the state of TCP connections (among others). The information about the state needs some memory, which means that the firewall cannot keep state of an infinite number of connections. After some time the state gets dropped.
A reasonable firewall (such as ipfilter) takes the state of the connection (syn sent, ack sent, open, ...) into account when determining the timeout (e.g. with ipfilter the timeout for a partially open connection is (by default) 480s, for an open connection it is 86400s (a week). When a connection is closed, the state is dropped immediately). Unreasonable firewalls don't, which means that the time before the connection is dropped has to be quite short to prevent the state table from overflowing.

Finding the reason for this happening with NAT is left as an exercise for the reader ;-)

m&f
-- 
What do you care what other people think?
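To make the difference between a state-aware and a flat timeout policy concrete, here is a small added simulation (my own illustration, not code from the thread or from ipfilter). It models a connection-tracking table with per-state idle timeouts, walks an ssh session through the handshake, leaves it idle, and then checks whether the next packet still matches state; the 480s/86400s values are the ipfilter defaults quoted above, while the 300s flat policy, the addresses and the flag names are constructed for the example.

```python
# Per-state idle timeouts in seconds. STATE_AWARE mirrors the ipfilter defaults
# quoted in the mail (480s half-open, 86400s established); FLAT_SHORT is a
# constructed stand-in for a firewall that ages every entry out after 5 minutes.
STATE_AWARE = {"syn_sent": 480, "established": 86400}
FLAT_SHORT = {"syn_sent": 300, "established": 300}


class StateTable:
    """Toy TCP connection-tracking table keyed by (src, sport, dst, dport)."""

    def __init__(self, timeouts):
        self.timeouts = timeouts
        self.table = {}          # flow -> [state, last_seen]

    def expire(self, now):
        """Drop entries whose idle time exceeds the timeout for their state."""
        for flow, (state, last_seen) in list(self.table.items()):
            if now - last_seen > self.timeouts[state]:
                del self.table[flow]

    def packet(self, flow, flags, now):
        """Apply one packet; return True if it matches (or creates) state."""
        self.expire(now)
        entry = self.table.get(flow)
        if entry is None:
            if flags == "SYN":                     # new connection attempt
                self.table[flow] = ["syn_sent", now]
                return True
            return False                           # unknown flow: no state, rejected
        if flags in ("FIN", "RST"):                # closed: state dropped at once
            del self.table[flow]
            return True
        if flags == "ACK" and entry[0] == "syn_sent":
            entry[0] = "established"               # handshake completed
        entry[1] = now
        return True


def idle_ssh_survives(timeouts, idle_seconds):
    """Open a session, stay idle, then send one keystroke; True if it passes."""
    fw = StateTable(timeouts)
    flow = ("10.0.0.5", 51234, "192.0.2.10", 22)  # constructed addresses
    fw.packet(flow, "SYN", 0.0)
    fw.packet(flow, "ACK", 0.1)                   # client's final handshake ACK
    return fw.packet(flow, "PSH", 0.1 + idle_seconds)


if __name__ == "__main__":
    for name, policy in (("state-aware", STATE_AWARE), ("flat 300s", FLAT_SHORT)):
        print(name, "10 min idle ->", "ok" if idle_ssh_survives(policy, 600) else "reset")
```

A packet arriving for a flow whose entry has already been expired is exactly the situation in which the firewall has no state to match, which is what the client then sees as "connection reset by peer".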