Solved

Telnet/SSH session gets hanged

Posted on 2006-11-02
Last Modified: 2013-12-27
Hello Experts,

We recently migrated our network from Frame Relay to MPLS. After the migration, we are facing a problem where Telnet/SSH sessions hang when left idle for some time (say 10 to 20 minutes). So every time, we need to reconnect to the server, or we need to keep the session active by pressing some key.
To resolve this issue, we escalated to our ISP, but they couldn't find any problem with the WAN link. Now I'm wondering whether there are any settings on the Unix servers that cause this problem, or whether there is any way to keep the telnet/ssh session active for a longer time. The netconfig settings of one of the servers are given below. These settings weren't made by me, but I can modify them if any change is required. Please let me know what other parameters I need to check with respect to this issue.

> cat netconfig
#!/sbin/sh
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/tcp tcp_strong_iss 2
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip6_forwarding 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0

> uname -a
SunOS corpldap2 5.9 Generic_112233-04 sun4u sparc SUNW,Ultra-250

Note: We can't apply patch updates, as that will affect some of the applications like Ingress.


Thanks,
Ashok


Question by:rdashokraj
14 Comments
 
LVL 3

Expert Comment

by:jhartzen
ID: 17857796
In my experience, this is probably a new firewall in the network which drops the session when it has been idle for too long. You could also check your shell TMOUT or TIMEOUT variables.

To test this, log in remotely and type "vi /tmp/dymmyfile", then leave vi open and the session unattended for 30 minutes. If it is hanging after this time, you have a network problem. If the session is still active, then the shell is timing out.

I hope this helps you on your way to finding the cause of the problem!
0
 

Author Comment

by:rdashokraj
ID: 17858399
Jhartzen,

As per your suggestion, I tested it by keeping a file open for more than 30 minutes; it DOESN'T hang. The session was still active. Now what to do? I checked the shell variables TMOUT and TIMEOUT, but they show a NULL value.

# echo $TMOUT

# echo $TIMEOUT

#

Thanks,
Ashok
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17858503
If you're using OpenSSH, I'd suggest using ServerAliveInterval in the ssh_config file to instruct the SSH client to periodically send a keep-alive packet to the server.
0
 

Author Comment

by:rdashokraj
ID: 17859109
PsiCop, is there any option available to make a Telnet session send keep-alive packets so as to keep the session active? I ask because many of our users connect through Telnet only.
0
 

Author Comment

by:rdashokraj
ID: 17859370
As per Jhartzen's suggestion, I did the VI test on one other server, i.e. opened a dummy file using the VI editor and kept it idle for about 45 minutes. Now the session HUNG. As per Jhartzen's conclusion, if the VI session hangs, it's a NETWORK ISSUE. Now how can I ensure that it's NOT a system problem? We may not find the actual cause of this problem, but at least we want to know where the problem lies: IN SYSTEM OR NETWORK.

Please advise. Thanks.

0
 
LVL 34

Assisted Solution

by:PsiCop
PsiCop earned 150 total points
ID: 17859377
Using both telnet and SSH is like having a steel-framed security door on the front of your house, and having a flimsy hollow-core door with exposed lock and hinges on the rear entrance. It's almost 2007 - unless you're in a closed network environment (and it doesn't sound like you are) you shouldn't be allowing raw telnet in to your servers anyway.

No, offhand, I'm not aware of any telnet clients that offer that level of configurability. Have them use SSH and close down telnet access.
0
 

Author Comment

by:rdashokraj
ID: 17859427
PsiCop, I agree with you. This is always there in my mind. Let me try my best to bring out a policy to make all the users use only SSH sessions and close all the telnet ports on the live servers. Btw, I'm leaving for the day now and I hope that I will get a solution by tomorrow. Have a nice day. Thanks. Bye.
0

 
LVL 3

Accepted Solution

by:
jhartzen earned 200 total points
ID: 17860842
Hi again rdashokraj,
I agree, as per PsiCop, your next step is to test using an SSH client with a keep-alive option set. The Windows version of PuTTY supports this option; it is called "TCP KeepAlive" and can be found in the options section called "Connection". This option will cause some network activity (but no shell activity) to prevent the session from expiring on firewalls/gateways en route to the server. Even if you can't get a telnet solution, this will still reinforce the suspicion that it is a network-related issue.

Just to be double-sure, open a vi session (to prevent the shell from causing a timeout) and enable TCP keepalive packets, then leave it open and see what happens.  You could even open up two sessions simultaneously with different settings in order to compare the results.

Good Luck
  _j
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 150 total points
ID: 17861246
The problem you have will be with timeouts.  There are 3 possibilities:

1.  Get your ISP to change their firewall/router settings.
2.  Use keepalives from your ssh/telnet client
3.  Set TCP keepalives on the Solaris side.
 
0
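Options 2 and 3 above written out as configuration, as an added example that is not part of the original thread. It assumes OpenSSH on both ends, and the 240-second interval is an assumed value picked to sit below the 10 to 20 minute idle window reported in the question.

```conf
# --- Option 2, client side: ~/.ssh/config or the system-wide ssh_config (OpenSSH) ---
# Send an SSH-level keepalive through the encrypted channel when no data has
# arrived from the server for 240 s. The default of 0 disables these probes.
# 240 is an assumed value, not one taken from the thread.
Host *
    ServerAliveInterval 240
    # Close the session after 3 unanswered probes (3 is the default).
    ServerAliveCountMax 3

# --- Server side: sshd_config (OpenSSH) ---
# The same probe initiated by the server. It also lets sshd clean up
# sessions whose client has silently disappeared.
ClientAliveInterval 240
ClientAliveCountMax 3

# --- Option 3, Solaris side: a line in the style of the netconfig script above ---
# tcp_keepalive_interval is in milliseconds; the Solaris default is
# 7200000 (2 hours). It only affects sockets on which the application
# has enabled SO_KEEPALIVE.
ndd -set /dev/tcp tcp_keepalive_interval 240000
```

Whichever layer sends the probes, the interval has to be shorter than the idle timeout of the device dropping the session, otherwise the connection state is gone before the first probe is sent.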
 

Author Comment

by:rdashokraj
ID: 17865468

Thanks for all your advice and suggestions. We are still working with the ISP to resolve this issue. We have now changed our QOS (Quality of Service) settings in the firewall to give high priority to Telnet and SSH traffic and asked the users to check. We are waiting for their result now.
0
 
LVL 3

Expert Comment

by:jhartzen
ID: 17866256
I doubt that QOS settings will affect TCP session timeout, but let us know the outcome.
0
 

Author Comment

by:rdashokraj
ID: 17871923
We will come to know the result by Monday. Thanks.
0
 

Author Comment

by:rdashokraj
ID: 17902601
Even after 3 days of working with the ISP, the users are still facing the Telnet termination problem. The issue is that we couldn't conclude at what time the connection terminates. It happens after 30 minutes, sometimes after 1 hour and sometimes after 2 hours. FYI: The users are using "Reflection" as the client software.
Making all the users switch over to SSH or other client software is an option, but it's not an easy task to implement, because there are around 2000 users and they are non-technical. Not sure how to resolve this?
0
 

Author Comment

by:rdashokraj
ID: 17924169
Changing QOS didn't fix the problem. At last we resolved it by switching over all the Reflection clients (around 2000) to use SSH connections instead of Telnet and made the necessary settings in the ssh_config file of all the servers they connect to. We prepared a memo on SSH connections and distributed it to all the users. It may take some time for them to get used to these SSH settings. Now things look to be fine. No connection termination has been reported till now. Anyway, this helped us to make our users switch over to SSH connections and say 'goodbye' to Telnet, which they had been using for ages.

Btw thanks for all your suggestions and ideas.
0
