CISCO ASA, 5510 - SSH CONNECTIONS DROPPING / SETTING UP PING

Newly installed Cisco ASA 5510; we are finding that SSH / Telnet connections to our remote servers are dropping from client terminals...
I was going to set up a ping to monitor, but echo is not set up.

I would like to set up echoes on the outside interface along with replies from inside to outside requests.
These are the access lists I have currently.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host xxx.xxx.x.25 eq www
access-list outside extended permit tcp any host xxx.xxx.x.25 eq https
access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp
access-list outside extended permit tcp any host xxx.xxx.x.25 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.26 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.20 eq 3389
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.25
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.26
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.20


Also DNS lookups have slowed......

Thanks for your help
FlyingFortress asked:
Markus Braun (CEO) commented:
Yes, I have had the problem with some of my customers too.
Depending on your load on the firewall, try this:
timeout conn 2:00:00 half-closed 0:30:00

If that's not enough, double the half-closed.
Problem is, if there is no traffic during that time, the session will drop again (like lunch break or such).
You don't want it to be too high if you have a lot of traffic.
If it's not enough, try adding 30 min to the conn timeout and 10 min to the half-closed step by step and watch your RAM usage on your ASA.
At one customer I had it on 3h conn and 1h half-closed.
If possible, ask the Unix guys to add some sort of keepalive to their program.
See if the timers ease up on your timeout problem, but other than that, since Unix wasn't built for internet connectivity, there is little you can do....
0
 
Pete Long (Technical Consultant) commented:
Add inspect icmp to your default map.

i.e.

policy-map global_policy
 class inspection_default
  inspect icmp
0
 
 
FlyingFortress (Author) commented:
Thanks, the ping responses are working. Do you have any clues as to why our SSH connections keep dropping?......

We have circa 25 client connections through the firewall.

Is this anything to do with the outside interface subnet?

interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx158 255.255.255.248


!
0
 
FlyingFortress (Author) commented:
If our domain controller is issuing DNS through DHCP, does the firewall need DNS entries?
0
 
collins23 commented:
Allow port 22 through the firewall.
0
 
collins23 commented:
I think the firewall should have DNS entries for your ISP, and your internal DHCP / DNS should be configured to forward queries for non-internal domains to the firewall.
0
 
InteraX commented:
Do the SSH connections stay established for a period of time? Are they active or inactive most of the time? I'm thinking that they may be affected by timeouts if they are inactive for periods of time.
0
 
FlyingFortress (Author) commented:
Ah ok, so our domain controller should give the LAN IP of the firewall, 192.168.51.1?

Just looking at allowing port 22 through the firewall:
the only access lists I have are ones that specify particular spare public IPs

access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp

Would I do this?
access-list outside extended permit tcp any host eq 22

Thanks
0
 
FlyingFortress (Author) commented:
This could be something - the activity on the interfaces of the customer service team is intermittent, as they use multiple systems. Is there a workaround?


Cheers
0
 
FlyingFortress (Author) commented:
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
0
 
InteraX commented:
Which SSH client? They could try setting the TCP Keepalive option in their clients.
0
 
FlyingFortress (Author) commented:
We also use port 23 (telnet) heavily; is this handled in the same way?
0
 
FlyingFortress (Author) commented:
Sure, there are settings for this, so I am going to test, thanks. So there are no formal settings for the firewall to keepalive the connections also?
0
 
InteraX commented:
Your inactive timeout for connected sessions is 1 hour. This can be extended, but it would potentially increase the timeout for everything not listed elsewhere and potentially increase memory usage.

timeout conn 1:00:00
0
 
collins23 commented:
Yes, that access list should work for you.

Hmm.. just to clarify:

DHCP should give out a DNS setting of your internal DNS server.

Then, in this DNS server's configuration, under forwarders is where you put the LAN IP of the firewall.
0
 
FlyingFortress (Author) commented:
Ok,

So currently we have our domain controller as the DHCP server, which issues the actual DNS entries.

ip – 192.168.51.100
sn – 255.255.255.0
dg – 192.168.51.1

dns servers
xxx.xxx.xx.30
xxx.xxx.xx.31

Looking at the server, the forwarders are set to the above – if I change these to the internal IP of the firewall, will I have to activate DNS on the inside and outside interface?

As currently it is only on the outside interface..

Thanks

0
 
collins23 commented:
If this setup is working for you, then leave it as is.

Otherwise you have to allow DNS queries to the firewall from internal.
0
 
FlyingFortress (Author) commented:
I tried changing the forward lookups to the firewall for a test and enabled the DNS lookup on the outside and inside interface, but it practically ground to a halt...

I think I have tried that before with the same result.
0
 
InteraX commented:
Cisco firewalls cannot run DNS servers, even as a proxy.

Your clients' DNS servers should be set to your internal DCs.

Your DCs should have their IP stack DNS servers set to one of the DCs as primary and, if you have more, another as the secondary. E.g. server A is primary for all DCs, server B is secondary for all DCs, server C is tertiary for all DCs, etc...

The DNS server software should be set to forward to your ISP's DNS servers.

The firewall cannot run the keepalives for you.
0
 
FlyingFortress (Author) commented:
Understood.
The ASA has the DNS settings enabled on the outside interface - are these required at all?

Thanks
0
 
collins23 commented:
Are you able to perform DNS queries to your ISP's DNS servers from the DC?
0
 
FlyingFortress (Author) commented:
Yes, 100%.

When you write mem on an ASA, does that temporarily disconnect from the gateway?
0
 
collins23 commented:
Don't think so..
0
 
collins23 commented:
write mem only saves the config.
0
 
InteraX commented:
As soon as the config is entered on the command line, it is running on the device. When you mention that it has the DNS settings enabled on the outside, do you mean it is querying an external DNS server for resolution? This should not cause any problems, but you may prefer to use an internal server so that you can resolve internal addresses.
0
 
FlyingFortress (Author) commented:
Ok thanks,

So I can disable the DNS on the outside interface and enable the inside interface to look at the DC internal IP?..

Thanks
0
 
InteraX commented:
Yes, you should be able to disable the DNS lookup on the outside interface and enable it on the inside interface.
0
 
Markus Braun (CEO) commented:
And on a security note, DNS and firewalls should not be in one sentence together.
Only with IP addresses do you know where your traffic goes.
DNS can be manipulated, spoofed, etc. etc.
Therefore, using a firewall to look up IPs it is using is very insecure.
So NO DNS resolution in your firewall.

On your problem,

it is most likely here:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Is the telnet and SSH you use related to AS400/Unix systems?
They usually don't send keepalives and have bad IP/TCP habits, e.g. keeping half-open connections,
and they will time out in 10 min. You can set them higher, but then everything else will be on that timer too, and memory could be a problem if there are a lot of connections on your line, because they will all stay open till the timer runs out.
0
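One way to act on the timer advice above without putting every flow on the longer timer, added here as an example and not configuration from the thread or from any of the participants: the ASA Modular Policy Framework can give just the SSH/Telnet sessions their own idle and half-closed timeouts. It assumes ASA 8.2(2) or later syntax (on older images the `idle` keyword is `tcp`), the 192.168.51.0/24 inside subnet from the question, and that the shipping hosts are reached on TCP 22 and 23.

```cisco
! Added example: a longer idle timeout for SSH/Telnet sessions only,
! so the global "timeout conn 1:00:00 half-closed 0:10:00" stays in
! force for everything else and the conn table does not grow for
! unrelated traffic. Assumes ASA 8.2(2)+ syntax and 192.168.51.0/24.
!
! Match only the long-lived terminal sessions leaving the LAN.
access-list shipping_sessions extended permit tcp 192.168.51.0 255.255.255.0 any eq 22
access-list shipping_sessions extended permit tcp 192.168.51.0 255.255.255.0 any eq 23
!
class-map shipping_sessions
 match access-list shipping_sessions
!
! global_policy already exists (it carries inspection_default);
! adding a class to it keeps the existing inspections in place.
policy-map global_policy
 class shipping_sessions
  ! These flows idle out after 3h instead of the global 1h,
  ! and half-closed flows are kept 1h instead of 10 min.
  set connection timeout idle 3:00:00
  set connection timeout half-closed 1:00:00
  ! Dead Connection Detection: when the idle timer expires the ASA
  ! probes both endpoints (every 15 s, up to 5 tries) and only tears
  ! the connection down if an endpoint stops answering, so a quiet
  ! but still-open session survives without raising the timer again.
  set connection timeout dcd 0:00:15 5
!
! global_policy is normally already bound with this line; re-entering
! it is harmless.
service-policy global_policy global
```

Verify with `show service-policy` that the class shows matching flows, and with `show conn` that the idle timeout on an SSH connection is the per-class value rather than the global one.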
 
FlyingFortress (Author) commented:
Understood.
Yes, the telnet and SSH connections are related to Unix shipping systems.

Can the time out be put a little higher as a balance?

Thanks
0