
Solved

CISCO ASA, 5510 - SSH CONNECTIONS DROPPING / SETTING UP PING

Posted on 2010-09-14
Medium Priority
1,921 Views
Last Modified: 2013-11-16
Newly installed Cisco ASA 5510, finding that SSH / Telnet connections to our remote servers are dropping from client terminals...
I was going to set up a ping to monitor but the echo is not set up.

I would like to set up echoes on the outside interface along with replies from inside to outside requests.
These are the access lists I have currently.

access-list inside_access_in extended permit ip any any
access-list outside extended permit tcp any host xxx.xxx.x.25 eq www
access-list outside extended permit tcp any host xxx.xxx.x.25 eq https
access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp
access-list outside extended permit tcp any host xxx.xxx.x.25 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.26 eq 3389
access-list outside extended permit tcp any host xxx.xxx.x.20 eq 3389
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.25
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.26
access-list server_ext extended permit ip 192.168.51.0 255.255.255.0 host xxx.xxx.x.20


Also DNS lookups have slowed...

Thanks for your help
0
Question by:FlyingFortress
31 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 33672231
Add inspect icmp to your default map,

i.e.

policy-map global_policy
 class inspection_default
  inspect icmp
0
 
LVL 6

Expert Comment

by:collins23
ID: 33672280
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672368
Thanks, the ping responses are working. Do you have any clues as to why our SSH connections keep dropping?

We have circa 25 client connections through the firewall.

Is this anything to do with the outside interface subnet?

interface Ethernet0/0
 description Gateway
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx158 255.255.255.248
!
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672379
If our domain controller is issuing DNS through dhcp does the firewall need DNS entries?
0
 
LVL 6

Expert Comment

by:collins23
ID: 33672447
Allow port 22 through the firewall.
0
 
LVL 6

Expert Comment

by:collins23
ID: 33672463
I think the firewall should have DNS entries for your ISP, and your internal DHCP / DNS should be configured to forward queries for non-internal domains to the firewall.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33672543
Do the SSH connections stay established for a period of time? Are they active or inactive most of the time? I'm thinking that they may be affected by timeouts if they are inactive for periods of time.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672557
Ah ok, so our domain controller should give the LAN IP of the firewall, 192.168.51.1?

Just looking at allowing port 22 through the firewall:
the only access lists I have are ones that specify particular spare public IPs

access-list outside extended permit tcp any host xxx.xxx.x.25 eq ftp

Would I do this:
access-list outside extended permit tcp any host eq 22

Thanks
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672594
This could be something - the activity on the interfaces the customer service team uses is intermittent as they use multiple systems. Is there a workaround?


Cheers
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672600
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33672639
Which SSH client? They could try setting the TCP Keepalive option in their clients.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672641
We also use port 23 (telnet) heavily; is this handled in the same way?
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672654
Sure, there are settings for this so I am going to test, thanks. So there are no formal settings for the firewall to keep the connections alive as well?
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33672663
Your inactive timeout for connected sessions is 1 hour. This can be extended, but would potentially increase the timeout for everything not listed elsewhere and potentially increase memory usage.

timeout conn 1:00:00
0
 
LVL 6

Assisted Solution

by:collins23
collins23 earned 300 total points
ID: 33672666
Yes, that access list should work for you.

Hmm.. just to clarify:

DHCP should give out a DNS setting of your internal DNS server.

Then in this DNS server's configuration, under forwarders, is where you put the LAN IP of the firewall.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33672764
Ok,

So currently we have our domain controller as the DHCP server which issues the actual DNS entries.

ip – 192.168.51.100
sn – 255.255.255.0
dg – 192.168.51.1

dns servers
xxx.xxx.xx.30
xxx.xxx.xx.31

Looking at the server, the forwarders are set to the above. If I change these to the internal IP of the firewall, will I have to activate DNS on the inside and outside interface?

As currently it is only on the outside interface..

Thanks

0
 
LVL 6

Expert Comment

by:collins23
ID: 33672830
If this setup is working for you then leave it as is.

Otherwise you have to allow DNS queries to the firewall from internal.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33673018
I tried changing the forward lookups to the firewall for a test and enabled the DNS lookup on the outside and inside interface, but it practically ground to a halt...

I think I have tried that before with the same result.
0
 
LVL 16

Assisted Solution

by:InteraX
InteraX earned 300 total points
ID: 33680082
Cisco firewalls cannot run DNS servers, even as a proxy.

Your clients' DNS servers should be set to your internal DCs.

Your DCs should have their IP stack DNS servers set to one of the DCs as primary and, if you have more, another as the secondary. E.g. server A is primary for all DCs, server B is secondary for all DCs, server C is tertiary for all DCs, etc...

The DNS server software should be set to forward to your ISP's DNS servers.

The firewall cannot run the keepalives for you.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33680317
Understood.
The ASA has the DNS settings enabled on the outside interface - are these required at all?

Thanks
0
 
LVL 6

Expert Comment

by:collins23
ID: 33680333
Are you able to perform DNS queries to your ISP's DNS servers from the DC?
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33680337
Yes 100%.

When you write mem on an ASA does that temporarily disconnect from the gateway?
0
 
LVL 6

Expert Comment

by:collins23
ID: 33680349
Don't think so..
0
 
LVL 6

Expert Comment

by:collins23
ID: 33680351
write mem only saves the config.
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33680573
As soon as the config is entered on the command line, it is running on the device. When you mention that it has the DNS settings enabled on the outside, do you mean it is querying an external DNS server for resolution? This should not cause any problems, but you may prefer to use an internal server so that you can resolve internal addresses.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33680596
Ok thanks,

So I can disable the DNS on the outside interface and enable the inside interface to look at the DC's internal IP?..

Thanks
0
 
LVL 16

Expert Comment

by:InteraX
ID: 33681896
Yes, you should be able to disable the DNS lookup on the outside interface and enable it on the inside interface.
0
 
LVL 5

Expert Comment

by:Markus Braun
ID: 33699525
And on a security note, DNS and firewalls should not be in one sentence together.
Only with IP addresses do you know where your traffic goes.
DNS can be manipulated, spoofed, etc. etc.
Therefore using a firewall to look up IPs it is using is very insecure.
So NO DNS resolution in your firewall.

On your problem,

it is most likely here:
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Are the telnet and SSH you use related to AS400/Unix systems?
They usually don't send keepalives and have bad IP/TCP habits, e.g. keeping half-open connections,
and they will time out in 10 min. You can set them higher, but then everything else will be on that timer too, and memory could be a problem if there are a lot of connections on your line, because they will all stay open till the timer runs out.
0
 
LVL 1

Author Comment

by:FlyingFortress
ID: 33699570
Understood.
Yes, the telnet and SSH connections are related to Unix shipping systems.

Can the time out be put a little higher as a balance?

Thanks
0
 
LVL 5

Accepted Solution

by:Markus Braun
Markus Braun earned 1000 total points
ID: 33699672
Yes, I have had the problem with some of my customers too.
Depending on your load on the firewall,
try this:
timeout conn 2:00:00 half-closed 0:30:00

If that's not enough, double the half-closed.
Problem is, if there is no traffic during that time, the session will drop again (like lunch break or such).
You don't want it to be too high if you have a lot of traffic.
If it's not enough, try adding 30 min to the conn timeout and 10 min to the half-closed, step by step, and
watch your RAM usage on your ASA.
At one customer I had it on 3h conn and 1h half-closed.
If possible, ask the Unix guys to add some sort of keepalive to their program.
See if the timers ease up on your timeout problem, but other than that, since Unix wasn't built for internet connectivity, there is little you can do....
0
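The stepped timer change described in the accepted solution, as an added example that is not part of the thread: it parses the ASA `timeout` lines the asker posted (reproduced here as a constructed sample) and lays out each `timeout conn ... half-closed ...` step so it can be reviewed against RAM usage before being applied.

```python
"""Parse Cisco ASA `timeout` lines and plan the stepped conn / half-closed
increases from the accepted solution. SAMPLE_CONFIG is constructed from the
timers posted in the thread; this is an added example, not ASA code."""
import re

SAMPLE_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
"""

# Each timer is "<name> h:mm:ss"; trailing keywords such as "absolute" are skipped.
_PAIR = re.compile(r"(\S+)\s+(\d+:\d{2}:\d{2})")


def to_seconds(hms):
    """'1:00:00' -> 3600."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def to_hms(seconds):
    """3600 -> '1:00:00', the ASA's own notation."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}"


def parse_timeouts(config):
    """Return {timer name: seconds} for every `timeout` line in the config."""
    timers = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("timeout "):
            for name, value in _PAIR.findall(line[len("timeout "):]):
                timers[name] = to_seconds(value)
    return timers


def plan_steps(timers, steps=3, conn_step=1800, half_closed_step=600):
    """Start at the answer's first suggestion (2h conn, 30m half-closed), never
    below what is already configured, then add 30 min / 10 min per step.
    These timers are global: every idle TCP flow is held longer at each step."""
    conn = max(timers.get("conn", 0), 2 * 3600)
    half = max(timers.get("half-closed", 0), 30 * 60)
    lines = []
    for _ in range(steps):
        lines.append(f"timeout conn {to_hms(conn)} half-closed {to_hms(half)}")
        conn += conn_step
        half += half_closed_step
    return lines
```

Apply one line from `plan_steps` at a time and check memory on the ASA before moving to the next, as the answer advises.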
