Ian Arakel
asked on
Difference between EXEC timeout, SESSION timeout and SSH time-out in CISCO
Hi There.
Kindly explain the exact difference between EXEC timeout, SESSION timeout and SSH time-out in CISCO
I have referred the below link but this does not explain the exact reason for ssh time-out:
https://www.experts-exchange.com/questions/24867484/Cisco-Session-timeout-or-exec-timeout.html
Kindly explain the significance of mode under #sh ssh under router.
Referred the below link but could not relate to my router output:
https://supportforums.cisco.com/discussion/11783091/sh-ssh-session-asa
ROUTER OUTPUT
#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha1 Session started ****
0 2.0 OUT aes256-ctr hmac-sha1 Session started ****
%No SSHv1 server connections running.
#sh users
Line User Host(s) Idle Location
* 2 vty 0 *** idle 00:00:00 10.247.x.x
Interface User Mode Idle Peer Address
#
ASKER
Hi There,
Thanks for your input.
Kindly confirm the need for SSH time out and session timeout if I have exec time out configured that ensures that the console session times out if there is no activity/input from the user.
When you say "ssh timeout", if you are talking about "ip ssh timeout xx" that is how much time the router will wait for you to enter a valid user-id/password before it times out the connection.
So basically "ip ssh timeout xx" is a login timeout.
ASKER
Hi Glitjr,
To summarize
i) ssh timeout i.e. ip ssh time-out x: wait for x amount of time once the session is obtained for the user to enter the valid user name and password before kicking him out.
ii) exec timeout: Wait for x amount of idle time before timing out the user.
iii) session timeout: ???? Exact need for the same if I have both the above configured.
ASKER
Tx a lot.
When you use SSH V2 there is a unique encryption key used for "client to server" traffic and for "server to client" traffic. So Cisco uses "IN" and "OUT". So if you are SSH'ing from your computer to the Cisco device, "IN" is the traffic originating from your computer going to the Cisco device. The "OUT" is the traffic going from your Cisco device to your computer. SSH V1 uses the same key in both directions, so if you use SSH V1 it will only show one session.
EXEC vs. Session timeouts:
The way I understand it, "EXEC" time out is how long an ENABLE session will sit without any input from the user before it drops you out of ENABLE mode.
SESSION timeout is how long your TCP connection for SSH/TELNET will stay active before the Cisco device will disconnect the TCP connection.
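An added example, not part of any poster's reply: a small Python audit that reads the three settings discussed in this thread (ip ssh time-out, exec-timeout, session-timeout) from a running-config and lists the lines that have no idle timeout. The sample config is constructed, and the default values used when a command is absent are assumptions based on commonly documented IOS defaults.

```python
import re

# Constructed sample running-config (not taken from the page).
SAMPLE_CONFIG = """\
ip ssh time-out 60
!
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 5 30
 session-timeout 15
line vty 5 15
 transport input ssh
"""

# Assumed IOS defaults when a command is absent from the running-config.
DEFAULTS = {"exec_secs": 600, "session_mins": 0}  # exec-timeout 10 0; no session timeout
DEFAULT_SSH_LOGIN_SECS = 120                      # ip ssh time-out 120

def audit_timeouts(config):
    """Return (ssh_login_secs, {line_name: {"exec_secs", "session_mins"}})."""
    ssh_login = DEFAULT_SSH_LOGIN_SECS
    lines, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):   # any top-level command closes the line block
            current = None
        if m := re.fullmatch(r"ip ssh time-out (\d+)", text):
            ssh_login = int(m.group(1))
        elif m := re.fullmatch(r"line (.+)", text):
            current = lines.setdefault(m.group(1), dict(DEFAULTS))
        elif current is not None:
            if m := re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", text):
                current["exec_secs"] = int(m.group(1)) * 60 + int(m.group(2) or 0)
            elif text == "no exec-timeout":
                current["exec_secs"] = 0
            elif m := re.fullmatch(r"session-timeout (\d+)(?: output)?", text):
                current["session_mins"] = int(m.group(1))
    return ssh_login, lines

def lines_without_idle_timeout(lines):
    """Lines where exec-timeout is 0 0, so an idle session is never dropped."""
    return sorted(name for name, t in lines.items() if t["exec_secs"] == 0)

if __name__ == "__main__":
    login, per_line = audit_timeouts(SAMPLE_CONFIG)
    print(login, per_line, lines_without_idle_timeout(per_line))
```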