Why does my ssh timeout vary with network location?
Solution 1
There is a good writeup on this problem here.
They recommend:
ssh -o TCPKeepAlive=yes
or:
ssh -o TCPKeepAlive=no -o ServerAliveInterval=15
However, I do have an issue at my work site where I get disconnected from sessions, where at home they are fine. I believe my firewall (SonicWall) may be flucking with TCPKeepAlive, maybe because of NAT.
My SSH client, SecureCRT, fortunately has an option for a "NO-OP" protocol, which I believe basically sends a command that doesn't do anything to the server. By manually enabling this I am able to remain connected. Not sure what the MacOSX terminal client has that is similar to that. There is a writeup on how to implement "NO-OP" on command line.
Finally, you may wish to use Wireshark or other sniffer to watch your actual TCP connection to find out what is going on with it. That would be the final way to see why it is still disconnecting occasionally.
Solution 2
This is probably because when your are connecting from home you pass through a firewall that close TCP session after a small amount of time. But TcpKeepAlive should avoid this. Did you enabled TcpKeepAlive on client side or on server side ?
Solution 3
I get this all the time on my Comcast connection. The problem is that your SSH client's keep-alive interval is too long for the timeout configured in your network path. If you're on Linux, you can modify the ServerAliveInterval
and ServerAliveCounter
values to be lower than their defaults. This value is set in seconds. The system-wide config file is found (generally) in /etc/ssh/ssh_config
. Setting those two AND TcpKeepAlive
should help keep your connection going.
Solution 4
Like radius says, some state-full firewalls do 'forget' a connection after certain (usually configurable) time and will not allow further communication for the connection; they expect the connection to start with a TCP SYN (i refer to your SSH communication here).
There is another possibility. The network path between your home and office may have losses (of the packet kind). When you try to type on the SSH client, if your link has stalled for a while, the client might give up and fail.
Keepalive configuration on the client will handle the first case here but cannot help in the second case. The firewall would usually be at your office perimeter and therefore might be configurable. That would also help on the first point.
To check if you are having intermittent link losses you could keep a 'ping' active in the background from your client machine.
Related videos on Youtube
gareth_bowles
Updated on September 17, 2022Comments
-
gareth_bowles over 1 year
When I'm ssh'ed into one of our office servers (which run Fedora 10) from home, my session times out after a fairly short period of activity (5 minutes or so). I've tried using
TcpKeepAlive
on the client side, to no effect.The thing I don't understand is that if I'm in the office on the company LAN, I can leave a session inactive all day without it timing out, so the behaviour seems to be dependent on my location.
Any ideas why this is happening and how to prevent timeouts when I'm not on the LAN ? I'm using the Terminal client on Mac OSX if that helps.
UPDATE - Dave Drager's suggestion of using the
ServerAliveInterval
set to non-zero withTcpKeepAlive=no
worked for me. Regarding some of the other answers, theClientAlive
... settings aren't accepted by the Mac OSX SSH client. -
gareth_bowles almost 15 yearsI did the TcpKeepAlive on the client side (in my ~/.ssh/config) - I thought this would address local firewall issues, but it still times out.
-
radius almost 15 yearsBy default it's "on" on the server side, but check the sshd_config to see if it has not been disabled.
-
TomOnTime almost 15 yearsSome firewalls disconnect a TCP connection after a certain amount of time EVEN if they aren't idle.
-
TomOnTime almost 15 yearsSome firewalls disconnect a TCP connection after a certain amount of time EVEN if they aren't idle. The way to detect this is to see if you get disconnected consistently.
-
Matt Simmons almost 15 yearsHere are the settings I used to fix: TCPKeepAlive no, ClientAliveInterval 300, ClientAliveCountMax 3
-
gareth_bowles almost 15 yearsThanks, Dave - the ServerAliveInterval option worked great.
-
Jonathan Day over 12 years@Dave I had heard that some server admins frown on this practice as it can be either (a) security risk, or (b) unwarranted server load. Are either of these concerns valid, IYHO?
-
Dave Drager over 12 yearsThis is a setting on the client endpoint, so although if you are in a hostile environment this might add to the ability for someone to spoof you, it is very highly unlikely to make an impact on the security of the connection. I can't really see this causing extra load, either.
-
Dan Dascalescu almost 9 yearsThis fix worked for PuTTY as well. The only option I had to set was in Connection -> Seconds between Keepalive: 15. SSH session has been alive and well for over 8 hours (Comcast), while it would usually disconnect in <30 minutes.