Timeout with OpenSSH through firewall - putty ok - with workaround
Hi,
It seems WinSCP does not respond to OpenSSHv2 server's keepalives.
I had an OpenSSHv2 server set up with ClientAliveInterval 60, which was just short enough that it required WinSCP to answer because the server's 60 second keepalive got triggered just before WinSCP's minimum keepalive of 1 minute. And WinSCP didn't respond to the server's keepalive packet properly, it seems, so the server terminated the connection (after 6 minutes of inactivity, in my case).
The workaround was to change the server configuration to ClientAliveInterval 120 so that WinSCP's null-packet timeout got there in time, so the server's timeout mechanism is never used. Of course that requires root access on the remote server...
Putty, which WinSCP is based on, responds correctly to the server's keepalive packets, it seems...
Sincerely,
Peter
Details:
I'm connecting through NAT and a firewall. The NAT in the firewall (that I can't change) kills TCP sockets if they aren't used, so this had been set in OpenSSH's sshd_config (on a server outside the firewall):
KeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 6
Now the server sends a keepalive every 60 secs, and the client is supposed to respond.
Putty does this but WinSCP does not. After 6 minutes, if I try to do anything, e.g. change directory, I get this error message:
Server sent disconnect message
type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
"Timeout, your session not responding."
I've looked with SnifferPRO and with Ethereal, and of course it isn't possible to decode SSH, but the following happens every 60 seconds:
The server sends a 122 byte TCP packet from port 22 to the client port. (Keepalive)
Putty responds shortly after with a 90 byte packet (containing 36 bytes of data) and the server responds shortly after that with a 60 byte packet. (Just an ACK?) Putty keeps the connection open indefinitely.
WinSCP, on the other hand, responds to the server's packet with a 60 byte packet with no data. (Just an ACK?) After 6 minutes, the server sends a packet with the FIN set and then the first time I try to do anything with the GUI, I get the quoted error message above.
For both WinSCP and Putty, I start with a new session, enter host and username, and only change the SSH version to "2 only". I also tried the "Use scp2 with scp1 compat." setting and that had the same behavior.
I've also tried with OpenSSH's ssh client and that works fine too. (Haven't traced it though.)
Sniffer traces and what the dialog box looks like can be found here for at least a week or two:
<invalid link removed>
(For debugging and tracing, I changed sshd settings to
ClientAliveInterval 10
ClientAliveCountMax 3
)
After that, I tried to change the server settings to
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 3
and check WinSCP's "Sending of null packets to keep session alive" and set "Minutes between keepalives" to 1 (winscp_longerServerTimeout.cap). That worked. Now the session is kept up indefinitely.
Software versions:
Clients:
WinSCP: version: 2.2.0 (Build 122)
Putty: 0.53 (no "b")
OS: Windows XP
Server:
OpenSSH_3.4p1
RedHat 8.0
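
Added example (not part of the original post, and not OpenSSH or WinSCP code): a simplified timing model of the keepalive behaviour described above, run over the settings quoted in the post. It assumes the server disconnects once ClientAliveCountMax probes in a row go unanswered, that a client null packet restarts the server's idle timer without clearing that count, and that on a tie the server's probe goes first; the function and parameter names are hypothetical.

```python
def simulate(interval, count_max, null_every=None, client_replies=False,
             horizon=3600):
    """Return the second at which the modelled server disconnects,
    or None if the session is still up after `horizon` seconds."""
    timer_start = 0          # when the server's idle timer was last restarted
    unanswered = 0           # probes sent without an SSH-level reply
    next_null = null_every   # time of the client's next null packet, if any
    while True:
        probe_at = timer_start + interval
        if next_null is not None and next_null < probe_at:
            # The client's null packet arrives first: the server has seen
            # data, so its idle timer restarts and no probe is sent.
            if next_null > horizon:
                return None
            timer_start = next_null
            next_null += null_every
            continue
        if probe_at > horizon:
            return None
        # Idle timer expired: the server sends a keepalive probe.
        if client_replies:
            unanswered = 0       # an SSH-level reply clears the count
        else:
            unanswered += 1      # a bare TCP ACK does not count as a reply
            if unanswered >= count_max:
                return probe_at
        timer_start = probe_at


# Constructed scenarios built from the settings quoted in the post.
SCENARIOS = [
    ("interval 60, max 6, client never replies", (60, 6), {}),
    ("interval 60, max 6, null packets every 60s", (60, 6), {"null_every": 60}),
    ("interval 60, max 6, client replies to probes", (60, 6), {"client_replies": True}),
    ("interval 10, max 3, client never replies", (10, 3), {}),
    ("interval 120, max 3, null packets every 60s", (120, 3), {"null_every": 60}),
]


def run_scenarios():
    return [(label, simulate(*args, **kw)) for label, args, kw in SCENARIOS]


if __name__ == "__main__":
    for label, result in run_scenarios():
        outcome = "stays up" if result is None else f"disconnect at {result}s"
        print(f"{label:48s} {outcome}")
```

In this model the 60-second client null packet never beats a 60-second ClientAliveInterval, so the unanswered count still reaches the limit at 360 seconds, while with ClientAliveInterval 120 the server's probe is never sent at all.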