Timeout with OpenSSH through firewall - putty ok - with workaround

pmorch
Guest

Hi,

It seems WinSCP does not respond to OpenSSHv2 server's keepalives.

I had an OpenSSHv2 server set up with ClientAliveInterval 60, which was just short enough that it required WinSCP to answer because the server's 60 second keepalive got triggered just before WinSCP's minimum keepalive of 1 minute. And WinSCP didn't respond to the server's keepalive packet properly, it seems, so the server terminated the connection (after 6 minutes of inactivity, in my case).

The workaround was to change the server configuration to ClientAliveInterval 120 so that WinSCP's null-packet timeout got there in time, so the server's timeout mechanism is never used. Of course that requires root access on the remote server...

Putty, which WinSCP is based on, responds correctly to the server's keepalive packets, it seems...

Sincerely,

Peter

Details:

I'm connecting through NAT and a firewall. The NAT in the firewall (that I can't change) kills TCP sockets if they aren't used, so this had been set in OpenSSH's sshd_config (on a server outside the firewall):

KeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 6

Now the server sends a keepalive every 60 secs, and the client is supposed to respond.

Putty does this but WinSCP does not. After 6 minutes, if I try to do anything, e.g. change directory, I get this error message:

Server sent disconnect message
type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
"Timeout, your session not responding."

I've looked with SnifferPRO and with Ethereal, and of course it isn't possible to decode SSH, but the following happens every 60 seconds:

The server sends a 122 byte TCP packet from port 22 to the client port. (Keepalive)

Putty responds shortly after with a 90 byte packet (containing 36 bytes of data) and the server responds shortly after that with a 60 byte packet. (Just an ACK?) Putty keeps the connection open indefinitely.

WinSCP, on the other hand, responds to the server's packet with a 60 byte packet with no data. (Just an ACK?) After 6 minutes, the server sends a packet with the FIN set and then the first time I try to do anything with the GUI, I get the quoted error message above.

For both WinSCP and Putty, I start with a new session, enter host and username, and only change the SSH version to "2 only". I also tried the "Use scp2 with scp1 compat." setting and that had the same behavior.

I've also tried with OpenSSH's ssh client and that works fine too. (Haven't traced it though.)

Sniffer traces and what the dialog box looks like can be found here for at least a week or two:
<invalid link removed>
(For debugging and tracing, I changed sshd settings to
ClientAliveInterval 10
ClientAliveCountMax 3
)

After that, I tried to change the server settings to
KeepAlive yes
ClientAliveInterval 120
ClientAliveCountMax 3
and check WinSCP's "Sending of null packets to keep session alive" and set "Minutes between keepalives" to 1 (winscp_longerServerTimeout.cap). That worked. Now the session is kept up indefinitely.

Software versions:

Clients:
WinSCP: version: 2.2.0 (Build 122)
Putty: 0.53 (no "b")
OS: Windows XP

Server:
OpenSSH_3.4p1
RedHat 8.0

martin
Site Admin

Re: Timeout with OpenSSH through firewall - putty ok - with workaround

Thanks for your information. One additional question: Which version of Putty are you using?
_________________
Martin Prikryl

Guest

martin wrote:

Thanks for your information.

Same problem with WinSCP 3.1 on Windows 2000 Pro, with ssh server on OpenBSD 3.3. Putty and ssh in cygwin work, though. I'll try the workaround, and hopefully the problem disappears.

Otherwise, WinSCP looks quite nice.

Sigfred

Guest

I have the same problem with WinSCP 3.6.1. Server Keep-alives are on. I can do uploads and downloads as long as no server keep-alive packet arrives. My sshd keep-alive setting is 10 seconds. It's very annoying to reconnect after just 10 seconds.

Can you please solve this problem? PuTTY (0.54) and PSCP work fine!


Greetz
Thomas (thosi@bluewin.ch)

martin
Site Admin

Guest wrote:

I have the same problem with WinSCP 3.6.1. Server Keep-alives are on. I can do uploads and downloads as long as no server keep-alive packet arrives. My sshd keep-alive setting is 10 seconds. It's very annoying to reconnect after just 10 seconds.

I'll check it. What is your server?
_________________
Martin Prikryl

martin
Site Admin

I believe that this was fixed in 3.7.2, wasn't it?
WinSCP now detects dropped connection immediately. It also responds to server keepalive requests immediately (keepalive@openssh.com).
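
The keepalive exchange discussed in this thread, as an added example that is not part of the original posts and is not WinSCP or PuTTY code: RFC 4254 requires that a global or channel request the client does not recognize, sent with want_reply set, be answered with a failure message. It covers both request kinds; the sample payloads are constructed and `local_to_remote` is a hypothetical channel table.

```python
import struct

SSH_MSG_GLOBAL_REQUEST, SSH_MSG_REQUEST_FAILURE = 80, 82    # RFC 4254
SSH_MSG_CHANNEL_REQUEST, SSH_MSG_CHANNEL_FAILURE = 98, 100  # RFC 4254

def ssh_string(data):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode an SSH 'string' at `off`; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:end], end

def reply_for(payload, local_to_remote):
    """Reply owed for a request this client does not recognize, or None.

    `payload` is a decrypted SSH message. `local_to_remote` maps our channel
    numbers to the peer's (hypothetical bookkeeping for this example).
    """
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == SSH_MSG_GLOBAL_REQUEST:
        _name, off = read_string(payload, 1)
        failure = bytes([SSH_MSG_REQUEST_FAILURE])
    elif payload[0] == SSH_MSG_CHANNEL_REQUEST:
        if len(payload) < 5:
            raise ValueError("truncated channel number")
        local_id = struct.unpack_from(">I", payload, 1)[0]
        _name, off = read_string(payload, 5)
        if local_id not in local_to_remote:
            raise ValueError("request for unknown channel")
        failure = struct.pack(">BI", SSH_MSG_CHANNEL_FAILURE, local_to_remote[local_id])
    else:
        return None  # not a request (e.g. SSH_MSG_IGNORE): nothing to answer
    if off >= len(payload):
        raise ValueError("missing want_reply flag")
    return failure if payload[off] != 0 else None

# Constructed sample payloads (not captured traffic).
NAME = ssh_string(b"keepalive@openssh.com")
GLOBAL_KEEPALIVE = bytes([SSH_MSG_GLOBAL_REQUEST]) + NAME + b"\x01"
CHANNEL_KEEPALIVE = struct.pack(">BI", SSH_MSG_CHANNEL_REQUEST, 0) + NAME + b"\x01"

if __name__ == "__main__":
    print(reply_for(GLOBAL_KEEPALIVE, {}).hex(), reply_for(CHANNEL_KEEPALIVE, {0: 7}).hex())
```

A TCP-level ACK alone is not such a reply; the SSH-level failure message is what the server counts as a response to its keepalive.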
