Netgate Discussion Forum
    Routed SSH Sessions are killed After 15 Minutes Whether Active or Not

    Firewalling

    netnerd

      Hi everyone. I am running 1.2.3-RELEASE on two Dell Poweredge R300s with CARP configured for redundancy. Each node has four interfaces:

      em0: 192.168.1.x/24 (LAN1)
      em1: 10.0.20.x/22 (LAN2)
      bge0: 192.168.4.x/24 (CARP)
      bge1:  192.168.8.0/24 (WAN BEHIND ANOTHER ROUTER/FIREWALL)

      When connecting via SSH from LAN2 to another FreeBSD server on LAN1 I am disconnected (Broken Pipe: Write Failed) after exactly 15 minutes even if there is activity, i.e. top running etc. When I connect from LAN1 to the same server I remain connected. The server that I am connecting to is dual-homed with a separate interface on LAN2. SSH sessions over LAN2 to the same server stay connected.

      This behavior is not seen when I SSH into pfSense on either LAN1 or LAN2.

      I have tried changing the Firewall optimization Settings from 'normal' to 'conservative'. While set at 'normal' SSH sessions were terminated after only a couple of minutes.

      Here are the firewall log entries leading up to the session being killed off:

      Act Time If Source Dest Proto
      BLOCK: Jul 26 15:46:26 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:46:19 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:46:10 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:46:05 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:59 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:55 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:55 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:55 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:54 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:53 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:52 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:52 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
      BLOCK: Jul 26 15:45:39 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:31 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:30 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:27 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:26 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:25 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:24 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:24 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:23 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:23 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      BLOCK: Jul 26 15:45:22 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
      PASS Jul 26 15:44:51 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:S

      Your help is greatly appreciated.

      cmb

        You have asymmetric routing because the host is dual homed, which will cause problems with any stateful firewall. You either need policy routing on the host itself to ensure all traffic leaves the same interface it enters via the appropriate gateway when off-subnet, or only use the interface IP where the default gateway resides when off-subnet, and only the local subnet IP when on subnet.

        Please don't post the same thing to both the forum and mailing list unless you don't have a response on one or the other after 24 hours.

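The pattern in the log above (one PASS on the SYN, then a run of BLOCKs for the ACK/PSH packets of the same 5-tuple on the same interface) is the signature of the missing-state problem cmb describes. The following is an added example, not code from the thread or from pfSense, that parses lines in that log format and flags flows showing this signature; the sample lines are constructed in the same layout as the post.

```python
import re
from collections import defaultdict

# Constructed sample in the forum post's log layout (newest first, as pfSense shows it).
SAMPLE_LOG = """\
BLOCK: Jul 26 15:45:23 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:P
BLOCK: Jul 26 15:45:22 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:A
PASS Jul 26 15:44:51 LAN2 10.0.21.100:50066 192.168.1.172:22 TCP:S
PASS Jul 26 15:40:01 LAN1 192.168.1.50:41000 192.168.1.172:22 TCP:S
"""

# "BLOCK:" carries a colon in the log, "PASS" does not; flags follow "TCP:".
LINE_RE = re.compile(
    r"^(?P<act>PASS|BLOCK):?\s+(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP:(?P<flags>\w+)$"
)


def parse_log(log_text):
    """Return one dict per parseable line; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_asymmetric_flows(log_text, min_blocks=1):
    """Map 5-tuple -> number of blocked non-SYN packets for flows whose SYN was passed.

    Two passes, so the result does not depend on whether the log is
    newest-first or oldest-first. A flow whose handshake was allowed but
    whose later ACK/PSH packets are blocked has no firewall state for them,
    which is what asymmetric routing through a stateful firewall looks like.
    """
    events = parse_log(log_text)
    key = lambda ev: (ev["iface"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
    syn_passed = {key(ev) for ev in events if ev["act"] == "PASS" and ev["flags"] == "S"}
    blocked = defaultdict(int)
    for ev in events:
        if ev["act"] == "BLOCK" and "S" not in ev["flags"] and key(ev) in syn_passed:
            blocked[key(ev)] += 1
    return {k: n for k, n in blocked.items() if n >= min_blocks}


if __name__ == "__main__":
    for flow, n in find_asymmetric_flows(SAMPLE_LOG).items():
        print(f"suspect asymmetric flow {flow}: {n} blocked packets after passed SYN")
```

Flows whose SYN was blocked outright, or that show no later blocks (the LAN1 session in the sample), are not reported, so the output isolates the state-loss pattern rather than ordinary rule denials.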
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.