Dropped connection after being idle for some time

Started by rebru, January 16, 2023, 01:09:03 PM

I have a problem. I'm behind the OPNsense and have a connection to an SSH server (routed to a Sophos UTM, because the SSH server is remote behind a tunnel which is actually still on the UTM, since I'm not able to connect the OPNsense to the UTM with OpenVPN). Connecting to this server is always possible, but after being idle for 10-15 minutes the OPNsense denies access to the SSH server and I'm not able to do anything in the existing connection.

The firewall log shows me "default deny/state violation rule", so I'm guessing this comes from the setting in the packet filter rule (default LAN -> *) in the advanced mode, where you can define how the state type should be handled. By default this is "keep state", but if this is active, the OPNsense will deny any connection after it has been idle for 10-15 minutes.

When I set this to none, everything works as expected.

So now my question: is this normal? And is it a good idea to set this to none? Are there any impacts on security?

1. This is normal. Connections terminate without a proper close all the time and the firewall needs to have some timeout to drop them from its table.
2. You can try setting

  ServerAliveInterval 30

in your SSH config.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks a lot, but this is not only a problem for SSH, but also for my Outlook client, which is routed over the UTM too (the Exchange server is in my datacenter behind the tunnel). I was wondering this morning why I didn't receive emails even though the PMG said it had delivered some emails to my Exchange.

So the question is still: can I set the state type to none, or isn't that a good idea?



Outlook should initiate a connection, poll the server, close the connection ... every couple of minutes. Or reconnect transparently.

You could set the "State timeout" in the "Advanced" section of the rule to 1800 or 3600 seconds.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks again

But then I have to split up the default rule into two rules, one with protocol any and one with TCP only, because on the default rule with protocol any I'm not able to set this option (because of the error, TCP only).

I'll test that. Thanks for your help.


Quote from: pmhausen on January 16, 2023, 01:24:36 PM
1. This is normal. Connections terminate without a proper close all the time and the firewall needs to have some timeout to drop them from its table.
2. You can try setting

  ServerAliveInterval 30

in your SSH config.

Hmm, even with that setting (/home/user/.ssh/config) (in my case I first tried 30, then 15) my connection is still blocked again after some idle time.

This is weird and should not be the case. Here, with the interval set to 30 (seconds), an idle SSH session looks like this:


$ sudo tcpdump -n -i en12 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en12, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:45.811029 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 113766925:113766977, ack 4169088554, win 2048, options [nop,nop,TS val 1946454705 ecr 3877894085], length 52
15:07:45.830129 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 1:29, ack 52, win 1036, options [nop,nop,TS val 3877924106 ecr 1946454705], length 28
15:07:45.830212 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 29, win 2047, options [nop,nop,TS val 1946454725 ecr 3877924106], length 0
15:08:15.835059 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 52:104, ack 29, win 2048, options [nop,nop,TS val 1946484729 ecr 3877924106], length 52
15:08:15.852210 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 29:57, ack 104, win 1036, options [nop,nop,TS val 3877954130 ecr 1946484729], length 28
15:08:15.852260 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 57, win 2047, options [nop,nop,TS val 1946484746 ecr 3877954130], length 0
15:08:45.856870 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 104:156, ack 57, win 2048, options [nop,nop,TS val 1946514751 ecr 3877954130], length 52
15:08:45.875281 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 57:85, ack 156, win 1036, options [nop,nop,TS val 3877984153 ecr 1946514751], length 28
15:08:45.875349 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 85, win 2047, options [nop,nop,TS val 1946514769 ecr 3877984153], length 0
^C
9 packets captured
169025 packets received by filter
0 packets dropped by kernel


Note the 30 s interval between exchanges. These are the keepalive packets, and they should keep any stateful firewall/NAT session open regardless of the firewall product.

Can you check if the keepalives are present in your case?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
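The check asked for above, as an added example that is not part of the thread: a small parser for tcpdump lines in the format shown in the capture (timestamp, `IP6 src > dst:`, `length N`) that measures the longest silence between packets and the interval at which the client sends keepalives, so you can compare it against the rule's state timeout. The sample input is the capture from the post; the client address constant and the 1800-second timeout used in the usage are taken from the thread, everything else (function names, the midnight-wrap handling) is my own assumption.

```python
"""Verify that SSH keepalives in a tcpdump capture are frequent enough to
keep a stateful firewall's session entry alive.

Added example (not code from the thread or from OPNsense). Parses tcpdump
lines of the form "HH:MM:SS.ffffff IP6 src > dst: ... length N".
"""
import re
from datetime import timedelta, datetime
from statistics import median

# Fields we need from a tcpdump line: time, source, destination, payload length.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): .*length (?P<len>\d+)$"
)

# Client socket as it appears in the capture in the post (address.port).
CLIENT = "2003:a:827:2a00:4939:9c75:99d3:eef2.64078"

# Sample input: the nine packets from the post's capture (comment lines from
# tcpdump itself are skipped by the parser).
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en12, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:45.811029 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 113766925:113766977, ack 4169088554, win 2048, options [nop,nop,TS val 1946454705 ecr 3877894085], length 52
15:07:45.830129 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 1:29, ack 52, win 1036, options [nop,nop,TS val 3877924106 ecr 1946454705], length 28
15:07:45.830212 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 29, win 2047, options [nop,nop,TS val 1946454725 ecr 3877924106], length 0
15:08:15.835059 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 52:104, ack 29, win 2048, options [nop,nop,TS val 1946484729 ecr 3877924106], length 52
15:08:15.852210 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 29:57, ack 104, win 1036, options [nop,nop,TS val 3877954130 ecr 1946484729], length 28
15:08:15.852260 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 57, win 2047, options [nop,nop,TS val 1946484746 ecr 3877954130], length 0
15:08:45.856870 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [P.], seq 104:156, ack 57, win 2048, options [nop,nop,TS val 1946514751 ecr 3877954130], length 52
15:08:45.875281 IP6 2a00:b580:8000:13:921b:eff:fe63:ef77.22 > 2003:a:827:2a00:4939:9c75:99d3:eef2.64078: Flags [P.], seq 57:85, ack 156, win 1036, options [nop,nop,TS val 3877984153 ecr 1946514751], length 28
15:08:45.875349 IP6 2003:a:827:2a00:4939:9c75:99d3:eef2.64078 > 2a00:b580:8000:13:921b:eff:fe63:ef77.22: Flags [.], ack 85, win 2047, options [nop,nop,TS val 1946514769 ecr 3877984153], length 0
"""


def parse_tcpdump(text):
    """Return a list of (time, src, dst, payload_len); non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
        packets.append((t, m.group("src"), m.group("dst"), int(m.group("len"))))
    return packets


def _gaps(times):
    """Seconds between consecutive timestamps; a wrap past midnight adds one day."""
    out = []
    for a, b in zip(times, times[1:]):
        if b < a:
            b = b + timedelta(days=1)
        out.append((b - a).total_seconds())
    return out


def max_gap_seconds(packets, src=None):
    """Longest silence in the capture, optionally counting only packets from src."""
    times = [p[0] for p in packets if src is None or p[1] == src]
    gaps = _gaps(times)
    return max(gaps) if gaps else None


def keepalive_interval(packets, src):
    """Median spacing of payload-carrying packets from src (the keepalive cadence)."""
    times = [p[0] for p in packets if p[1] == src and p[3] > 0]
    gaps = _gaps(times)
    return median(gaps) if gaps else None


def keepalives_sufficient(packets, state_timeout_s, src=None):
    """True when the longest silence is shorter than the firewall's state timeout."""
    gap = max_gap_seconds(packets, src)
    return gap is not None and gap < state_timeout_s


if __name__ == "__main__":
    pk = parse_tcpdump(SAMPLE)
    print("packets parsed:", len(pk))
    print("client keepalive interval (s):", round(keepalive_interval(pk, CLIENT), 2))
    print("longest silence (s):", round(max_gap_seconds(pk), 2))
    # 1800 s is the state timeout suggested earlier in the thread.
    print("keeps a 1800 s state alive:", keepalives_sufficient(pk, 1800))
```

Run it against your own `tcpdump -n port 22` output instead of the embedded sample; if `keepalive_interval` returns `None`, no client packets with payload were seen during the idle period, which is the symptom of the `ServerAliveInterval` line not applying (in `~/.ssh/config` it only takes effect under a `Host` stanza that matches the server, or `Host *`). Note that a state timeout protects against stale entries, so the practical target is a keepalive interval well below whatever timeout the rule uses rather than a state type of none, which disables the stateful check entirely.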

January 16, 2023, 03:27:33 PM #7 Last Edit: January 16, 2023, 03:30:45 PM by rebru
 :-\

At first I didn't see those keepalive packets, but now I can see them. My bad, I forgot to set a host for that directive.

So for SSH that's the trick, but all other connections are still unusable after idling: 3CX phone, RDP, Outlook, Citrix, etc.

As soon as I minimize them to do some other stuff, when I reopen the window from the taskbar I have to wait ~15-20 seconds until the connection comes back. That's very annoying.

I never had problems like this under Sophos UTM, so I'm asking myself why.