Cell C firewall forced teardown of idle SSH sessions

morkhans

A MyBroadband
Super Moderator
Joined
Jun 22, 2007
Messages
10,896
It's been on my nag list for a while now, but now that I'm actively trying to get some work done at a client site over SSH it's time to post this topic.

The problem I am experiencing is that as soon as my SSH session is "idle" for about 2min, Cell C's firewall is closing the connection forcibly. This is immensely annoying when you are running something like mysqldump, which can easily return nothing to the prompt for 15-20min when dumping a 6GB database. I'm now having to resort to running everything in a screen session, disconnecting from screen, running top to generate enough traffic to keep SSH alive, and then having to reconnect to screen at intervals to see if my command is done.

Vodacom had the same problem a long while back and it was traced back to how the firewall was managing states.

Anyone else having similar experiences?
 

morkhans

A MyBroadband
Super Moderator
Joined
Jun 22, 2007
Messages
10,896
Why not set keepalives on?

By virtue of the fact that I am still logged in and have an open session it should be considered alive, but yes, that is a good suggested workaround. I'll have a dig in my PuTTY settings.
 

jem

Well-Known Member
Joined
Jan 9, 2008
Messages
443
By virtue of the fact that I am still logged in and have an open session it should be considered alive, but yes, that is a good suggested workaround. I'll have a dig in my PuTTY settings.

Or run up a screen session, then you can at least resume.
 

morkhans

A MyBroadband
Super Moderator
Joined
Jun 22, 2007
Messages
10,896
Or run up a screen session, then you can at least resume.

As mentioned, I am using screen, but it's a pain.

I found some details on keepalives for PuTTY. Setting it to 120 seconds seems to do the job. Thanks psc.

In other news: Repair on crashed db table has been running for 117min. Not gonna get much sleep tonight :/
 

IceQB

Expert Member
Joined
Jun 10, 2004
Messages
3,122
Had similar problems and just set the timeout on PuTTY.
But it sometimes just disconnects, but much better than before.
Haven't used Voda, but with MTN I never had SSH problems.
 

morkhans

A MyBroadband
Super Moderator
Joined
Jun 22, 2007
Messages
10,896
Had similar problems and just set the timeout on PuTTY.
But it sometimes just disconnects, but much better than before.
Haven't used Voda, but with MTN I never had SSH problems.

The keepalive setting is a double-edged sword. PuTTY is pretty good at keeping the connection alive when you are idle and your internet connection drops. So now with the keepalive set, if my connection goes down the keepalive can't send its packet, so it drops the session, whereas in a normal idle state if the link drops and comes back again it doesn't drop.
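
The trade-off described in this post can be put into numbers. The following is an added example, not part of the original thread and not PuTTY's own mechanism: it uses the Linux TCP keepalive socket options to show how the probe timers relate to a firewall idle timeout and to how long a link outage the connection survives. The 120-second firewall timeout is the "about 2min" reported above; the 300-second outage tolerance and the function names are assumptions.

```python
import math
import socket

def plan_keepalive(firewall_idle_s, outage_tolerance_s):
    """Return (idle, interval, count) for TCP keepalive probes.

    idle:     seconds of silence before the first probe; half the firewall's
              idle timeout, so a probe crosses before the state entry expires.
    interval: seconds between probes that got no answer.
    count:    unanswered probes tolerated before the kernel drops the socket.
    """
    idle = max(1, firewall_idle_s // 2)
    interval = idle
    # More tolerated probes = longer survivable outage, slower dead-peer detection.
    count = max(1, min(127, math.ceil(outage_tolerance_s / interval)))
    return idle, interval, count

def seconds_until_drop(idle, interval, count):
    """Approximate time from the last traffic until a dead link kills the session."""
    return idle + interval * count

def apply_keepalive(sock, idle, interval, count):
    """Enable keepalive on a TCP socket; returns True if the option is set."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux option names; skipped on platforms that do not expose them.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0

def demo():
    # Constructed inputs: 120 s firewall idle timeout, tolerate a 300 s outage.
    idle, interval, count = plan_keepalive(120, 300)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        enabled = apply_keepalive(s, idle, interval, count)
    return idle, interval, count, enabled, seconds_until_drop(idle, interval, count)

if __name__ == "__main__":
    print(demo())
```

A low probe count drops the session soon after the link fails, which is the behaviour the post complains about; a high count keeps it through longer outages at the cost of a dead session lingering for longer.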
 

IceQB

Expert Member
Joined
Jun 10, 2004
Messages
3,122
I know the feeling, just last week I did a MySQL backup that lasted 2 or 3 hours.
Changed to MTN to get it done.
 

shovenose

Senior Member
Joined
Oct 12, 2011
Messages
535
If you use the HTTPS, HTTP or FTP connection model and your network provider only uses a single official IP address for all its customers you should configure a "keepalive interval" of maybe 3000 milliseconds instead of using the default 20,000 milliseconds. This will ensure your underlying TCP streams will not be re-used for other users after being idle for a few seconds, and if it happens anyway both server and client notice more quickly.

Are you using any protection software that filters web requests? Many anti-virus applications include such a feature. Check your protection software and disable "WebGuard" or whatever it is called.

These apps try to inspect files sent by web servers and delay their delivery to the requesting application until they have been able to read enough bytes.

If the transport connection saturates your Internet connection, data will be queued somewhere in a router or a DSL modem, and in the worst case packets will be dropped and need to be retransmitted.

Test the connection with this:
http://www.your-freedom.net/index.php?id=downloads

It's free to use at low speeds of course, but will do fine for testing. If you want to test the fast test drives they offer, just select that option. You can set the RTT values etc. See if that connection breaks. If it does, tick the SSL option. If you're too lazy to create a nick and password over there, just PM me and I'll send you one to use.

The best is to install OpenVPN with it and just tick OpenVPN. Then you don't have to add proxies with any app.
 

Glipsie

Senior Member
Joined
Aug 27, 2003
Messages
588
Yup. Been a problem since launch. Same applies to RDP sessions. PPTP is blocked or just does not work through their firewall.
Cell C is not for business use
 

shovenose

Senior Member
Joined
Oct 12, 2011
Messages
535
What ports were you guys using? The standard ports? Why not do it over HTTPS 443?

Otherwise, timeouts are set with the idle-timeout option.

But if you have a firewall, fight back. I mean, if I want to cut a connection all I do is send a RST command to both ends. If you have set the timeout, used a different port and you are sure they're blocking/holding VPN/SSH connections ransom, just set it to stop responding to RST packets. You've got a firewall, don't you? If you're on Windows it might be your own firewall. Have you tried disabling IPv6?
 

Glipsie

Senior Member
Joined
Aug 27, 2003
Messages
588
Standard ports. Everything works fine on both MTN and Vodacom, so the simpler solution is just to get all your employees a data bundle from one of them. The unrestricted APN is a step in the right direction but not quite there yet.
 