For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Akhil_128431's avatar
Akhil_128431
Icon for Nimbostratus rankNimbostratus
Oct 10, 2014

Inactivity-timeout for tmsh connection

I had set the inactivity-timeout as 30 mins on my LTM (set months before). The tmsh list sys sshd inactivity-timeout returns me the following result. 

ssh sshd {
    inactivity-timeout 1800
}

I am expecting that any tmsh session that i establish on to my F5 box will timeout after the idle of 30 mins, but when i executed the w command recently, i see that there are stale connections that are idle for more than the given idle timeout. The output is given below..

[root@dc1autof5ltm01b:Active] config  w
 22:28:09 up 15 days,  6:37, 25 users,  load average: 0.97, 0.76, 0.67
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
testserver pts/0    192.168.31.50    20:11    2:16m  0.32s  0.30s tmsh
testserver pts/1    192.168.61.137   Mon11    4days  0.34s  0.32s tmsh
testserver pts/2    192.168.61.137   20:41    1:46m  0.32s  0.30s tmsh
testserver pts/3    192.168.61.137   Tue06    3days  0.32s  0.30s tmsh
testserver pts/4    192.168.61.137   Tue06    3days  0.33s  0.31s tmsh
testserver pts/5    192.168.61.137   Tue11    3days  0.37s  0.36s tmsh
root     pts/6    192.168.9.69     22:28    0.00s  0.03s  0.00s w
testserver pts/7    192.168.61.137   Tue18    3days  0.28s  0.26s tmsh
testserver pts/8    192.168.61.137   20:44    1:43m  0.31s  0.29s tmsh
testserver pts/9    192.168.61.137   20:46    1:41m  0.31s  0.30s tmsh
testserver pts/10   192.168.61.137   Tue06    3days  0.30s  0.29s tmsh
testserver pts/11   192.168.61.137   Wed09    2days  0.26s  0.24s tmsh
testserver pts/12   192.168.61.137   Wed09    2days  0.29s  0.27s tmsh
testserver pts/13   192.168.61.137   Wed11    2days  0.28s  0.27s tmsh
testserver pts/14   192.168.61.137   Wed12    2days  0.29s  0.28s tmsh
testserver pts/15   192.168.61.137   11:16   11:11m  0.33s  0.31s tmsh
testserver pts/17   192.168.31.77    17:14    5:13m  0.30s  0.28s tmsh
testserver pts/18   192.168.61.137   Wed16    2days  0.34s  0.33s tmsh
testserver pts/24   192.168.61.137   11:46   10:41m  0.26s  0.24s tmsh
testserver pts/26   192.168.61.137   Wed20    2days  0.34s  0.32s tmsh
testserver pts/32   192.168.61.137   Wed20    2days  0.31s  0.29s tmsh
testserver pts/34   192.168.61.137   13:21    9:06m  0.25s  0.23s tmsh
testserver pts/40   192.168.61.137   Wed20    2days  0.31s  0.29s tmsh
testserver pts/41   192.168.61.137   Thu11   35:11m  0.24s  0.22s tmsh
testserver pts/44   192.168.61.137   13:24    9:03m  0.25s  0.25s tmsh

The timeout happens properly in most of the cases-where my unused sessions get closed off properly, but there are a few sessions like these that are stale.

Am i doing or understanding it wrong, or is it that the F5 box is not acting on the inactive sessions?

application delivery
BIG-IP Access Policy Manager (APM)
BIG-IP DNS
LTM
management
security
TMSH

5 Replies

  • shaggy's avatar
    shaggy
    Icon for Nimbostratus rankNimbostratus
    Oct 10, 2014

    I generally set both the sshd and tmsh cli idle-timeouts:

    (Active)(/Common)(tmos) modify cli global-settings idle-timeout ?
Set the idle timeout value for users in the tmsh command line interface. Time is set in number of minutes or disabled.
  • Naresh_173597's avatar
    Naresh_173597
    Icon for Nimbostratus rankNimbostratus
    Oct 11, 2014

    Shaggy,

     

    Thanks for the reply, but in boxes of tmos version 10.x we don't find idle-timeout util.

     

    Here are some queries.

     

    1)Also is it mandatory to set these options to kick off idle sessions. Ain't those taken care by f5 itself without any manual configuration.

     

    2) If am setting the time-out today will it kill the older sessions as well.

     

    3) Is it advisable to clean the idle sessions with external scripts which looks some thing like this,

     

    netstat -anp | grep | awk '{print $7}' | cut -d \/ -f1 | grep -oE "[[:digit:]]{1,}" | xargs kill

     

    • shaggy's avatar
      shaggy
      Icon for Nimbostratus rankNimbostratus
      Oct 13, 2014
      try: tmsh modify sys global-settings console-inactivity-timeout I don't have a v10 to test, but it appears to have worked for someone else in v10
    • shaggy's avatar
      shaggy
      Icon for Nimbostratus rankNimbostratus
      Oct 13, 2014
      1) If you want session timeout, you should set these values. As far as I know, F5 doesn't have a default CLI/SSH/TMSH/bigpipe timeout. 2) I'm not sure if it will kill the older sessions as I expect the timeout applies to new sessions only. If they remain after making the change, you can use "ps | grep sshd | grep (user-name)" and "kill (pid)" to clear the old sessions 3) This isn't necessary if the timeouts are set and function as expected 3a) If this is an automated process/device logging into the F5, can it be configured to send the appropriate quit/exit commands to properly terminate the session when completed?
    • theprophet_2612's avatar
      theprophet_2612
      Icon for Nimbostratus rankNimbostratus
      Apr 28, 2016
      Just following guide, it can resolve your problem System > Configuration > SSHD. In the Idle Time Before Automatic Logout, adjust duration time you prefer