Forum Discussion
Chris_15973
Nimbostratus
Nov 29, 2007
Log SSH session information
Please forgive me for my inexperience.
My users SSH to LB'd servers and are being dropped before the timeout setting of 7200 seconds. I am troubleshooting to find out why.
I want to create an iRule that logs when a session starts and when it ends, and the details about that session. I can track using the session ID.
I know the basic setup of the irule could be something as follows:
When {
log
}
When {
log
}
I just need to know the TCL commands for SSH session, and I couldn't find anything in these forums or in google searches for syntax. Any ideas?
Thank You in advance for any help!
5 Replies
- JRahm
Admin
is that timeout set on the server or the load balancer? If only on the server, you'll need to set the idle timeout on the tcp profile associated with your virtual to 7200 as well.
To track connections in an irule, you could use the CLIENT_ACCEPTED, SERVER_CONNECTED, SERVER_CLOSED, & CLIENT_CLOSED events.
isn't the ssh sessionID encrypted?
- Chris_15973
Nimbostratus
I need to clarify this, I actually confused myself!
My users ssh over port 22 directly to a server. The default gateway of that server is my F5 bigip LTM, so the server replies to the SSH request through the bigip. The return path is different for this reason. I have this same setup for other devices without SSH issues, this is the only site where I am having a strange timeout of around 6 minutes. All configurations check out, which is why I am dumbfounded.
This will affect the iRule though because the bigip LTM is only catching the SSH session on the return. I'm not even sure it will see it as a session.
- Chris_15973
Nimbostratus
I would rather not mess with the default tcp timeout of 300 seconds, since I want a 7200 second timeout and I don't want all sessions to wait that long (could be too much overhead). I'll find a way to limit this to port 22.
- JRahm
Admin
You could specify a forwarding virtual for port 22 only, then apply a custom fastl4 profile with the idle timeout set at 7200.
- Chris_15973
Nimbostratus
This is turning out to be more of an actual issue with this redundant pair than anything.
Here are the facts thus far:
Sessions that are made based upon virtual servers are not timing out, they are following their rules.
Traffic, such as general SSH traffic (does not have a VS, just passes through the LTM), is disconnected between 5-6 minutes. At my other sites I have the same exact configuration setup without this issue, users can ssh all day without a problem.
The only difference between this site that has the problem and my other sites is the OS version.
If my users set a keepalive somewhere less than 5 minutes, they work fine. So the issue seems to be that the session is not receiving a keep-alive at this site, but my other sites do receive a keepalive. Question is why.
Either way, is there an iRule I can use to force a 60 second keep-alive on all SSH sessions that work across this LTM device?
On a side note, I changed the default TCP profile timeout from 300 seconds to 120, no change, still took 5 minutes to timeout on me.
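The connection tracking suggested in the first reply (CLIENT_ACCEPTED, SERVER_CONNECTED, SERVER_CLOSED and CLIENT_CLOSED), written out as an iRule. This is an added example, not code posted by anyone in the thread; it assumes the iRule is attached to a virtual server that handles the port-22 traffic (such as the forwarding virtual suggested above), and the log message wording is made up for illustration.

```tcl
# Added example, not from the thread. Assumes the iRule is attached to a
# virtual server that sees the SSH flows (e.g. a port-22 forwarding virtual).

when CLIENT_ACCEPTED {
    # Record the start time and the flow identity once, so the close
    # events can report how long the connection actually lived.
    set start_ms [clock clicks -milliseconds]
    set flow "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"

    # Log the idle timeout in effect for this connection; this shows
    # which profile value is really being applied to the flow.
    log local0. "SSH start: $flow idle_timeout=[IP::idle_timeout]s"
}

when SERVER_CONNECTED {
    # Server-side leg established; note which server took the flow.
    log local0. "SSH server connected: $flow server=[IP::server_addr]:[TCP::server_port]"
}

when SERVER_CLOSED {
    # Server-side leg gone. Comparing this timestamp with CLIENT_CLOSED
    # shows which side of the connection went away first.
    set age [expr {([clock clicks -milliseconds] - $start_ms) / 1000}]
    log local0. "SSH server closed: $flow after ${age}s"
}

when CLIENT_CLOSED {
    # Client-side leg gone. An age that clusters around one value
    # (for example ~300s) points at an idle timer rather than the user.
    set age [expr {([clock clicks -milliseconds] - $start_ms) / 1000}]
    log local0. "SSH client closed: $flow after ${age}s"
}
```

The entries go to the local0 facility, which on BIG-IP is written to /var/log/ltm.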
