I have been having issues with long-running ssh connections dropping. I want to blame our firewall, but I see no evidence of it timing out states (normally I'd see packets associated with a session that timed out being blocked). To help figure this out, I started an ssh session from one host to another after starting a tcpdump trace on both hosts.
Looking at the captures side by side in Wireshark, I'm a bit perplexed. Can anyone explain further what I'm seeing? Below is the text output of the "flow graph" from both ends. The first output is from the host that initiated the ssh session (sanitized to 10.1.1.1); the second output is from the ssh session's destination host (sanitized to 10.2.2.2). 10.1.1.1 has a firewall between it and the internet (no NAT though). 10.2.2.2 has a host-based firewall, but tcpdump sees the packets before any filtering.
I couldn't get the code formatting here to actually work, so I've put it here instead:
asked 20 Oct '11, 16:31
edited 20 Oct '11, 16:32
Looks like both sides are sending keep-alive packets after 2 hours, but they never reach each other. Most probably because the firewall in between has timed out the session. You can change the keep-alive interval on your ssh session to prevent the session from being dropped. Here is some info from the ssh_config manpage of ssh on my Mac:
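Added example (not part of the original question or answer): the side-by-side comparison of the two captures can be automated by finding segments one host sent that the other capture never recorded, and measuring how long the path had been idle before the first such segment. The segment tuples are constructed sample data, and `Seg`, `one_sided` and `idle_before_loss` are hypothetical names.

```python
from collections import namedtuple

# One TCP segment as exported from a capture: time (s), src, dst, seq, ack, payload length.
Seg = namedtuple("Seg", "t src dst seq ack length")

def key(s):
    """Identity of a segment that does not depend on either host's clock."""
    return (s.src, s.dst, s.seq, s.ack, s.length)

def one_sided(local, remote, me):
    """Segments `me` sent (per its own capture) that the peer's capture never saw."""
    seen = {key(s) for s in remote}
    return [s for s in local if s.src == me and key(s) not in seen]

def idle_before_loss(local, remote, me):
    """Return (idle_seconds, first_lost_segment), or None if everything arrived.

    idle_seconds is measured on the local clock from the last segment known to
    have crossed the path (received from the peer, or sent and seen remotely)
    to the first segment that vanished. If a stateful device expired the
    connection, its idle timeout is at most this value.
    """
    lost = one_sided(local, remote, me)
    if not lost:
        return None
    first = min(lost, key=lambda s: s.t)
    seen = {key(s) for s in remote}
    crossed = [s.t for s in local
               if s.t < first.t and (s.src != me or key(s) in seen)]
    return (first.t - max(crossed), first) if crossed else (None, first)

A, B = "10.1.1.1", "10.2.2.2"   # sanitized addresses from the question
# Constructed sample data (not the poster's capture): one data/ACK exchange,
# then each side sends a keep-alive probe 7200 s later that the other never sees.
CLIENT_CAP = [Seg(10.0, A, B, 1000, 5000, 48), Seg(11.0, B, A, 5000, 1048, 0),
              Seg(7211.0, A, B, 1047, 5000, 0)]
SERVER_CAP = [Seg(10.0, A, B, 1000, 5000, 48), Seg(10.0, B, A, 5000, 1048, 0),
              Seg(7210.0, B, A, 4999, 1048, 0)]

if __name__ == "__main__":
    for name, local, remote, me in (("client", CLIENT_CAP, SERVER_CAP, A),
                                    ("server", SERVER_CAP, CLIENT_CAP, B)):
        idle, seg = idle_before_loss(local, remote, me)
        print(f"{name}: first undelivered segment at t={seg.t}, path idle {idle} s before it")
```

Setting the ssh keep-alive interval below the reported idle time keeps traffic flowing before the state can expire.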