SSH Connection randomly drops (Palo Alto FW in between)

An SSH connection to a particular server drops randomly (usually 20-60 seconds after login). Between the client and the server is a Palo Alto firewall with SSH decryption disabled.

What I tried so far

  • regenerated ssh keys on the server
  • added to server config: ClientAliveInterval 30 ClientAliveCountMax 5
  • added ServerAliveInterval=10 to ssh command
  • added ServerKeepAlive=true to ssh command
  • tried various ssh clients

Nothing worked so far. Notice the "debug3: send packet: type 80" and "debug3: send packet: type 1" messages just at the moment before/after the connection is dropped. The firewall logs the SSH session and the termination reason is "tcp-rst-from-client".

I did a packet capture from within the firewall. Palo Alto allows capturing four different flows:

  • drop — When packet processing encounters an error and the packet is dropped.
  • firewall — When the packet has a session match or a first packet with a session is successfully created.
  • receive — When the packet is received on the dataplane processor.
  • transmit — When the packet is transmitted on the dataplane processor (from here)

It seems like the client sends a TCP RST message to the server. I am not an expert at analyzing such traces and hence would appreciate any support from you experts. I would like to append the capture to this thread; however, it seems like my karma is pretty bad ;)

Thanks in advance.
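
An added example, not part of the original post: one way to check a text rendering of such a capture for which side sent the first RST and how long the other side had been silent before it. It assumes the pcap was printed with tcpdump -nn -tttt -r; the sample lines and addresses are constructed, and first_rst is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample in `tcpdump -nn -tttt` text format (documentation-range addresses).
SAMPLE = """\
2024-01-01 10:00:00.000000 IP 192.0.2.10.51514 > 198.51.100.20.22: Flags [S], seq 1000, win 64240, length 0
2024-01-01 10:00:00.020000 IP 198.51.100.20.22 > 192.0.2.10.51514: Flags [S.], seq 5000, ack 1001, win 65160, length 0
2024-01-01 10:00:00.021000 IP 192.0.2.10.51514 > 198.51.100.20.22: Flags [.], ack 1, win 502, length 0
2024-01-01 10:00:31.000000 IP 192.0.2.10.51514 > 198.51.100.20.22: Flags [P.], seq 1:53, ack 1, win 502, length 52
2024-01-01 10:00:31.300000 IP 192.0.2.10.51514 > 198.51.100.20.22: Flags [P.], seq 1:53, ack 1, win 502, length 52
2024-01-01 10:00:33.000000 IP 192.0.2.10.51514 > 198.51.100.20.22: Flags [R.], seq 53, ack 1, win 0, length 0
"""

# timestamp, source addr.port, destination addr.port, TCP flags
LINE = re.compile(
    r"^(\S+ \S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def first_rst(capture_text, server_port=22):
    """Return who sent the first RST and how long the other side had been silent."""
    last_seen = {}  # role -> timestamp of that side's most recent packet
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-TCP or unparsable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        src, sport, dst, dport, flags = m.group(2, 3, 4, 5, 6)
        if int(sport) == server_port:
            role = "server"
        elif int(dport) == server_port:
            role = "client"
        else:
            continue  # not part of the SSH flow
        if "R" in flags:
            peer = "client" if role == "server" else "server"
            silent = None
            if peer in last_seen:
                silent = (ts - last_seen[peer]).total_seconds()
            return {"rst_from": role, "src": f"{src}:{sport}",
                    "time": m.group(1), "peer_silent_s": silent}
        last_seen[role] = ts
    return None  # no RST in this capture

if __name__ == "__main__":
    print(first_rst(SAMPLE))
```

Running it over the receive-stage and transmit-stage captures separately shows whether the RST was already present when the packet reached the firewall.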