MR_RJ
Jan 28, 2009

Issue with SSH and RDP connections times out

Hi,

When we first installed our BIG-IP LTM we had issues where RDP sessions going through the LTM were disconnected; same thing with SSH sessions to the LTM CLI.

To solve this I created a custom L4 profile that set the expire to infinite. ....indeed not a good way to solve this since it's causing problems when a host changes the MAC on the NIC.

I guess this is a common issue with RDP/SSH to time out. How do I solve this according to best practice?

F5 Support suggests that I should put the time out to 8h and tweak it until I find a level that suits our environment.

I don't think this should be an issue at all and shouldn't need any major changes to my config. So how does everyone else solve this?

Thanks in advance

Robert

3 Replies

  • http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=285

    Suggests:

    Idle Timeout

    The explanation of the idle timeout is fairly intuitive. This setting controls the number of seconds the connection remains idle before the LTM closes it. For most applications, the default 300 seconds is more than enough, but for applications with long-lived connections like remote desktop protocol, the user may want to leave the desk and get a cup of coffee without getting dumped but the administrators don't want to enable keepalives. The option can be configured with a numeric setting in seconds, or can be set to indefinite, in which case the abandoned connections will sit idle until a reaper reclaims them or services are restarted. I try to isolate applications onto their own virtual servers so I can maximize the profile settings, but in the case where a wildcard virtual is utilized, the idle timeout can be set in an iRule with the IP::idle_timeout command:

        when CLIENT_ACCEPTED {
            # Pick the idle timeout (in seconds) from the destination port
            switch [TCP::local_port] {
                "22" {
                    # SSH
                    IP::idle_timeout 600
                }
                "23" {
                    # Telnet
                    IP::idle_timeout 600
                }
                "3389" {
                    # RDP
                    IP::idle_timeout 3600
                }
                default {
                    IP::idle_timeout 120
                }
            }
        }

    ....Maybe this is _the_ way to go. Dunno if during the 3600 seconds the RDP keep-alive will keep this session active so it won't disconnect after 60min. We'll see!

    Any other ideas?

    //Robert


  • Hi Robert,

    Using an indefinite timeout would open yourself up to potential resource issues (ports and memory). If the VIPs are open to untrusted traffic, I'd definitely not use an indefinite timeout. Even for trusted clients, is it really a requirement to leave an idle connection up for more than eight hours? As Citizen Elah suggests in his article, it's more ideal if you can configure separate VIPs for separate protocols. If you want to keep the number of VIPs down and decide to use a single VIP for multiple protocols, then the iRule he provided does make good sense.

    Aaron
  • Another option may be to enable RDP Keepalives on your servers. This will keep a constant flow of traffic, so the connections do not time out. But it may not be compatible with older RDP clients.
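
Added example (not part of the thread, and not F5's or any poster's code): the keepalive approach from the last reply, shown as generic TCP keepalive on a Linux socket rather than the RDP server setting, with the probe timing derived from the per-port idle timeouts in the quoted iRule. It assumes a keepalive probe counts as traffic for the LTM idle timer, as that reply states; all function names are hypothetical.

```python
import socket

# Per-port idle timeouts in seconds, copied from the iRule quoted in the thread.
IDLE_TIMEOUTS = {22: 600, 23: 600, 3389: 3600}
DEFAULT_IDLE_TIMEOUT = 120
LINUX_DEFAULT_KEEPIDLE = 7200  # default of net.ipv4.tcp_keepalive_time


def idle_timeout_for(port):
    """Idle timeout the iRule would apply to a connection to `port`."""
    return IDLE_TIMEOUTS.get(port, DEFAULT_IDLE_TIMEOUT)


def keeps_flow_alive(port, keepidle):
    """True if the first keepalive probe is sent before the idle timeout expires."""
    return keepidle < idle_timeout_for(port)


def keepalive_plan(port, probes=3):
    """Return (keepidle, keepintvl, keepcnt) for `port`.

    The first probe goes out at half the idle timeout. If the peer is dead,
    the unanswered probes are used up by the time the timeout would expire,
    so the endpoint and the load balancer drop the flow at about the same time.
    """
    keepidle = max(1, idle_timeout_for(port) // 2)
    keepintvl = max(1, keepidle // probes)
    return keepidle, keepintvl, probes


def apply_keepalive(sock, port):
    """Enable TCP keepalive on `sock`, tuned for the timeout applied to `port`."""
    keepidle, keepintvl, keepcnt = keepalive_plan(port)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # The per-socket tuning options are Linux names; other platforms expose
    # different knobs, so set them only where the socket module defines them.
    for name, value in (("TCP_KEEPIDLE", keepidle),
                        ("TCP_KEEPINTVL", keepintvl),
                        ("TCP_KEEPCNT", keepcnt)):
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), value)
    return keepidle, keepintvl, keepcnt


if __name__ == "__main__":
    for port in (22, 3389, 8080):  # 8080 is a constructed "default" case
        print(port, keepalive_plan(port), "OS default is enough:",
              keeps_flow_alive(port, LINUX_DEFAULT_KEEPIDLE))
```

With the Linux default keepalive time of 7200 seconds, the first probe would be sent after every timeout in the iRule has already expired, which is why the values are set per socket instead of only enabling SO_KEEPALIVE.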