
A: I've been able to verify that the BEFSR41 will tear down idle connections after 7200 seconds (2 hours). This is a fairly common practice among "personal" router/firewalls of various brands. The reason is that the router's NAT (Network Address Translation) logic must maintain a table that tracks every outgoing connection, and it has to keep that table from growing without bound, so it "reaps" entries that have been idle for too long as a sort of "housekeeping" measure. Neither end of the connection is told about this: the next packet either side sends simply no longer matches a table entry and is dropped, so the session appears to hang.

Regardless of how justified this is, it can be quite annoying if, for example, you use ssh to stay logged in to a machine at work, or are running a long background job over the connection. The bad news is that there is no way to change the timeout value or turn it off from the router's setup screens.

The good news is that there are several ways to defeat NAT timeouts. The first is to exploit "TCP KeepAlive". Every operating system with a TCP/IP stack can send special probe packets on an idle connection at a set interval to check whether the other end is still alive; if the other end never answers the probes, the local stack tears the connection down.

This can be a bit confusing because the KeepAlive function is not really designed to "keep alive" an idle connection (it would be more accurate to call it "DetectDead"). However, it still works quite nicely against NAT timeouts because, as a side effect, each probe and its reply look like ordinary traffic to the router, so if probes are sent more often than the NAT timeout the table entry never goes idle.

The method for changing the KeepAlive interval varies from one operating system to another. Under Windows it's not easy to change, since there is no setting for it under Network in Control Panel. If you really want this you must edit the registry: the value is KeepAliveTime (in milliseconds, default 7,200,000) under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and a reboot is needed before it takes effect. Microsoft has a tech note about this (Knowledge Base Article 314053). This URL should work:

»support.microsoft.com/su ··· 0/53.asp

Under Linux it's much easier. The TCP KeepAlive idle time (seconds of silence before the first probe) is exposed through the "proc" filesystem (a virtual filesystem maintained by the kernel) at this path:

/proc/sys/net/ipv4/tcp_keepalive_time

The default just happens to be 7200 seconds (same as the BEFSR41 timeout), so the first probe races the router's reaper and usually loses. To defeat the NAT it must be smaller than the router's timeout, like 1800. Two neighbouring files, tcp_keepalive_intvl and tcp_keepalive_probes, control how often an unanswered probe is repeated and how many unanswered probes it takes before the kernel drops the connection. Setting the idle time to a really small value like 60 is frowned upon as bad network administration practice, especially if you are running a server, because the cost is paid on every keepalive-enabled connection the machine has. Note also that the kernel only sends probes on sockets whose application has turned on SO_KEEPALIVE; OpenSSH does this by default (TCPKeepAlive yes in ssh_config), but an arbitrary program may not, and for it the /proc setting changes nothing.

So to change it, as root, all you need to do is this:

echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time

This does not survive a reboot. Put the command in a startup file like "rc.local", or, more cleanly, set the equivalent sysctl key (net.ipv4.tcp_keepalive_time) in /etc/sysctl.conf so it is applied at boot.
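The /proc value is a system-wide default, and it only matters for sockets that have asked for keepalive. The following is an added example (not part of the FAQ) showing the per-socket side of that on Linux: it enables SO_KEEPALIVE on one connection and overrides the idle, interval and probe-count timers for that socket alone, reads back what the kernel accepted, and checks the idle timer against the 7200 s NAT timeout from the text. The option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are the Linux ones (macOS calls the idle timer TCP_KEEPALIVE, so the code falls back to None where a name is missing); the values 1800/60/5 are illustrative choices, and the loopback listener exists only so the example runs offline.

```python
"""Per-socket TCP keepalive on Linux (worked example, not from the FAQ)."""
import socket

# Idle timeout of the router's NAT table, in seconds (taken from the FAQ text).
NAT_IDLE_TIMEOUT = 7200

# Kernel-wide defaults; readable without root, writable only by root.
PROC_KEEPALIVE = {
    "idle": "/proc/sys/net/ipv4/tcp_keepalive_time",
    "interval": "/proc/sys/net/ipv4/tcp_keepalive_intvl",
    "count": "/proc/sys/net/ipv4/tcp_keepalive_probes",
}


def kernel_keepalive_defaults():
    """Read the system-wide keepalive timers; None for any file that is absent."""
    out = {}
    for name, path in PROC_KEEPALIVE.items():
        try:
            with open(path) as fh:
                out[name] = int(fh.read().strip())
        except (OSError, ValueError):
            out[name] = None
    return out


def _read_tcp_opt(sock, name):
    """getsockopt() for a TCP option that may not exist on this platform."""
    opt = getattr(socket, name, None)
    return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)


def enable_keepalive(sock, idle=1800, interval=60, count=5):
    """Turn keepalive on for one socket and override the kernel timers for it.

    Without SO_KEEPALIVE the kernel sends no probes on this socket at all,
    whatever /proc/sys/net/ipv4/tcp_keepalive_time says.  Returns the values
    the kernel reports back, so the caller sees what actually took effect.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return {
        "keepalive": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": _read_tcp_opt(sock, "TCP_KEEPIDLE"),
        "interval": _read_tcp_opt(sock, "TCP_KEEPINTVL"),
        "count": _read_tcp_opt(sock, "TCP_KEEPCNT"),
    }


def beats_nat_timeout(idle, nat_timeout=NAT_IDLE_TIMEOUT):
    """The first probe must leave before the NAT reaps the entry.

    Strictly less than: an idle timer equal to the NAT timeout races the
    reaper, which is exactly the Linux default (7200) against the BEFSR41.
    """
    return idle < nat_timeout


def demo():
    """Loopback round trip: listener and client on 127.0.0.1, keepalive on
    the client socket only.  Returns what the kernel reports for it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    try:
        settings = enable_keepalive(cli, idle=1800, interval=60, count=5)
        idle = settings["idle"]
        settings["beats_nat"] = None if idle is None else beats_nat_timeout(idle)
        return settings
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print("kernel defaults:", kernel_keepalive_defaults())
    print("client socket after enable_keepalive():", demo())
```

Running it prints the kernel-wide defaults (typically idle 7200, interval 75, count 9 on an untouched Linux box) next to the per-socket values, which is a quick way to confirm that an application's own settings, not the global ones, are what a particular connection will use.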

The second method depends on which client you use for your SSH or telnet connections. Since you really shouldn't be using telnet on the insecure Internet these days, let's just focus on SSH. The SSH protocol lets either side send messages that the peer must silently discard (SSH_MSG_IGNORE) or harmless requests it must answer, so a client can generate traffic inside the encrypted session to prevent idle timeouts. Because this runs inside the session it works even where TCP KeepAlive is unavailable or filtered, and it also notices a peer that has gone away. The various SSH clients differ in how well they support this.

Under Windows both PuTTY and SecureCRT have this support built in (in PuTTY it is the "seconds between keepalives" setting on the Connection panel). Under Unix/Linux, OpenSSH 3.8 and later has it built in as well: set ServerAliveInterval (seconds between requests) and ServerAliveCountMax (unanswered requests before the client gives up) in ~/.ssh/config or on the command line with -o; the server-side equivalents are ClientAliveInterval and ClientAliveCountMax in sshd_config. Only older OpenSSH clients need to be patched. The patch can be found at this URL (which also has more information about SSH clients and heartbeat/anti-idle support):

»www.sc.isc.tohoku.ac.jp/ ··· dog.html


by Smith_RS, edited by Johkal
last modified: 2015-03-29 09:13:04