Spectrum OneClick SSH Timeout

Last activity 06-13-2019 10:07 AM
By: Edi_
08-03-2016 09:11 AM

I have noticed that the 10.1 version is too aggressive with the SSH timeout: only 60 sec and then the session is lost. We use this feature a lot as a central management, but if you have to do several parallel changes, then the session is lost. Is it possible to increase the timeout of the SSH client?


Comments

08-04-2016 07:24 AM

"it appears that there is no way to change the default keepalive for SSH"

That's for a keepalive, not for a timeout. Keepalive ensures that the session isn't terminated by the SSH server. The fact that CA support refers to a keepalive as a timeout is confusing, unless they mean that every X seconds a timeout is reached which causes a keepalive message to be sent.

I performed a Wireshark capture in my environment and have confirmed that the 60 seconds is a keepalive sent from the client to the server. Since this is the case, you should configure the SSH timeout for your SSH servers to be larger than the Spectrum SSH keepalive. For example, if your device is configured to time out after 120 seconds of idle time (in Cisco IOS this would appear as "ip ssh timeout 120" on the vty), the keepalive configured for the client must be less than 120 seconds to ensure that the device doesn't recognize the session as idle.

Sending a keepalive every 60 seconds is only an issue if your policy demands that an idle SSH session must be terminated within a minute.

08-04-2016 05:48 AM

Maybe you should request to have the possibility to specify the timeout value for a session as an attribute for either the NCM family or the device itself? It would be better than having it hardcoded.

08-04-2016 05:35 AM

Hi lilah,

Thanks for your notes, but I can assure you that this is not the case, since I do not have the problem when I SSH directly to the devices from my own client. This is the official statement from CA Support, and that is the reason why I raised this idea.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

it appears that there is no way to change the default keepalive for SSH, and it will time out after 1 min. This has been asked by other customers in the past and as the result of an investigation by our Engineering (swbug020959), it appears that there is no option to change this. If you are interested in adding this feature, I would encourage an Enhancement Request.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

08-04-2016 05:09 AM

Hi Edi,

SSH timeouts are dictated by the server (namely your devices, and not the CA assurance server). If your NCM issues are due to SSH timeouts and not DCM timeouts, you should increase the SSH timeout for your managed devices.

Since you're using SSH/SCP and not SNMP/TFTP, DCM timeouts shouldn't affect you.

It would be surprising if the SSH server had an open session for 60 seconds without any input from your ncmservice. To test if SSH timeout is to blame, try to remove the SSH timeout on a subset of devices and see if that helps. Otherwise, read on.

For my 9.4.x installation I had to perform changes to the ncmprops file. This helped me in the past with certain NCM issues, mostly timeout based, but this may be version specific. I'd check with CA support first.

Configuring ncmprops: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1264928.aspx

Even if ncmprops doesn't solve your problems, you can easily roll back by deleting the file and killing ncmservice.