Operating System - HP-UX

Telnet session timeout through a VPN static tunnel.

 
SOLVED
Dee_3
Regular Advisor

Telnet session timeout through a VPN static tunnel.

I have users that telnet to an L1000 system through a VPN static tunnel. If these sessions are left idle, they time out in 1 hour. I've checked the TCP keepalive timer and it's set at 2 hours. Where is the 1 hour timeout coming from? I would like to keep these sessions open longer. What else can I do on the Unix side? Thanks.
11 REPLIES
A. Clay Stephenson
Acclaimed Contributor

Re: Telnet session timeout through a VPN static tunnel.

Hi Terri:

It may be very simple if the TMOUT environment variable is set. Log in as one of these users and echo $TMOUT; if it is non-zero, that is your puppy. However, I suspect that this is actually a parameter in your router that disconnects after a connection is idle for some period of time. If your network administrator can't help, then a possible workaround is to have your server send a single ping to the remote router periodically.

Clay
If it ain't broke, I can fix that.
Dee_3
Regular Advisor

Re: Telnet session timeout through a VPN static tunnel.

Clay-
I checked the echo $TMOUT and it is 0. Can I send a single ping to the remote router from my L1000? Thank you.
Dee_3
Regular Advisor

Re: Telnet session timeout through a VPN static tunnel.

Clay-
Sorry, that was silly. I know that I can ping. But, are you suggesting some type of ping script that I run periodically to test for response from the router (or cron)? Sorry, I am newer to networking. The router side of things is saying that they are not causing the timeouts. So I was asked to look at the HP-UX side to help with this. Thanks.
A. Clay Stephenson
Acclaimed Contributor

Re: Telnet session timeout through a VPN static tunnel.

Hi Terri:

I assume that none of your local connections kick you off after 2 hours. If that is the case, it has to be an idle timer in the router(s). At least as a temporary workaround, I suggest you cron a single ping to the remote router every 15 minutes or so.
If it ain't broke, I can fix that.
Eugen Cocalea
Respected Contributor

Re: Telnet session timeout through a VPN static tunnel.

Hi,

I am not sure about this but did you check the PAM limits? Maybe on the server it is set that the users can't idle more than one hour.

Sending a ping from time to time won't help because there are different tcp connections, the telnet and the ping. Correct me if I'm wrong.

E.
To Live Is To Learn
A. Clay Stephenson
Acclaimed Contributor

Re: Telnet session timeout through a VPN static tunnel.

Hi Terri:

I was reading something into this that you actually didn't say. I envisioned your network to be a local office with a VPN to a branch office with routers in between for the VPN. That's the configuration we use for a couple of offices. However, I suspect that what you actually have is individual PC clients connecting through a VPN product (possibly Checkpoint?) installed on your UNIX server.
In that case you can't ping the remote router but you could ping the PC. I would now look for an idle timeout setting in the VPN software. If you tell us a bit more about your VPN setup, I suspect we can get to the bottom of this.

Regards, Clay
If it ain't broke, I can fix that.
Dee_3
Regular Advisor

Re: Telnet session timeout through a VPN static tunnel.

Hi-
Sorry for the delay. I was checking with my network experts. I really appreciate your responses. What we have here is a gateway VPN, where there is a Cisco router on each side doing the encrypting. My PC clients and HP system are attached to a hub attached to the Ciscos. Yesterday and this morning, the network folks tried doing a ping test, but the connection did still drop. And, I don't have PAM on my system at this time. I'm not familiar with PAM though. Any further ideas would be greatly appreciated. Thanks for the great info so far. Terri.
Eugen Cocalea
Respected Contributor

Re: Telnet session timeout through a VPN static tunnel.

Hi,

As I said, ping was not the solution from the start since, even if it is from somewhere in the middle (between the client and the server), a separate connection won't 'unidle' the first one.

Well, digging deeper into this, I've found some interesting man pages.

For instance, see 'man getty'.

I could find two workarounds for this:

1. As a matter of fact, this one was found by the users of one of my servers at school (damn students! :) ) where I enforced a 30-minute timeout. They left a process that from time to time 'unidled' the terminal. For instance, you can use a script that launches itself every 30 minutes (using at) that refreshes the idle time of the terminal.

2. Look in your /etc/inittab. There should be certain lines that set the terminal discipline. First, look at the man page of 'getty'. You can define there a timeout which, if reached, will disconnect the terminal.

Well, I am being a bit confusing here, but I suppose that if all pseudo-terminals are initialized with

getty -t 7200

(well, put the other needed options there), you will at least be sure that it is not the server side that is causing you problems.

Try it, and if you answer in 1h and some minutes, I will know it didn't work :)

E.
To Live Is To Learn
Dee_3
Regular Advisor

Re: Telnet session timeout through a VPN static tunnel.

I am 'on hold' at this time awaiting analysis of a nettl trace file by my network experts. I greatly appreciate the help up to this point. Depending on their determinations, I will look at the options you have offered. Thanks again. Terri.
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Telnet session timeout through a VPN static tunnel.

Hi Terri:

It sounds as though you are using a Cisco PIX Firewall for your VPN. There is a parameter that needs to be looked at:

TIMEOUT XLATE HH:MM:SS CONN HH:MM:SS
(Timeout for translate and idle connections).

The pings may or may not keep a link up depending on whether pings have been defined as 'interesting' traffic.

If it ain't broke, I can fix that.
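
Added example, not part of the original thread or written by any poster: a small shell check that compares a host TCP keepalive interval with the CONN value from a timeout line of the form quoted above, to show which idle timer expires first. The function names and the sample timeout line are constructed for illustration; the 2-hour keepalive is the value reported in the question.

```shell
#!/bin/sh
# Added illustration: which idle timer expires first, the host's TCP
# keepalive interval or the firewall's CONN idle timeout?

# Print the CONN timeout (in seconds) found in a line such as
# "timeout xlate HH:MM:SS conn HH:MM:SS". Returns 1 if none is present.
conn_timeout_seconds() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if (tolower($i) == "conn") {
                    n = split($(i + 1), t, ":")
                    if (n == 3) {
                        print t[1] * 3600 + t[2] * 60 + t[3]
                        found = 1
                    }
                    exit
                }
            }
        }
        END { exit !found }'
}

# $1: keepalive interval in milliseconds (the unit HP-UX ndd reports for
#     tcp_keepalive_interval); $2: the firewall timeout line.
# Keepalive probes travel on the telnet connection itself, unlike a
# separate ping, but a probe can only refresh the firewall's idle timer
# if it is sent before that timer expires.
idle_verdict() {
    keepalive_s=$(( $1 / 1000 ))
    conn_s=$(conn_timeout_seconds "$2") || { echo "unknown"; return 2; }
    if [ "$keepalive_s" -lt "$conn_s" ]; then
        echo "keepalive-first"   # probes go out before the idle timer ends
    else
        echo "firewall-first"    # connection is dropped before any probe
    fi
}

# Constructed sample: 2-hour keepalive against a 1-hour CONN timeout.
idle_verdict 7200000 "timeout xlate 3:00:00 conn 1:00:00"
```

With the thread's numbers the result is `firewall-first`, which matches the symptom: the session is dropped at one hour, before the two-hour keepalive ever sends a probe.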
Dee_3
Regular Advisor

Re: Telnet session timeout through a VPN static tunnel.

Clay-
Thanks so much for the information. The network folks finally found that the timeout was coming from the Cisco. They tested telnet to another Cisco vs. my HP-UX box and it still timed out in the hour. The info you gave was helpful; they were attempting to adapt it for our setup. Thanks again for the help. Terri Christensen.