How to stop idle timeout

User51642 Yong Huang

Putty ssh connection to the Exadata compute node always times out after some time. First I found /etc/profile had TMOUT=14400 so I commented that out. Then I experimented with

ClientAliveInterval 600

ClientAliveCountMax 3

in /etc/ssh/sshd_config with various values or commented both lines out, followed by `systemctl restart sshd'. New sessions still time out. There's nothing relevant in /etc/ssh/ssh_config, nor anything in ~/.ssh. `echo $TMOUT' shows nothing. What could be causing this idle timeout? My Putty windows to other, non-Exadata servers don't time out.

andy.colvin

In that case, there may be a network firewall closing the connection.  If you want to test it and have a utility like screen on the compute node, you could launch a screen, connect to another node in the cluster over SSH, then detach and check it 6-8 hours later to see if it's still open. 

andy.colvin

You can check the SSH server's idle timeout settings by using the host_access_control script in /opt/oracle.cellos.  To see the existing values, run:

/opt/oracle.cellos/host_access_control idle-timeout -s

Here's my Exadata X4-2 running 19.2.10.0.0.200130:

[[email protected] ~]# /opt/oracle.cellos/host_access_control idle-timeout -s

[2020-05-29 11:41:32 -0500] [INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=14400

[2020-05-29 11:41:32 -0500] [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 600

You can modify the client timeout or the shell idle timeout (value in seconds) with the -c and -l switches, respectively.  For example, to change the client timeout to 86400 (24 hours) and the shell timeout to 28800 (8 hours), you would run the following:

/opt/oracle.cellos/host_access_control idle-timeout -c 86400 -l 28800

The command should print out your new settings and note that the changes only take effect for new connections.  If you still run in to issues, check to see if there's a firewall in place on the network that is closing idle connections.

User51642 Yong Huang

Thanks Andy. Here's what I just did:

[[email protected] ~]# /opt/oracle.cellos/host_access_control idle-timeout -s

[2020-05-29 12:15:05 -0500] [INFO] [IMG-SEC-0401] Idle timeout parameter is not set: Shell idle timeout

[2020-05-29 12:15:05 -0500] [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 60000

[[email protected] ~]# /opt/oracle.cellos/host_access_control idle-timeout -c 86400 -l 28800

[2020-05-29 12:17:32 -0500] [INFO] [IMG-SEC-0403] SSH client idle timeout is set to 86400

[2020-05-29 12:17:32 -0500] [INFO] [IMG-SEC-0A02] SSHD Service restarted. Changes in effect for new connections.

[2020-05-29 12:17:32 -0500] [INFO] [IMG-SEC-0404] Shell timeout set to 28800

[[email protected] ~]# /opt/oracle.cellos/host_access_control idle-timeout -s

[2020-05-29 12:17:48 -0500] [INFO] [IMG-SEC-0402] Shell timeout is set to TMOUT=28800

[2020-05-29 12:17:48 -0500] [INFO] [IMG-SEC-0403] SSH client idle timeout is set to ClientAliveInterval 86400

I logged out and logged back in. It still timed out, after (I'm guessing) about 2 hours of being idle.

andy.colvin

In that case, there may be a network firewall closing the connection.  If you want to test it and have a utility like screen on the compute node, you could launch a screen, connect to another node in the cluster over SSH, then detach and check it 6-8 hours later to see if it's still open. 

SPA09

Hi

you need to do the following on the Server.

# vi /etc/ssh/sshd_config

ClientAliveInterval 86400

systemctl restart sshd.service

After the change restart the ssh daemon

regards

User51642 Yong Huang

Thanks Andy. I think you're right. There must be a network firewall, possibly our VPN. We work from home these days. The firewall disconnects the idle ssh session, but only for these Exadata servers, not any other Oracle server. That's something we'll talk to the network team about.

There's no firewall running on the server itself, checked by commands like

firewall-cmd --state

systemctl status firewalld

iptables -L