Prevent Constant Timeouts with SSH and SFTP

How to prevent constant connection issues with SSH and SFTP when you are behind a NAT firewall.

3189 views
d

By. Jacob

Edited: 2019-12-15 12:19

Timeouts with SSH and SFTP.

There is quite an annoying problem with both ssh and SFTP (SSH File Transfer Protocol) connections dropping constantly, this is especially annoying when connecting via SFTP in FileZilla, since, typically, network timeouts is extremely long which causes a delay of several seconds before reconnecting.

I do not know if there is a technical reason for timeouts to be so long, now that many of us have very fast and stable internet connections. Probably, there is still some use for long timeouts, such as when on bad WiFi—so I do not recommend lowering it too much.

Apparently the problem with dropped connections happens due to routers and firewalls dropping idle connections. This means that even your home router could be the cause of the problem. This might also help explain why I have not had this problem before, until very recently, where it starting to get really bad. I actually thought it was an issue with FileZilla at some point.

1. In order to fix the problem, I SSH'ed into my server and modified a configuration file, first we have the /etc/ssh/sshd_config file:

ClientAliveInterval 100
ClientAliveCountMax 3

These options will cause the server to "probe" the client every 100th second in order to keep the connection alive. Setting this on the server-side has the advantage that it works for all clients connecting to the server.

2. After changing the configuration file, sshd will need to be re-started:

service sshd restart

Client configuration

1. Alternatively, we could also edit the /etc/ssh/ssh_config file on our local system, adding the following:

ServerAliveInterval 100
ServerAliveCountMax 3

The above will instruct the SSH client to send a type of "keep alive" package after the client has been inactive for 100 seconds. It will try to send a package 3 times before the connection in finally dropped.

We probably need to use both ClientAliveInterval and ServerAliveInterval, but I have not tested this personally. Probably the settings are controlled by the server entirely, so you need to change these settings on the server-side.

Note. The alive messages will be sent through the encrypted channel, so it will not be spoofable.

The sad details

First I suspected this was a configuration problem, but I later learned it can be caused by a NAT firewall dropping idle connections.

It happened mostly when transferring files to the server hosting the Beamtic websites. But, it also happened when SSH'ing into the server. Typically, I would leave the SSH'ed terminal open for a few minutes while attending other matters, only to return later to find a frozen terminal window. I had to literally close the terminal Windows and re-connect in a new terminal. Similarly, FileZilla would constantly struggle with nasty timeout (about 20 seconds), and I would have to close the tab to re-connect.

FileZilla would give me no indication that the connection was lost until I tried navigating, at which point it would lag for 20 seconds before reconnecting (the default timeout).

I also had this issue, once FileZilla tried re-connecting by itself, it would fail, but not so when I manually closed the tab and re-connected. Very strange.

Tell us what you think:

  1. Understanding file permissions in Unix / Linux based systems, and how to make files immutable.
  2. In this article I will explain how to enable a swapfile on small instances, and why it might be useful, even if you do have enough physical memory.
  3. How to determine an optimal value for pm.max_children and related php-fpm settings for your server and web applications.
  4. Tutorial showing how to configure a VirtualBox Guest VM with HOST-only and NAT adapter, while using the WWW folder from the HOST OS.
  5. You may have wondered what the /etc/php/8.0/conf.d/ directory is for in Debian and Ubuntu, and whether it is better to edit the conf.d files than editing php.ini directly; find out in this Tutorial.

More in: Linux servers