ssh portforwarding hangs

I have forwarded some ports from/to my Raspberry Pi, placed behind a router with NAT and a dynamic IP, like this:

Code:
/usr/bin/ssh -24NTqf \
      -i /home/root/.ssh/rpi.rsa.key \
      -L 25:localhost:25 \
      -R *:8888:localhost:80 \
      -R *:22222:localhost:22 \
      someuser@myhost.tld &
Everything works just fine. For some time. After a couple of hours I can't connect to sshd or apache. The command shown above is still present in the ps output on the RPi, and sockstat shows that sshd on the RPi is listening on port 25, while sshd on the outer host is listening on ports 8888 and 22222. Everything looks just perfect, but no connections can be established.

After the hung ssh process is killed and a new one is launched, everything is OK. Until forwarding hangs again. Any clue, guys?
 
Most likely the connection is dropped at the router/firewall, after some time without traffic.

Check ClientAliveCountMax and ClientAliveInterval from sshd_config(5), also check for ServerAliveCountMax and ServerAliveInterval from ssh_config(5) to work around the problem.

EDIT: please disregard, that would apply to an established but unused connection, not your case, sorry for the noise.
 
But you are absolutely right! I've modified the ssh invocation like this:
Code:
/usr/bin/ssh -24NTqf \
      -i /home/root/.ssh/rpi.rsa.key \
      -L 25:localhost:25 \
      -R *:8888:localhost:80 \
      -R *:22222:localhost:22 \
      -o ServerAliveInterval=10 \
      someuser@myhost.tld &
and that works like a charm! At least 12 hours of inactivity and services are accessible without any problems!

Thanks a lot!
 
You probably want to set TCPKeepAlive to keep the connection active so the state doesn't time-out on the firewall. You can set this option in your ~/.ssh/config so every connection automatically uses it.
 
> But you are absolutely right!

At some point I confused the context: I was thinking of a server listening without active connections, but effectively there is an active connection between the ssh client in the background and the sshd server.

And that ultimately means I need to take a break! ;)
 
> You probably want to set TCPKeepAlive to keep the connection active so the state doesn't time-out on the firewall. You can set this option in your ~/.ssh/config so every connection automatically uses it.

The man page says that TCPKeepAlive is sent directly from the client host to the server, while ServerAlive is sent via the established ssh connection. And when ServerAliveCountMax keepalives are sent without an answer, the client resets the connection. Looks like that behaviour is preferable.
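
Added example, not part of the thread: a shell function that reads the output of `ssh -G <host>` (the effective client configuration, printed as lowercase "key value" lines) and reports whether the ServerAlive keepalives discussed above are on and how long an unresponsive server goes unnoticed. The function name `keepalive_audit` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# Real use:  ssh -G someuser@myhost.tld | keepalive_audit
# Exit status: 0 = ServerAlive probes enabled, 1 = only TCP-level keepalive.

keepalive_audit() {
    awk '
        $1 == "serveraliveinterval" { interval = $2 }
        $1 == "serveralivecountmax" { count = $2 }
        $1 == "tcpkeepalive"        { tcpka = $2 }
        END {
            # Fall back to the OpenSSH defaults if a key is missing.
            if (count == "") count = 3
            if (tcpka == "") tcpka = "yes"
            if (interval == "" || interval + 0 == 0) {
                # No probes inside the encrypted channel: a NAT/firewall
                # state timeout can leave the tunnel hung but still running.
                printf "WARN: ServerAliveInterval off; TCPKeepAlive=%s only\n", tcpka
                exit 1
            }
            # The client disconnects after `count` unanswered probes.
            printf "OK: probe every %ds, give up after %ds without reply\n",
                   interval, interval * count
        }'
}

# Constructed samples imitating `ssh -G` output.
SAMPLE_DEFAULT='serveraliveinterval 0
serveralivecountmax 3
tcpkeepalive yes'

SAMPLE_FIXED='serveraliveinterval 10
serveralivecountmax 3
tcpkeepalive yes'

printf '%s\n' "$SAMPLE_DEFAULT" | keepalive_audit || true
printf '%s\n' "$SAMPLE_FIXED"   | keepalive_audit
```

A non-zero exit status lets a wrapper script refuse to start a long-lived tunnel whose configuration has no ServerAlive probes.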
 