SRX Tips: Default application timeouts

It can be annoying if you are new to the SRX and your SSH session to the firewall keeps timing out. You can of course enable keepalives on your SSH client, or adjust the default SSH inactivity timeout on the SRX itself. First, let's see how to check the current timeout.

root@J200> start shell user root          
root@J200% vty fwdd


BSD platform (VMWare virtual processor, 428MB memory, 8192KB flash)

FLOWD_VSRX(srx220 vty)# show usp app-def tcp 
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=1800    <---Current is 1800
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800

Current SSH timeout is 1800 seconds. Let's make it 7200 seconds.

[edit]
root@J200# set applications application junos-ssh inactivity-timeout 7200 

[edit]
root@J200# commit and-quit 
commit complete
Exiting configuration mode

root@J200> start shell user root 
root@J200% vty fwdd
FLOWD_VSRX(srx220 vty)# show usp app-def tcp 
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=7200   <---New timeout is 7200 seconds.
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800

We have increased the SSH timeout on the firewall. You must log out and log back in to see the change, though, since it applies to sessions created after the commit. Let's check it!

root@J200> show security flow session destination-port 22    
Session ID: 13029, Policy name: self-traffic-policy/1, Timeout: 7200, Valid    <--- Timeout increased
  In: 192.168.4.100/54385 --> 192.168.4.3/22;tcp, If: ge-0/0/1.4, Pkts: 128, Bytes: 10873
  Out: 192.168.4.3/22 --> 192.168.4.100/54385;tcp, If: .local..0, Pkts: 357, Bytes: 52141

Yes, the timeout has increased to the new value we set.
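As an added example (not code from the post or from Juniper), here is a small Python helper that parses the `show usp app-def tcp` output shown above and the session summary line from `show security flow session`, so you can audit which predefined applications carry an inactivity timeout above a chosen limit and confirm that live sessions actually picked up the new value. The sample text is constructed to match the post's output; the function names and the 1800-second audit limit are my own choices.

```python
import re

# Constructed sample of `show usp app-def tcp` output (flowd vty shell),
# mirroring the lines in the post after the junos-ssh change was committed.
APP_DEF_OUTPUT = """\
tcp port=0, appl_name=junos-tcp-any, service type=0, alg id=0, timeout=1800
tcp port=21, appl_name=junos-ftp, service type=1, alg id=1, timeout=1800
tcp port=22, appl_name=junos-ssh, service type=22, alg id=0, timeout=7200
tcp port=23, appl_name=junos-telnet, service type=10, alg id=0, timeout=1800
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800
"""

# Constructed sample of `show security flow session destination-port 22`.
SESSION_OUTPUT = """\
Session ID: 13029, Policy name: self-traffic-policy/1, Timeout: 7200, Valid
  In: 192.168.4.100/54385 --> 192.168.4.3/22;tcp, If: ge-0/0/1.4, Pkts: 128, Bytes: 10873
  Out: 192.168.4.3/22 --> 192.168.4.100/54385;tcp, If: .local..0, Pkts: 357, Bytes: 52141
"""

APP_DEF_RE = re.compile(
    r"^(?P<proto>tcp|udp) port=(?P<port>\d+), appl_name=(?P<name>\S+), "
    r"service type=(?P<svc>\d+), alg id=(?P<alg>\d+), timeout=(?P<timeout>\d+)$"
)

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)$"
)


def parse_app_defs(text):
    """Turn each app-def line into a dict; raise on lines we do not understand."""
    apps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = APP_DEF_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised app-def line: {line!r}")
        apps.append({
            "proto": m["proto"],
            "port": int(m["port"]),
            "name": m["name"],
            "service_type": int(m["svc"]),
            "alg_id": int(m["alg"]),
            "timeout": int(m["timeout"]),
        })
    return apps


def timeout_for(apps, name):
    """Inactivity timeout (seconds) for a named application, or None if absent."""
    for app in apps:
        if app["name"] == name:
            return app["timeout"]
    return None


def timeouts_over(apps, limit_seconds):
    """(name, timeout) pairs whose idle timeout exceeds the audit limit, sorted by name.
    Long idle timeouts keep entries in the session table longer, so this is the
    list a reviewer would want to justify."""
    hits = [(a["name"], a["timeout"]) for a in apps if a["timeout"] > limit_seconds]
    return sorted(hits)


def parse_sessions(text):
    """(session_id, timeout) for each session summary line; In/Out lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append((int(m["sid"]), int(m["timeout"])))
    return sessions


def sessions_not_at(sessions, expected_timeout):
    """Session IDs still carrying a timeout other than the expected one, e.g. sessions
    established before the commit that have not been re-created yet."""
    return [sid for sid, timeout in sessions if timeout != expected_timeout]


if __name__ == "__main__":
    apps = parse_app_defs(APP_DEF_OUTPUT)
    print("junos-ssh timeout:", timeout_for(apps, "junos-ssh"))
    print("over 1800s:", timeouts_over(apps, 1800))
    print("sessions not at 7200s:", sessions_not_at(parse_sessions(SESSION_OUTPUT), 7200))
```

Run it against real output by pasting the vty and CLI text into the two sample strings (or reading them from files); a non-empty result from `sessions_not_at` after the change means those sessions predate the commit and will only show the new timeout once re-established.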

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “SRX Tips: Default application timeouts”

  1. This doesn’t work on an SRX300 running JUNOS 15.1X49-D70.3
    “error: cannot use reserved identifier: junos-ssh”
