# ssh portforwarding hangs



## DeadLoco (Oct 15, 2016)

I have forwarded some ports from/to my Raspberry Pi, which sits behind a router with NAT and a dynamic IP, like this:


```
/usr/bin/ssh -24NTqf \
      -i /home/root/.ssh/rpi.rsa.key \
      -L 25:localhost:25 \
      -R *:8888:localhost:80 \
      -R *:22222:localhost:22 \
      someuser@myhost.tld &
```
Everything works just fine. For some time. After a couple of hours I can't connect to `sshd` or `apache`. The command shown above is still present in the `ps` output on the RPi, and `sockstat` shows that sshd on the RPi is listening on port 25, while sshd on the outer host is listening on ports 8888 and 22222. Everything looks just perfect, but no connections can be established.

After the hung ssh process is killed and a new one is launched, everything is OK. Until the forwarding hangs again. Any clue, guys?


----------



## ASX (Oct 16, 2016)

Most likely the connection is dropped at the router/firewall after some time without traffic.

Check ClientAliveCountMax and ClientAliveInterval from sshd_config(5), also check for ServerAliveCountMax and ServerAliveInterval from ssh_config(5) to work around the problem.

EDIT: please disregard, that would apply to an established but unused connection, not your case, sorry for the noise.


----------



## DeadLoco (Oct 17, 2016)

But you are absolutely right! I've modified the ssh invocation like this:

```
/usr/bin/ssh -24NTqf \
      -i /home/root/.ssh/rpi.rsa.key \
      -L 25:localhost:25 \
      -R *:8888:localhost:80 \
      -R *:22222:localhost:22 \
      -o ServerAliveInterval=10 \
      someuser@myhost.tld &
```
and that works like a charm! At least 12 hours of inactivity and services are accessible without any problems!

Thanks a lot!


----------



## SirDice (Oct 17, 2016)

You probably want to set TCPKeepAlive to keep the connection active so the state doesn't time-out on the firewall. You can set this option in your ~/.ssh/config so every connection automatically uses it.


----------



## ASX (Oct 17, 2016)

DeadLoco said:


> But you are absolutely right!


At some point I confused the context: I was thinking of a server listening without active connections, but effectively there is an active connection between the ssh client in the background and the sshd server.

And that ultimately means I need to take a break!


----------



## DeadLoco (Oct 17, 2016)

SirDice said:


> You probably want to set TCPKeepAlive to keep the connection active so the state doesn't time-out on the firewall. You can set this option in your ~/.ssh/config so every connection automatically uses it.


The man page says that `TCPKeepAlive` is sent directly from the client host to the server, while `ServerAlive` is sent via the established ssh connection. And when `ServerAliveCountMax` keepalives are sent without an answer, the client resets the connection. Looks like that behaviour is preferable.


----------
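The last post notes that with `ServerAlive` the client resets the connection after `ServerAliveCountMax` unanswered probes, so something has to start the tunnel again once that happens. The script below is an added example, not code from any poster in the thread: it reuses the forwards, key path and host from the posts, while `SSH_BIN`, the function names, the restart policy and the use of `ExitOnForwardFailure` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Key path, forwards and host are copied
# from the posts above; SSH_BIN, the function names and the restart policy
# are assumptions of this sketch.
SSH_BIN=${SSH_BIN:-/usr/bin/ssh}

# Worst case, in seconds, before ssh gives up on a silent path and exits:
# ServerAliveInterval x ServerAliveCountMax.
dead_peer_timeout() { echo $(( $1 * $2 )); }

# One tunnel, kept in the foreground. Unlike the post: no -f (the loop must
# see ssh exit), no -q (keep errors on stderr), no -2 (only protocol 2 is left).
# ExitOnForwardFailure makes ssh exit instead of idling without its forwards,
# e.g. while a stale session on the server still holds 8888/22222.
# $1 = ServerAliveInterval, $2 = ServerAliveCountMax
run_tunnel() {
    "$SSH_BIN" -4NT \
        -i /home/root/.ssh/rpi.rsa.key \
        -o ServerAliveInterval="$1" \
        -o ServerAliveCountMax="$2" \
        -o ExitOnForwardFailure=yes \
        -L 25:localhost:25 \
        -R '*:8888:localhost:80' \
        -R '*:22222:localhost:22' \
        someuser@myhost.tld
}

# Restart the tunnel each time ssh exits.
# $3 = seconds to wait between attempts, $4 = max attempts (0 = no limit).
# Prints the number of attempts made.
supervise() {
    attempts=0
    while [ "$4" -eq 0 ] || [ "$attempts" -lt "$4" ]; do
        attempts=$(( attempts + 1 ))
        run_tunnel "$1" "$2" || echo "ssh exited with status $?" >&2
        sleep "$3"
    done
    echo "$attempts"
}

# "sh tunnel.sh run": probe every 10 s, give up after 3 misses, retry in 5 s.
if [ "${1:-}" = run ]; then
    echo "dead path detected within $(dead_peer_timeout 10 3) s" >&2
    supervise 10 3 5 0 >/dev/null
fi
```

Setting `ClientAliveInterval` and `ClientAliveCountMax` in sshd_config(5) on the outer host, as mentioned earlier in the thread, lets the server drop its half of a dead session too, which frees the remote ports for the restarted tunnel.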

