WaverleyLabs / fwknop

Client and Gateway Modules for Software Defined Perimeter (SDP)
GNU General Public License v2.0

SDP Client more 30 seconds access timeout #2

Open Joncheski opened 6 years ago

Joncheski commented 6 years ago

Dear, I want the SDP Client to have a session open for more than 30 seconds. I tried to make a change to the SDP Gateway in the file access.conf, but there are no changes. Will you be able to tell me which configurations I need to change, and where, to increase the client's session time?

    SPA Field Values:
    =================
    Random Value: 1319806268186699
    SDP Client ID: 55564
    Username: root
    Timestamp: 1532524149
    FKO Version: 2.0.2
    Message Type: 1 (Service access msg)
    Message String: 192.168.218.2,2
    Nat Access:
    Server Auth:
    Client Timeout: 0
    Digest Type: 3 (SHA256)
    HMAC Type: 3 (SHA256)
    Encryption Type: 1 (Rijndael)
    Encryption Mode: 2 (CBC)
    Disable SDP Mode: 0 (SDP Mode Enabled)
    Encoded SDP ID: DNkAAA
    Encoded Data: 1319806268186699:1532524149:1:MTkyLjE2OC4yMTguMiwy
    SPA Data Digest: DVwDkql2vADS7Bm4ve7YoGeEFOvGBBZU12JTUNMkbAA
    HMAC: nEe3cdJ/0TCSeEOIeEwROdAMHmaJ/DR6K9/gEKREOKo
    Final SPA Data: DNkAAA9KfSeZDAT5EXDbxoUc1OE1pyJIts+qMYdHfr78Ph2J1tJoX5xG1MobUTgF1IVpzhY+kC9AxLPi73dG5NFipV8A0/iJGJ3LATZHmP9kFkuRG43hGDgjLP616WSQPncdNi7vu8z6a8DkCgnEe3cdJ/0TCSeEOIeEwROdAMHmaJ/DR6K9/gEKREOKo

    Generating SPA packet:
        protocol: udp
        source port:
        destination port: 62201
        IP/host: 192.168.82.156
    (sdp_com.c:590) Starting connection attempt 1
    (sdp_com.c:371) Connected with ECDHE-RSA-AES128-GCM-SHA256 encryption
    (sdp_com.c:703) Server certificates:
    (sdp_com.c:705) Subject: /O=####/CN=####
    (sdp_com.c:708) Issuer: /O=####/CN=####
    (sdp_ctrl_client.c:627) Credentials-good message received
    (sdp_message.c:258) Received credential update message
    (sdp_ctrl_client.c:637) Credential update received
    (sdp_ctrl_client.c:1960) All new credentials stored successfully
    (sdp_ctrl_client.c:1562) SDP Control Client Exiting
    SDP ctrl client ran successfully
    send_spa_packet: bytes sent: 189

Best regards, Goce Joncheski
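The dump above shows what actually leaves the client: a cleartext 6-character encoded SDP ID, the Rijndael/CBC ciphertext, and a 43-character SHA-256 HMAC, 189 bytes in total. The script below is an added example (not fwknop or WaverleyLabs code) that pulls the posted packet apart and checks it against the "bytes sent: 189" line. It assumes, as in stock fwknop, that the SDP ID is a little-endian 32-bit integer, that base64 fields have their `=` padding stripped, that the client drops the leading `U2FsdGVkX1` (base64 of `Salted__`) from the ciphertext before sending, and that the encrypted plaintext is the encoded data plus `:` plus the digest, PKCS#7-padded; those are assumptions about this fork, labelled as such in the comments.

```python
"""Pull apart the SPA packet dumped in the issue above.

Added example, not code from the fwknop / SDP project.
"""
import base64
import struct

# Constructed input: the values copied verbatim from the SPA field dump above.
FINAL_SPA_DATA = (
    "DNkAAA9KfSeZDAT5EXDbxoUc1OE1pyJIts+qMYdHfr78Ph2J1tJoX5xG1MobUTgF1IVpzhY+"
    "kC9AxLPi73dG5NFipV8A0/iJGJ3LATZHmP9kFkuRG43hGDgjLP616WSQPncdNi7vu8z6a8Dk"
    "CgnEe3cdJ/0TCSeEOIeEwROdAMHmaJ/DR6K9/gEKREOKo"
)
ENCODED_DATA = "1319806268186699:1532524149:1:MTkyLjE2OC4yMTguMiwy"
BYTES_SENT = 189

# ASSUMPTION (stock fwknop behaviour, assumed to hold in this fork): the client
# strips the fixed base64 prefix of the OpenSSL-style "Salted__" header from
# the ciphertext and the gateway puts it back before decrypting.
B64_SALT_PREFIX = "U2FsdGVkX1"
SDP_ID_B64_LEN = 6     # 4-byte ID -> 8 base64 chars, minus the "==" padding
SHA256_B64_LEN = 43    # 32-byte digest/HMAC -> 44 base64 chars, minus "="
SALT_HEADER_LEN = 16   # "Salted__" + 8-byte salt
BLOCK_LEN = 16         # Rijndael/CBC block size


def b64decode_unpadded(field: str) -> bytes:
    """fwknop strips '=' padding from base64 fields; restore it to decode."""
    return base64.b64decode(field + "=" * (-len(field) % 4))


def split_spa(final: str) -> dict:
    """Split the on-wire packet into SDP ID, ciphertext and HMAC.

    Only the SDP ID is readable without keys; note that it travels in clear.
    """
    if len(final) <= SDP_ID_B64_LEN + SHA256_B64_LEN:
        raise ValueError("packet too short to hold SDP ID, ciphertext and HMAC")
    # ASSUMPTION: the ID is encoded as a little-endian unsigned 32-bit integer;
    # "DNkAAA" decodes to bytes 0c d9 00 00, i.e. 0xD90C == 55564.
    sdp_id = struct.unpack("<I", b64decode_unpadded(final[:SDP_ID_B64_LEN]))[0]
    return {
        "sdp_id": sdp_id,
        "ciphertext_b64": final[SDP_ID_B64_LEN:-SHA256_B64_LEN],
        "hmac_b64": final[-SHA256_B64_LEN:],
    }


def parse_encoded_data(encoded: str) -> dict:
    """Parse the plaintext 'Encoded Data' shown in the dump (rand:ts:type:msg).

    No client timeout field is present in this message type; the dump's
    'Client Timeout: 0' matches that.
    """
    rand, ts, msg_type, msg_b64 = encoded.split(":", 3)
    return {
        "random": rand,
        "timestamp": int(ts),
        "message_type": int(msg_type),
        "message": b64decode_unpadded(msg_b64).decode("ascii"),
    }


def ciphertext_len(ciphertext_b64: str) -> int:
    """Real ciphertext length in bytes once the stripped salt prefix is restored."""
    return len(b64decode_unpadded(B64_SALT_PREFIX + ciphertext_b64))


def expected_ciphertext_len(encoded: str) -> int:
    """Length the ciphertext should have if plaintext = encoded ':' digest.

    ASSUMPTION: PKCS#7 padding (always adds at least one byte) and the
    16-byte salt header, as in stock fwknop.
    """
    plaintext_len = len(encoded) + 1 + SHA256_B64_LEN
    padded_len = (plaintext_len // BLOCK_LEN + 1) * BLOCK_LEN
    return SALT_HEADER_LEN + padded_len


def consistent(final: str, encoded: str, bytes_sent: int) -> bool:
    """True when the posted dump, packet and byte count all agree."""
    parts = split_spa(final)
    return (
        len(final) == bytes_sent
        and ciphertext_len(parts["ciphertext_b64"]) == expected_ciphertext_len(encoded)
        and ciphertext_len(parts["ciphertext_b64"]) % BLOCK_LEN == 0
    )


if __name__ == "__main__":
    parts = split_spa(FINAL_SPA_DATA)
    print("SDP ID (cleartext on the wire):", parts["sdp_id"])
    print("ciphertext bytes:", ciphertext_len(parts["ciphertext_b64"]))
    print("encoded fields:", parse_encoded_data(ENCODED_DATA))
    print("dump consistent with bytes sent:", consistent(FINAL_SPA_DATA, ENCODED_DATA, BYTES_SENT))
```

The 50-character encoded data plus `:` and a 43-character digest is 94 bytes, padded to 96, plus the 16-byte salt header gives 112 bytes, which is exactly what the 140 base64 characters between the SDP ID and the HMAC decode to once the prefix is restored. The HMAC and digest themselves cannot be checked here because the keys are not on the page.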

hydrolucid commented 6 years ago

Just to make sure I understand your question, are you referring to the firewall timeout that closes a port on the gateway 30 seconds after the client sends a SPA packet?

hydrolucid commented 6 years ago

Assuming you are referring to the gateway/server closing an opened port after 30 seconds, I want to point out a couple items:

  1. If the client device connects to a service through that open port, the port can be closed without interrupting the service. This works in cases like ssh connections. It does get a little trickier with HTTP, but see 2.
  2. With HTTP, the server is often configured by default not to reuse TCP connections, so each HTTP request from a browser creates a new TCP connection. This means that after the firewall port is closed, the next request looks like a totally new TCP connection and is rejected. BUT, you can configure the HTTP server to reuse connections, and you can also set a timeout. In our testing, we usually set up the HTTP server to time out after 10 minutes. This means that as long as the user on the client performs some sort of HTTP request every 10 minutes, the connection does not time out, and access is maintained long after the firewall port is closed. See here for information on configuring these features on Apache.

Back to your original question. Our version of SDP does not use access.conf by default, because the gateway now gets its access data from the controller instead. Unfortunately, we did not get around to making an equivalent configuration parameter to change the timeout on the controller and pass this parameter to the gateway, so it currently can only use the default timeout coded on the gateway. You can change the default and recompile the gateway code. The line of code to change is here.

Joncheski commented 6 years ago

Exactly, that was my question. After sending a SPA packet to the SDP Gateway, it has an open access port for only 30 seconds. And I found in the code where to change the default of those 30 seconds, but for each change you need to re-deploy the entire Gateway. Is there any other solution than re-deploying, when it cannot be taken from a configuration file? I use nginx as a proxy. But after those 30 seconds there is no data flow and all packets and sessions are closed.
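hydrolucid's point 2 describes the Apache settings (`KeepAlive On`, `KeepAliveTimeout` raised to ten minutes, `MaxKeepAliveRequests` raised or set to 0 for unlimited); Joncheski runs nginx in front of the service, where the equivalents are `keepalive_timeout` and `keepalive_requests`. The server block below is an added example, not configuration from the fwknop/SDP project; the server name, certificate paths and upstream address are placeholders, and the 10-minute value is the one hydrolucid reports using in testing.

```nginx
# Added example: nginx in front of a service published through an SDP gateway.
# Not from the fwknop/SDP project; names, paths and upstream are placeholders.
server {
    listen 443 ssl;
    server_name service.example.internal;          # placeholder
    ssl_certificate     /etc/nginx/tls/service.crt; # placeholder
    ssl_certificate_key /etc/nginx/tls/service.key; # placeholder

    # Weak setting: the nginx default is 75s. A browser tab that sits idle
    # longer than the SPA hole in the gateway firewall (30 s by default) then
    # opens a fresh TCP connection for its next request, and the closed port
    # drops it.
    # keepalive_timeout 75s;

    # Keep the accepted client connection alive for 10 minutes of idle time and
    # advertise that value in the Keep-Alive response header (second argument),
    # so each request inside that window reuses the connection the gateway's
    # conntrack table already treats as ESTABLISHED.
    keepalive_timeout 600s 600s;
    keepalive_requests 10000;   # do not close a reused connection early

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

Two caveats before relying on this. First, the client has to cooperate: browsers apply their own idle limits to pooled connections, and command-line tools such as curl open a new TCP connection per invocation, so they will be blocked after the hole closes regardless of what the server allows; TLS session resumption does not help either, since it still needs a new TCP connection. Second, this only works because the gateway keeps accepting packets for already-established flows after the SPA rule is removed (hydrolucid's point 1); Linux conntrack's idle timeout for established TCP (nf_conntrack_tcp_timeout_established, 432000 seconds by default) is far longer than any keep-alive value, so the server-side timeout is the one that decides.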