SDP Client more 30 seconds access timeout #2

Open
Joncheski opened this issue Jul 25, 2018 · 3 comments

Comments

@Joncheski

Joncheski commented Jul 25, 2018

Dear,
I want the SDP Client to have an open session of more than 30 seconds. I tried to make a change to the SDP Gateway in the file access.conf, but there are no changes. Will you be able to tell me which configurations I need to change, and where, to increase the duration of the client's session?

  • This is how I start the SDP controller: node ./sdpController.js
    Log message:
    SDP Controller running at port 5000
    Connection from SDP ID 2, connection ID 1
    New credentials successfully created for sdp member 2
    Sending credential_update message to SDP ID 2, attempt: 0
    Received credential update acknowledgement from SDP ID 2, data successfully delivered
    Successfully stored new keys for SDP ID 2 in the database
    Sending access_update message to SDP ID 2
    Received access data acknowledgement from SDP ID 2, data successfully delivered
    Sending service_refresh message to SDP ID 2, attempt: 1
    Received service data acknowledgement from SDP ID 2, data successfully delivered
    Sending access_refresh message to SDP ID 2, attempt: 1
    Received access data acknowledgement from SDP ID 2, data successfully delivered
    Connection from SDP ID 55564, connection ID 2
    New credentials successfully created for sdp member 55564
    Sending credential_update message to SDP ID 55564, attempt: 0
    Received credential update acknowledgement from SDP ID 55564, data successfully delivered
    Successfully stored new keys for SDP ID 55564 in the database
    Sending access_update message to SDP ID 2
    Received access data acknowledgement from SDP ID 2, data successfully delivered
    Connection to SDP ID 55564, connection ID 2 closed.
    Searching connected client list for SDP ID 55564, connection ID 2
    Found and removed SDP ID 55564, connection ID 2 from connection list

  • This is how I start the SDP gateway: fwknopd -f -i eth0 --syslog-enable
    Log message:
    (sdp_com.c:590) Starting connection attempt 1
    (sdp_com.c:371) Connected with ECDHE-RSA-AES128-GCM-SHA256 encryption
    (sdp_com.c:703) Server certificates:
    (sdp_com.c:705) Subject: /O=#####/CN=#####
    (sdp_com.c:708) Issuer: /O=##### /CN=#####
    (sdp_ctrl_client.c:627) Credentials-good message received
    (sdp_message.c:258) Received credential update message
    (sdp_ctrl_client.c:637) Credential update received
    (sdp_ctrl_client.c:1960) All new credentials stored successfully
    (sdp_message.c:272) Received service or access data message
    (sdp_ctrl_client.c:675) Access data update received
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 2
    Created 1 hash table nodes from 1 json stanzas
    Succeeded in modifying access data.
    (sdp_message.c:272) Received service or access data message
    (sdp_ctrl_client.c:649) Service data refresh received
    Added service entry for Service ID 1
    Added service entry for Service ID 2
    Created 2 service hash table nodes from 2 json stanzas
    Succeeded in retrieving and installing service configuration
    (sdp_message.c:272) Received service or access data message
    (sdp_ctrl_client.c:668) Access data refresh received
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 2
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55556
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55557
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55558
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55559
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55560
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55561
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55562
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55563
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55564
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55565
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55566
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55567
    Created 13 hash table nodes from 13 json stanzas
    Succeeded in retrieving and installing access configuration
    Starting fwknopd
    Successfully started SDP Control Client Thread.
    Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
    Added jump rule from chain: FORWARD to chain: FWKNOP_FORWARD
    Added jump rule from chain: PREROUTING to chain: FWKNOP_PREROUTING
    iptables 'comment' match is available
    Sniffing interface: eth0
    PCAP filter is: 'udp port 62201'
    Starting fwknopd main event loop.
    handle_conntrack_print_issue() null arg passed, doing nothing
    handle_conntrack_print_issue() null arg passed, doing nothing
    (stanza #0) SPA Packet from IP: 192.168.218.2 received with access source match
    Added connmark rule to FWKNOP_INPUT for 192.168.218.2 -> 0.0.0.0/0 port 443, expires at 1532524179
    Added access rule to FWKNOP_INPUT for 192.168.218.2 -> 0.0.0.0/0 port 443, expires at 1532524179
    handle_conntrack_print_issue() null arg passed, doing nothing
    (sdp_message.c:272) Received service or access data message
    (sdp_ctrl_client.c:675) Access data update received
    Warning: REQUIRE_SOURCE_ADDRESS not enabled for access stanza source: 'ANY'
    Added access entry for SDP ID 55564
    Created 1 hash table nodes from 1 json stanzas
    Succeeded in modifying access data.
    handle_conntrack_print_issue() null arg passed, doing nothing

  • This is how I start the SDP client: fwknop -n web_app -v
    Log message:

SPA Field Values:
=================
Random Value: 1319806268186699
SDP Client ID: 55564
Username: root
Timestamp: 1532524149
FKO Version: 2.0.2
Message Type: 1 (Service access msg)
Message String: 192.168.218.2,2
Nat Access:
Server Auth:
Client Timeout: 0
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
Disable SDP Mode: 0 (SDP Mode Enabled)
Encoded SDP ID: DNkAAA
Encoded Data: 1319806268186699:1532524149:1:MTkyLjE2OC4yMTguMiwy
SPA Data Digest: DVwDkql2vADS7Bm4ve7YoGeEFOvGBBZU12JTUNMkbAA
HMAC: nEe3cdJ/0TCSeEOIeEwROdAMHmaJ/DR6K9/gEKREOKo
Final SPA Data: DNkAAA9KfSeZDAT5EXDbxoUc1OE1pyJIts+qMYdHfr78Ph2J1tJoX5xG1MobUTgF1IVpzhY+kC9AxLPi73dG5NFipV8A0/iJGJ3LATZHmP9kFkuRG43hGDgjLP616WSQPncdNi7vu8z6a8DkCgnEe3cdJ/0TCSeEOIeEwROdAMHmaJ/DR6K9/gEKREOKo

Generating SPA packet:
protocol: udp
source port:
destination port: 62201
IP/host: 192.168.82.156
(sdp_com.c:590) Starting connection attempt 1
(sdp_com.c:371) Connected with ECDHE-RSA-AES128-GCM-SHA256 encryption
(sdp_com.c:703) Server certificates:
(sdp_com.c:705) Subject: /O=####/CN=####
(sdp_com.c:708) Issuer: /O=####/CN=####
(sdp_ctrl_client.c:627) Credentials-good message received
(sdp_message.c:258) Received credential update message
(sdp_ctrl_client.c:637) Credential update received
(sdp_ctrl_client.c:1960) All new credentials stored successfully
(sdp_ctrl_client.c:1562) SDP Control Client Exiting
SDP ctrl client ran successfully
send_spa_packet: bytes sent: 189

Best regards,
Goce Joncheski

@hydrolucid

Just to make sure I understand your question, are you referring to the firewall timeout that closes a port on the gateway 30 seconds after the client sends a SPA packet?

@hydrolucid

Assuming you are referring to the gateway/server closing an opened port after 30 seconds, I want to point out a couple items:

  1. If the client device connects to a service through that open port, the port can be closed without interrupting the service. This works in cases like ssh connections. It does get a little trickier with HTTP, but see 2.
  2. With HTTP, the server is often configured by default not to reuse TCP connections, so each HTTP request from a browser creates a new TCP connection. This means after the firewall port is closed, the next request looks like a totally new TCP connection and is rejected. BUT, you can configure the HTTP server to reuse connections and you also set a timeout. In our testing, we usually set up the HTTP server to timeout after 10 minutes. This means as long as the user on the client performs some sort of HTTP request every 10 minutes, the connection does not time out, and access is maintained long after the firewall port is closed. See here for information on configuring these features on Apache.

Back to your original question. Our version of SDP does not use access.conf by default, because the gateway now gets its access data from the controller instead. Unfortunately, we did not get around to making an equivalent configuration parameter to change the timeout on the controller and pass this parameter to the gateway, so it currently can only use the default timeout coded on the gateway. You can change the default and recompile the gateway code. The line of code to change is here.
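The two points above can be checked against the logs in the issue itself: the client's SPA `Timestamp: 1532524149` and the gateway's `expires at 1532524179` differ by exactly the 30-second default, and the `connmark` rule added alongside the access rule is what lets an already-established TCP connection outlive that window. The following script is an added example (not part of this issue or the project's code) that parses constructed log lines modelled on the ones posted above, derives the access window, and models the HTTP keep-alive reasoning from point 2: a request that reuses a live connection within the keep-alive timeout succeeds, while a request that needs a fresh TCP connection succeeds only while the access rule is still installed. It assumes that both timestamps are Unix epoch seconds on the same clock, which the posted values support.

```python
import re

# Constructed sample input, modelled on the gateway and client output in the issue.
GATEWAY_LOG = """\
(stanza #0) SPA Packet from IP: 192.168.218.2 received with access source match
Added connmark rule to FWKNOP_INPUT for 192.168.218.2 -> 0.0.0.0/0 port 443, expires at 1532524179
Added access rule to FWKNOP_INPUT for 192.168.218.2 -> 0.0.0.0/0 port 443, expires at 1532524179
"""

CLIENT_OUTPUT = """\
SDP Client ID: 55564
Timestamp: 1532524149
Client Timeout: 0
"""

# Matches the "Added ... rule" lines fwknopd prints when it installs iptables rules.
RULE_RE = re.compile(
    r"Added (?P<kind>connmark|access) rule to (?P<chain>\S+) for "
    r"(?P<src>\S+) -> (?P<dst>\S+) port (?P<port>\d+), expires at (?P<expires>\d+)"
)


def parse_rules(gateway_log):
    """Return one dict per installed rule: kind, chain, src, dst, port, expires (epoch)."""
    rules = []
    for line in gateway_log.splitlines():
        m = RULE_RE.search(line)
        if m:
            rule = m.groupdict()
            rule["port"] = int(rule["port"])
            rule["expires"] = int(rule["expires"])
            rules.append(rule)
    return rules


def spa_timestamp(client_output):
    """Extract the epoch Timestamp field from the client's 'SPA Field Values' dump."""
    m = re.search(r"^Timestamp:\s*(\d+)", client_output, re.M)
    if not m:
        raise ValueError("no SPA Timestamp in client output")
    return int(m.group(1))


def access_window_seconds(client_output, gateway_log):
    """Seconds the gateway keeps the access rule open after the SPA packet."""
    ts = spa_timestamp(client_output)
    windows = {r["expires"] - ts for r in parse_rules(gateway_log) if r["kind"] == "access"}
    if len(windows) != 1:
        raise ValueError("expected exactly one access rule expiry, got %r" % windows)
    return windows.pop()


def session_survives(request_times, window, keepalive_timeout):
    """Model of point 2 above (hypothetical helper, not project code).

    request_times: seconds after the SPA packet at which the client sends HTTP requests.
    A request reuses the existing TCP connection if the gap since the previous request is
    within keepalive_timeout; otherwise it needs a new TCP connection, which the gateway
    firewall only admits while the access rule is still installed (t < window).
    """
    conn_open = False
    last = None
    for t in request_times:
        if conn_open and t - last <= keepalive_timeout:
            last = t          # served on the established, conntrack-marked connection
            continue
        if t >= window:       # new SYN after the access rule expired: dropped
            return False
        conn_open = True
        last = t
    return True


if __name__ == "__main__":
    window = access_window_seconds(CLIENT_OUTPUT, GATEWAY_LOG)
    print("access window: %d seconds" % window)
    # No keep-alive: every request is a new TCP connection, so access ends at the window.
    print("no keep-alive, requests at 5s/60s/120s:", session_survives([5, 60, 120], window, 0))
    # Keep-alive of 10 minutes, as in the testing described above.
    print("10 min keep-alive, requests at 5s/300s/590s:", session_survives([5, 300, 590], window, 600))
    print("10 min keep-alive, requests at 5s/700s:", session_survives([5, 700], window, 600))
```

Run it on real `fwknopd --syslog-enable` output and the client's `-v` dump to confirm what timeout the deployed gateway binary actually uses; the `session_survives` model makes it explicit that the keep-alive timeout on the HTTP server, not the firewall window, bounds how long a user can stay idle.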

@Joncheski

Exactly, that was my question. After sending an SPA packet to the SDP Gateway, it has an open access port for only 30 seconds.
And I found the place in the code where to change those 30 seconds as the default, but for each change you need to re-deploy the entire Gateway. Is there any other solution than re-deploying, when it cannot be taken from a configuration file?
I use nginx as a proxy. But after those 30 seconds there is no data flow or information, and all packets and sessions are closed.
