Tip: Why is port 8550 being queried when starting an SSH session & what effect does this have on the SSH session?

Document ID : KB000010007
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Port 8550 is used for communication between CA PAM & the Socket Filter Agent (SFA) that may be installed on the target device. When starting the SSH connection CA PAM first queries this port to check for the existence of the SFA on the target device. After clicking the 'SSH' link for a server it may be noted that there is a delay before recieveing the logon prompt or completing a successful login. This delay can be caused by the querying of port 8550. CA PAM sends a query packet to port 8550 and waits for a response. If there is no SFA on the target then the packet will not be picked up and replied to. There are 2 behaviors that may occur when there is no SFA installed, depending on firewall settings: dropping the packet or rejecting the packet.  When the packet is 'DROPPED' CA PAM has no idea whether it ever reached the device and will retry the connection a few times. This is the point where the delay occurs; while CA PAM is waiting for a response it will hold off on starting the SSH session.

If SFA is installed and running on the target device then this delay should not occur (or at least would have less of an effect) since the query packet would be responded to.

Instructions:

To speed up the SSH connection initialization the best solution is to ensure that the 8550 query packet is 'REJECTED' instead of 'DROPPED'. When a packet is 'REJECTED' the sender is actually notified and will not continue to retry the connection. This will speed up the initialization because CA PAM will no longer hold off the SSH session to wait for a response.

In lab testing the initialization time went from ~5 seconds to <1 second.

Note: this should not be done if SFA is being used on the target device.

Additional Information:

This same behavior can be seen with RDP connections. See this document for more specific info: TEC1215493

Note: This tip assumes the use of the default Socket Filter Agent (SFA) port: 8550. If a different port is listed under Policy > Manage Policies > Manage Filters > Socket Filter Config > Agent Port: then you should REJECT that port instead.