SSH Errors when connecting to a Juniper Netscreen SSG5-GT

Recently, I started working with Netscreens, which I haven’t done for 10 years or so. Things have changed a bit. As I’m learning ScreenOS, and trying to get around and configure these things, I’m getting really aggravated because while I’m RTFM’ing, the ssh session keeps disconnecting with this error:

buffer_get_ret: trying to get more bytes 4 than in buffer 0
buffer_get_int: buffer error

It only seems to happen after a very short period of inactivity though. Highly reproducible, and seems to happen from all the OSX clients I’ve tried. So, I try from an Ubuntu box, and it doesn’t happen, which leads me to evaluate what is different between the two. Both are running the same OpenSSH version, but a different OpenSSL version. Oh, and the Ubuntu config is a stock vanilla config, while the OSX boxes all have a custom ~/.ssh/config that is used to set usernames and a few ssh options to make my life easier.

So, I renamed ~/.ssh/ on an OSX box, and the problem vanishes! This tells me it has to do with my ssh config. After a bit of troubleshooting, I isolated the problem in this portion of my ~/.ssh/config file:

Host *
ServerAliveInterval 30

I use this option to keep from timing out on SSH servers that boot you for inactivity. It works fine for all the servers I’ve used, until now. Apparently, when the SSH client detects 30 seconds of inactivity, it sends some sort of stay-alive message, which the Netscreen fails to handle, so it immediately disconnects.

To work around this, set this value to 0 (to disable) on your Netscreen hosts in the ~/.ssh/config file:

Host vpn*
ServerAliveInterval 0

All my Netscreens are in my hostfile and begin with vpn-.

Use the hostname or IP address, with or without the asterisk wildcard, that fits your situation.

Hope you found this helpful. I was unable to find ANYTHING on the net that explains this.

EDIT: Michael Newton has had success in adding the following options as well to the Host entry in the ssh config:

Host ns5gt
TCPKeepAlive no
ServerAliveInterval 0
HostKeyAlgorithms ssh-dss
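
ssh_config(5) uses the first value obtained for each keyword, so whether the `Host vpn*` block sits before or after `Host *` decides if the `ServerAliveInterval 0` override actually applies. The following is an added example, not part of the original post: a simplified Python model of that resolution (Host blocks only, no Match or Include), with the host names vpn-site1 and web01 and both sample configs constructed for illustration.

```python
import re

# Constructed configs: the two blocks from the post, in both possible orders.
WILDCARD_FIRST = """\
Host *
    ServerAliveInterval 30

Host vpn*
    ServerAliveInterval 0
"""

SPECIFIC_FIRST = """\
Host vpn*
    ServerAliveInterval 0

Host *
    ServerAliveInterval 30
"""

def host_matches(host, patterns):
    """Match a host against one Host line: '*' and '?' wildcards, '!' negation."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        rx = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if negate:
                return False      # a negated match rejects the whole Host line
            matched = True
    return matched

def effective_options(config_text, host):
    """Return the options that apply to host; the first value seen per keyword wins."""
    result, active = {}, True     # options before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_matches(host, value.split())
        elif active:
            result.setdefault(keyword, value)   # later values never override
    return result

if __name__ == "__main__":
    for name, cfg in (("wildcard first", WILDCARD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, effective_options(cfg, "vpn-site1"))
```

On a real client, `ssh -G vpn-site1 | grep -i serveraliveinterval` prints the value OpenSSH itself resolves for that host.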

4 thoughts on “SSH Errors when connecting to a Juniper Netscreen SSG5-GT”

  1. That works for me also, thanks!

    I also have to add “ssh -o ControlMaster=yes” to the beginning of the command or it immediately disconnects. This is on ScreenOS 6.0.0.

  2. Excellent – thanks! Never knew about wildcards in ~/.ssh/config – VERY handy.

    I’ve now got things like:

    Host 10.80.*

    Host *ssg1

  3. Thanks, this got me looking into my own config file where I was able to work out the problem. After setting ServerAliveInterval 0 I could connect, but only for a few seconds; I also needed to set TCPKeepAlive no.

    If you usually authenticate with an RSA key this error can also pop up. For the Netscreen I had to stop it from attempting to use my RSA key.

    This is what my config file looks like now:

    Host *
    Protocol 2,1
    TCPKeepAlive yes
    ServerAliveInterval 120

    Host ns5gt
    TCPKeepAlive no
    ServerAliveInterval 0
    HostKeyAlgorithms ssh-dss
