NPA and SSH/SCP Error

  • 10 August 2023
  • 3 replies

Userlevel 2
Badge +5

I have a private app configured to allow port 22 and users are able to use SSH and SCP successfully. Users are observing an intermittent issue when trying to SSH/SCP into the app and getting this error:

kex_exchange_identification: Connection closed by remote host Connection closed by port 22


This error prevents user from starting a new SSH/SCP session, but all existing SSH/SCP sessions are fine when this error occurs. Usually if user retry's ssh after a while, the error goes away.


Is there any kind of SSH connection limiting in the NS Client or Publisher?

3 replies

Userlevel 6
Badge +16


I don't believe there is any limit within NPA itself to the number of SSH or other connection types.  I'm wondering if the end application itself has a limit on the number of connections from a single host which could cause the behavior you're seeing.   You could validate by taking a packet capture on the Publisher itself.  If the reset is seen there from the remote host then that tells you that it's from the app itself rather than anything in NPA.  One way you could also test or further validate this if you can't get details from the application administrator is to add additional Publishers to the app definition so connections will be load balanced meaning less connections from individual IP addresses. Just ensure that the additional Publishers can resolve the hostname and route/reach the IP address of the app.  


Userlevel 2
Badge +5

HI, we have 8 dedicated SSH Publishers already, so I don't think thats the issue. I am in the process of trying to enable packet capture on one of the them for troubleshooting. Also, I am trying to see if they have a load balancer in front of the apps and get the SSH logs from the app server itself. Thanks.

Userlevel 2
Badge +5

Additionally, this issue occurs due to a large number of SCP sessions being established by individual users and movement of large files up and down. I am researching whether the OSX file descriptor setting is set too low. Not sure what this setting is exactly since there is limited info talking about it.