[ale] SSH Cisco Networking Issue

David Tomaschik david at tuxteam.com
Thu Sep 16 18:17:21 EDT 2010


On 09/16/2010 03:05 PM, Omar Chanouha wrote:
> Hello All,
>
>     Sorry for the long email, but I am having an issue with the IT guy
> at my office, and this problem is out of my league. I set up a
> LAMP/SSH server to host the intranet where I work. I am back at Tech
> now, and need a way to connect to the server (Miami) to make changes.
> I told the IT guy to open a port for me in the firewall so I can get
> to the SSH server. Easy enough right?
>
> So, I can log into the server *.126, and I can send and receive data
> from it, HOWEVER if I try to receive large (> a paragraph) worth of
> data the client hangs. The firewall still registers a connection, and
> the client will just hang forever (ctrl-c does nothing, I have to close
> the terminal). I would imagine this means it is waiting for data that
> is not going to get there, and is also not receiving a disconnect
> message.
>
> Example:
>
> o at remote:~$cat smallfile
> Hello World!
> o at remote:~$cat bigfile[no response]
>
> the same would apply to listing (ls) a small directory vs a large one.
> Or even TAB completing a long list vs a short one.
>
> At address *.126 there are multiple machines, so when I connect to
> *.126 I get port forwarded to another machine via NAT. Just as a test,
> we made the relationship 1-1 at address *.124 (another ip we own) and
> we made the firewall rule completely open at this address. The server
> then worked. The IT guy then decided to make the rule more strict by
> only allowing connection on port 22, and we went back to the previous
> result. He then put in the Cisco SSH rule (rather than just opening
> port 22) and it worked again.
>
> However, *.124 is not available for full time use, so we went back to
> *.126 and applied the SSH rule, but got the same result as before.
> Here is the weird part, when we port forward *.126 to one of the SSH
> servers on one of the Cisco routers (rather than my machine) SSH works
> fine. The IT guy thinks that the issue is coming from the NAT b/c we
> are using the same firewall rule that worked w/ 1-1.
>
> Question, what could be causing the Ubuntu SSH server to hang ONLY
> when larger amounts of data are being sent, but not affect the Cisco
> SSH servers?
>
> Thanks,
>
> -O

What exactly do you mean by the "Cisco SSH rule" versus "opening port
22"?  Assuming it's not doing any sort of MITM work (which would be bad)
and is just passing packets, I'd start by looking at your MTU.  Most SSH
packets are much smaller than your MTU, but a large amount of data could
well exceed this.  If the firewall is dropping fragments, you would get
a behavior similar to what you've described.

Also, try using wireshark to see what's going on in the connection, or
have your IT guy do it from his end (he could do it via a mirror port on
a switch, for example).

-- 
David Tomaschik, RHCE
Ubuntu Community Member
Moderator, LinuxQuestions.org
GPG: 0x6D428695
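One way to check the MTU hypothesis from the reply above, as an added example that is not part of the thread: a small POSIX shell script that binary-searches the largest IPv4 packet size that reaches a host with the Don't Fragment bit set. It assumes Linux ping(8) (`-M do` sets DF, `-s` sets the ICMP payload) and uses a placeholder hostname; a result well below the local interface MTU, or 0, is what a fragment-dropping or ICMP-filtering firewall looks like.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Finds the path MTU toward a host by sending ICMP echo requests with
# the DF bit set; packets larger than the path MTU are dropped instead
# of fragmented. A path that drops fragments or the ICMP "fragmentation
# needed" replies shows up here as a PMTU far below 1500, which fits
# the symptom of small SSH replies working while large ones hang.
#
# Assumes Linux ping(8). IPv4 MTU = ICMP payload + 8 (ICMP) + 20 (IP).

ICMP_OVERHEAD=28

# probe_mtu HOST MTU -> exit 0 if a DF packet of that total size arrives
probe_mtu() {
    ping -c 1 -W 2 -M do -s $(( $2 - ICMP_OVERHEAD )) "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH] -> prints the largest MTU that passes,
# binary-searching between LOW and HIGH (defaults 576..1500). Prints 0
# when even LOW fails, which usually means ICMP itself is being filtered.
find_path_mtu() {
    host=$1; low=${2:-576}; high=${3:-1500}
    best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        if probe_mtu "$host" "$mid"; then
            best=$mid; low=$(( mid + 1 ))
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage (placeholder hostname): find_path_mtu ssh.example.com
```

Run it from the client toward the server and, if possible, from the server back toward the client, since the two directions can differ when NAT is involved.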
