[ale] SSH Cisco Networking Issue
Omar Chanouha
ofosho at gatech.edu
Thu Sep 16 23:08:49 EDT 2010
I am actually not sure what I mean by "Cisco SSH Rule". I was actually
hoping someone here would know. The IT guy told me that he opened port
22 manually, which did not work. But then, rather than opening a port,
he said he allowed the SSH application. I interpreted that as making
the rule "allow SSH traffic", rather than "allow port 22 traffic". I
honestly have no Cisco/Firewall experience, so I don't know. But, from
the sound of it, this guy doesn't really have too much experience
either. And, they are a MSoft oriented company, so of course the fact
that it isn't working is not his fault, but that of Linux.
I will ask him about the MTU, but if the MTU of the firewall is set
improperly wouldn't that also effect the SSH packets from the Cisco
routers? Or, perhaps that SSH server only sends packets in small
chunks?
Just guessing here, and hoping my boss doesn't get in my face about
running Linux. That, of course, was my choice.
-O
On Thu, Sep 16, 2010 at 6:17 PM, David Tomaschik <david at tuxteam.com> wrote:
> On 09/16/2010 03:05 PM, Omar Chanouha wrote:
>> Hello All,
>>
>> Sorry for the long email, but I am having an issue with the IT guy
>> at my office, and this problem is out of my league. I set up a
>> LAMP/SSH server to host the intranet where I work. I am back at Tech
>> now, and need a way to connect to the server (Miami) to make changes.
>> I told the IT guy to open a port for me in the firewall so I can get
>> to the SSH server. Easy enough right?
>>
>> So, I can log into the server *.126, and I can send and recieve data
>> from it, HOWEVER if I try to receive large (> a paragraph) worth of
>> data the client hangs. The firewall still registers a connection, and
>> the client will just hang forever(ctrl-c does nothing, I have to close
>> the terminal). I would imagine this means it is waiting for data that
>> is not going to get there, and is also not receiving a disconnect
>> message.
>>
>> Example:
>>
>> o at remote:~$cat smallfile
>> Hello World!
>> o at remote:~$cat bigfile[no response]
>>
>> the same would apply to listing(ls) a small directory vs a large one.
>> Or even TAB completing a long list vs a short one.
>>
>> At address *.126 there are multiple machines, so when I connect to
>> *.126 I get port forwarded to another machine via NAT. Just as a test,
>> we made the relationship 1-1 at address *.124 (another ip we own) and
>> we made the firewall rule completely open at this address. The server
>> then worked. The IT guy then decided to make the rule more strict by
>> only allowing connection on port 22, and we went back to the previous
>> result. He then put in the Cisco SSH rule (rather than just opening
>> port 22) and it worked again.
>>
>> However, *.124 is not available for full time use, so we went back to
>> *.126 and applied the SSH rule, but got the same result as before.
>> Here is the weird part, when we port forward *.126 to one of the SSH
>> servers on one of the Cisco routers (rather than my machine) SSH works
>> fine. The IT guy thinks that the issue is coming from the NAT b/c we
>> are using the same firewall rule that worked w/ 1-1.
>>
>> Question, what could be causing the Ubuntu SSH server to hang ONLY
>> when larger amounts of data are being sent, but not affect the Cisco
>> SSH servers?
>>
>> Thanks,
>>
>> -O
>>
>
> What exactly do you mean by the "Cisco SSH rule" versus "opening port
> 22"? Assuming it's not doing any sort of MITM work (which would be bad)
> and is just passing packets, I'd start by looking at your MTU. Most SSH
> packets are much smaller than your MTU, but a large amount of data could
> well exceed this. If the firewall is dropping fragments, you would get
> a behavior similar to what you've described.
>
> Also, try using wireshark to see what's going on in the connection, or
> have your IT guy do it from his end (he could do it via a mirror port on
> a switch, for example).
>
> --
> David Tomaschik, RHCE
> Ubuntu Community Member
> Moderator, LinuxQuestions.org
> GPG: 0x6D428695
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
More information about the Ale
mailing list