Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- ssh hangs remotely, but not locally.
- Dr. David Kirkby
December 3, 2003, 11:09 am
rate this thread
it OpenSSH_3.6p1. It is behind quite an expensive ADSL modem, which
has a built in firewall, router, is able to network address
The IBM has an IP of 192.168.1.178 with a netmaks of 255.255.255.0 On
the same subnet are two Suns, both running the same version of SSH.
All machines have a a default route to the ADSL modem.
The Suns can ssh to the IBM and the IBM can ssh to the Suns, with no
problems at all. Hence locally things work as expected.
However, if the modem, which does the network address translation, is
set up to send data on port 22 to the IBM RS/6000, the ssh connection
hangs for a remote user. Running telnet from a remote site to my IP
address on port 22, one can see there is indeed an ssh server, but
it's not possible to do anything with it.
In contrast, if the modem is set up to re-direct connections on ports
22 to either of the Suns, the connection works fine. Hence the only
way to connect to the IBM from a remote site seems to be for me to
configure the NAT to send data on port 22 to a Sun, so its's possible
to log into the Sun via ssh. Once that is done, it's possible to ssh
to the IBM.
Any ideas what could be up? I've looked at the hardware firewall's
logs and can see no packets being rejected. There's no firewall
configured on the IBM.
Dr. David Kirkby,
(email address at http://www.medphys.ucl.ac.uk/~davek/myemail.jpg)
Re: ssh hangs remotely, but not locally.
You probably have an MTU mismatch problem. For more details, see:
On AIX, you may also need to disable path MTU discovery if your
router/firewall does not return an ICMP message when fragmentation
is required but the dont-fragment bit is set (see the man page for
"no", from memory it's something like "no -s tcp_pmtu_discovery=0".)
BTW, that version of OpenSSH has a potential security problem, you
should consider upgrading it before exposing it to a public network.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum