strange ssh performance issues

John Summerfield debian at herakles.homelinux.org
Sat Oct 13 00:59:45 UTC 2007


Harald Hoyer wrote:
> Kevin Kempter wrote:
>> Hi List;
>>
>> First let me say that (1) I have a fairly unusual (I suspect) ssh 
>> setup, and (2) I hate the virus known as windows
>>
>> Here's the deal;
>>
>> The client I'm working for uses a SonicWall firewall to control access 
>> to the data centers. Unfortunately there are issues with the Linux 
>> openVPN clients (specifically open swan) where it connects but locks 

openvpn != openswan.
openvpn works fine for me, I have it working perfectly. All it needs is 
UDP port 1194 (the standard port) open, and if the other end's not on 
the firewall, then the firewall needs to forward UDP port 1194 to the 
correct host.

I haven't (and probably won't) used SonicWall, all my firewall needs are 
met with shorewall on Linux.


>> all other connections out of the firewall. So, until we figure this 
>> out the solution is to use the windows version of the SonicWall 
>> client.  I've installed vmware and installed a copy of VirusXP (AKA 
>> Windows XP). I installed cygwin and followed the instructions here to 
>> install the ssh server: ( 
>> http://pigtail.net/LRP/printsrv/cygwin-sshd.html ) although I did not 
>> run the mkpasswd and mkgroup commands, they seemed to break the 
>> install of ssh server.
>>
>> Anyway, I also set up an ssh key so I could log in to the VM of VirusXP
>> without a password.
>> Next I set up a config file in my Linux $HOME/.ssh dir with many
>> entries like this (one for each host in the data centers that I need to
>> connect to):
>>
>> Host dataCenterHostname
>>         Hostname 10.1.x.x               # data center I.P.
>>         HostKeyAlias 10.1.x.x          # data center I.P.
>>         ProxyCommand /usr/local/bin/netcat-proxy-command 172.16.128.128 %h
>>
>>
>> The 172.16.128.128 I.P. addr is the I.P. of the VirusXP image within 
>> vmware via nat. (I could not make the ssh connections work via bridged 
>> networking).
>>
>> The /usr/local/bin/netcat-proxy-command script is a netcat (nc) script 
>> and contains this:
>>
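>> #!/bin/sh
>> # $1: gateway host running sshd; $2: internal host to reach through it
>> gateway=$1
>> internal=$2
>> # Relay stdin/stdout to port 22 on the internal host via nc on the gateway
>> ssh "$gateway" nc -w 1 "$internal" 22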
>>
>> To use this setup I boot up VirusXP, open the SonicWall VPN client and 
>> connect to one or more of the data centers.  Then in Fedora 7 (the 
>> host OS) I open a terminal and run this:
>> ssh dataCenterHostname
>>  
>> so, to my issue. Most of the time this setup works fairly well, in 
>> that it does connect. It usually takes about 30 seconds for me to get 
>> a password prompt for the target data center host. This is acceptable 
>> but I think there's something weird going on that delays the
>> connection. I say this because I can open a cygwin window in VirusXP
>> and do an ssh <I.P.> and I get a password prompt immediately.

Sounds to me like you're getting three DNS timeouts. Make sure all IP 
addresses resolve at both ends.

>>
>> The main issue is that several times a day the connections start to 
>> take several minutes to return the password prompt. I need to restart 
>> the cygwin service in VirusXP, and sometimes that doesn't help so I 
>> reboot the VM instance of VirusXP. This is quite frustrating, however 
>> I'm a DBA and have limited networking knowledge. Does anyone have any 
>> thoughts?, suggestions?, comments?
>>
>> Thanks in advance..
>>
> 
> You may try:
> 
> Host dataCenterHostname
>         GSSAPIAuthentication no
> 
> in ~/.ssh/config
> 

These are times I get:
08:56 [summer at numbat ~]$ time ssh school  date
Sat Oct 13 08:56:57 WST 2007

real    0m4.649s
user    0m0.020s
sys     0m0.016s
08:56 [summer at numbat ~]$ time ssh cdm date
Sat Oct 13 08:58:40 WST 2007

real    0m0.568s
user    0m0.020s
sys     0m0.017s
08:56 [summer at numbat ~]$

"School" is in the 'net, on another ADSL user, while "cdm" is just two 
wireless networks away.





-- 

Cheers
John


Please do not reply off-list
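
An added example, not part of the original thread: one way to see which step of the login is eating the time, so the two suggestions above (name resolution, `GSSAPIAuthentication no`) can be told apart. It reads a timestamped `ssh -v` trace and reports the step that was followed by the longest wait. The function names, the timestamping pipeline in the comment, and the sample trace are assumptions; the trace is constructed, not captured.

```shell
#!/bin/sh
# Input: lines of the form "<epoch-seconds> <ssh debug line>".
# One way to produce them (GNU date assumed):
#   ssh -v dataCenterHostname true 2>&1 |
#     while IFS= read -r l; do printf '%s %s\n' "$(date +%s.%N)" "$l"; done

# slowest_gap: print "<seconds> <line that was followed by the longest wait>".
# Prints nothing if fewer than two lines were read.
slowest_gap() {
    awk '
        {
            ts = $1
            line = $0
            sub(/^[^ ]+ /, "", line)          # drop the timestamp field
            if (NR > 1 && ts - prev_ts > max) {
                max = ts - prev_ts
                at = prev_line                # the step that was in progress
            }
            prev_ts = ts
            prev_line = line
        }
        END { if (NR > 1) printf "%.1f %s\n", max, at }
    '
}

# classify_gap: heuristic label for the stalled step (an assumption of this
# example). "gssapi" points at trying GSSAPIAuthentication no; anything else
# is left for the name-resolution check at both ends.
classify_gap() {
    case "$1" in
        *gssapi*) echo gssapi ;;
        *)        echo other ;;
    esac
}

# Constructed sample trace; 10.1.x.x is the placeholder used in the thread.
sample_trace() {
    cat <<'EOF'
1192237000.10 debug1: Executing proxy command: exec /usr/local/bin/netcat-proxy-command 172.16.128.128 10.1.x.x
1192237000.90 debug1: SSH2_MSG_SERVICE_ACCEPT received
1192237001.00 debug1: Authentications that can continue: publickey,gssapi-with-mic,password
1192237001.05 debug1: Next authentication method: gssapi-with-mic
1192237029.55 debug1: Next authentication method: publickey
1192237029.80 debug1: Next authentication method: password
EOF
}

sample_trace | slowest_gap
```

Run the same measurement from the cygwin window on the gateway and from the Linux host; if the long gap only appears on one side, that is the side whose configuration or resolver to look at.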



