remote login suddenly not working? - SSH
-
remote login suddenly not working?
I have a machine in my company's data center I've accessed via SSH for
a couple years. Yesterday my remote ssh connection stopped working. I
could connect to the box, enter my username and password and the screen
would just hang and eventually return a connection terminated
notification.
We went to the actual box and got console access - no problems with any
accounts, and tested ssh to localhost - no problems. Reviewing the logs
we could see our incoming connection requests in the system logs with
the following error:
sshd [ xxxxx ] FAIL authentication timeout connection xxx.xxx.xxx.xxx (
or something similar ).
So it looks like the first request is received by the box because I
can attempt to log on, but the login credentials are not making their
way back.
We have stopped and restarted SSH several times, checked the hosts
allowed files, but we can ssh to localhost and can reach the box with
the connection attempt.
This is a NATed address only accessible from our network. The external
addresses for the web server seem to be running fine.
Any ideas? The timeout makes me think it could be a firewall issue, but
I am far from an expert.
thanks - John
-
Re: remote login suddenly not working?
On 2006-06-10, john.n.mclaughlin@gmail.com wrote:
> I have a machine in my company's data center I've accessed via SSH for
> a couple years. Yesterday my remote ssh connection stopped working. I
> could connect to the box, enter my username and password and the screen
> would just hang and eventually return a connection terminated
> notification.
>
> We went to the actual box and got console access - no problems with any
> accounts, and tested ssh to localhost - no problems. Reviewing the logs
> we could see our incoming connection requests in the system logs with
> the following error:
>
> sshd [ xxxxx ] FAIL authentication timeout connection xxx.xxx.xxx.xxx (
> or something similar ).
>
> So it looks like the first request is received by the box because I
> can attempt to log on, but the login credentials are not making their
> way back.
>
> We have stopped and restarted SSH several times, checked the hosts
> allowed files, but we can ssh to localhost and can reach the box with
> the connection attempt.
>
> This is a NATed address only accessible from our network. The external
> addresses for the web server seem to be running fine.
Sounds like this:
http://www.snailbook.com/faq/mtu-mismatch.auto.html
If it's worked for a while and it's stopped working with no changes on the
server then I would bet there's been network changes. Even relatively
subtle changes such as changing the encaps type on a link can trigger
this kind of problem.
Since you seem to have (out of band?) console access, you can confirm
this pretty easily: start a login attempt via ssh, then at the console
run "netstat" and identify the new SSH connection. On most platforms
there is a "SendQ" column, and if the corresponding connection's SendQ
is non-zero and keeps growing then the above is almost certainly your
problem. (You can do the same check on the client side, too.)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
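The Send-Q check described in the reply above, as an added example that is not part of the original post: it compares two `netstat -tn` snapshots taken a few seconds apart and reports established connections on the sshd port whose Send-Q grew. It assumes the Linux net-tools column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the function name `stalled_ssh` and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample snapshots in Linux "netstat -tn" layout (assumption):
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SNAP1='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp        0   1448 10.0.0.5:22             192.0.2.44:40112        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:33810      ESTABLISHED'

SNAP2='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             10.0.0.9:51514          ESTABLISHED
tcp        0   4344 10.0.0.5:22             192.0.2.44:40112        ESTABLISHED
tcp        0    512 10.0.0.5:80             198.51.100.7:33810      ESTABLISHED'

# usage: stalled_ssh BEFORE AFTER [PORT]
# Prints one line per established connection on the local PORT (default 22)
# that appears in both snapshots and whose Send-Q is larger in the second.
stalled_ssh() {
    { printf '%s\n' "$1"; echo '--NEXT--'; printf '%s\n' "$2"; } |
    awk -v port="${3:-22}" '
        BEGIN { pass = 1 }
        # Marker line separates the first snapshot from the second.
        $0 == "--NEXT--" { pass = 2; next }
        # Established TCP rows whose local address ends in :port.
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            key = $4 " -> " $5
            if (pass == 1) { before[key] = $3 + 0; next }
            # Growth from a value >= 0 implies the new Send-Q is non-zero.
            if ((key in before) && $3 + 0 > before[key])
                printf "%s Send-Q %d -> %d\n", key, before[key], $3
        }'
}

# Run against the constructed samples. On a live server console, during a
# hanging login attempt, the equivalent would be:
#   a=$(netstat -tn); sleep 5; b=$(netstat -tn); stalled_ssh "$a" "$b"
stalled_ssh "$SNAP1" "$SNAP2"
```

Only the sshd connection with a growing queue is reported; the healthy SSH session and the port 80 connection are ignored.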
-
Re: remote login suddenly not working?
john.n.mclaughlin@gmail.com wrote:
> I have a machine in my company's data center I've accessed via SSH for
> a couple years. Yesterday my remote ssh connection stopped working. I
> could connect to the box, enter my username and password and the screen
> would just hang and eventually return a connection terminated
> notification.
>
> We went to the actual box and got console access - no problems with any
> accounts, and tested ssh to localhost - no problems. Reviewing the logs
> we could see our incoming connection requests in the system logs with
> the following error:
>
> sshd [ xxxxx ] FAIL authentication timeout connection xxx.xxx.xxx.xxx (
> or something similar ).
>
> So it looks like the first request is received by the box because I
> can attempt to log on, but the login credentials are not making their
> way back.
>
> We have stopped and restarted SSH several times, checked the hosts
> allowed files, but we can ssh to localhost and can reach the box with
> the connection attempt.
>
> This is a NATed address only accessible from our network. The external
> addresses for the web server seem to be running fine.
>
> Any ideas? The timeout makes me think it could be a firewall issue, but
> I am far from an expert.
>
> thanks - John
>
I have seen similar problems with routing problems with several
networks (packets going back on other route), ssh seems to have problems
with split routes. In your case I suppose a default route to the
external net and you want to come in to an internal interface.
-
Re: remote login suddenly not working?
john.n.mclaughlin@gmail.com wrote:
> I have a machine in my company's data center I've accessed via SSH for
> a couple years. Yesterday my remote ssh connection stopped working. I
> could connect to the box, enter my username and password and the screen
> would just hang and eventually return a connection terminated
> notification.
Check with your network administrator. Ask if any firewall rules have
changed.
-
Re: remote login suddenly not working?
On 2006-06-12, Wolfgang wrote:
> I have seen similar problems with routing problems with several
> networks (packets going back on other route), ssh seems to have problems
> with split routes.
Actually, SSH-the-protocol has no particular problems with asymmetric
routes (which seems to be what you're describing), but it is particularly
intolerant of broken networks.
The key exchange at the beginning of the protocol tends to generate
packets big enough to reach MTU/MSS sizes in both directions, so if you
have packet fragmentation on the path it will expose any latent problems
that firewalls or NAT devices have with fragmented packets.
The MAC (message authentication code) ensures that any changes to the
payload of the packets during transit are detected (whether they happen
on the wire, in router buffers or NIC drivers).
Other protocols may not reach these limits (e.g. telnet tends to be little
packets in one or both directions) and may not detect changes to the
payloads in transit.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.