Re: FC6 ssh times out to one particular host



On Fri, Mar 16, 2007 at 10:12:15AM +1100, Darren Tucker wrote:
> chris@xxxxxxxxxxxxxxxx wrote:
> > I have just migrated from using a Solaris box as my work system to
> > having Fedora Core 6 on my desktop PC.
> >
> > I have a number of ssh 'pinholes' in the company firewall to let
> > me connect to external systems. These are to four external systems
> > and from the Solaris system they all work still. From the new FC6
> > system they all work *except* for the one to my home system. Thus
> > the basics of ssh security etc. would seem to be OK.
> [...]
> > Can anyone suggest any reason for this problem and how to fix it? I'm
> > stumped.
>
> You could try turning off TCP window scaling on the client side
> ("echo 0 > /proc/sys/net/ipv4/tcp_window_scaling"). If your firewall
> gets it wrong then you might see odd errors like this.

After much tearing of hair, thinking, etc. I finally found the problem
which turned out to be nothing to do with ssh at all. The Slackware
host system is behind a Speedtouch router/firewall and the firewall
was rejecting packets sent back from the Slackware host to the FC6
client because of some sort of packet sequence error. The router log
says:-

FIREWALL fast tcp seqnr check (1 of 2): Protocol: TCP Src ip:
192.168.1.1 Src port: 22 Dst ip: 193.128.168.194 Dst port: 51097

I fixed the problem by turning off the firewall TCP checks, i.e.:-

firewall config tcpchecks none

I'd like to find out more, e.g. is it the firewall being paranoid or
is it actually an error in the FC6 TCP code. However I can't really
find out much more about this error at present.

--
Chris Green (chris@xxxxxxxxxxxx)
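
The interaction Darren's suggestion points at, as an added example that is not part of the thread: a simplified model of a stateful firewall's TCP sequence-window check, judged once with the window scale option honoured and once ignored. The function names and all values are constructed, and the thread does not establish that the Speedtouch check works this way.

```python
# Added illustration, not from the thread. Simplified model of an in-window
# sequence check on server -> client data, as a stateful firewall might do it.
SEQ_MOD = 2**32
MAX_WSCALE = 14  # RFC 7323 upper bound on the window scale shift count

def effective_window(window_field, wscale, honor_wscale):
    """Receive window in bytes as the firewall computes it.

    The 16-bit window field is left-shifted by the shift count the receiver
    announced in its SYN; a firewall that ignores the option uses it raw.
    """
    if not 0 <= window_field <= 0xFFFF:
        raise ValueError("window field is 16 bits")
    if not 0 <= wscale <= MAX_WSCALE:
        raise ValueError("shift count must be 0..14")
    return window_field << wscale if honor_wscale else window_field

def in_window(seq, length, rcv_nxt, window):
    """True if [seq, seq+length) fits in [rcv_nxt, rcv_nxt+window), mod 2^32."""
    offset = (seq - rcv_nxt) % SEQ_MOD  # huge for data before rcv_nxt
    return offset + length <= window

def judge_flow(segments, rcv_nxt, window_field, wscale, honor_wscale):
    """Return 'pass'/'drop' per (seq, length) segment.

    Assumption: the receiver keeps advertising the same window, and every
    in-order segment that passes is acknowledged at once.
    """
    window = effective_window(window_field, wscale, honor_wscale)
    verdicts = []
    for seq, length in segments:
        if in_window(seq, length, rcv_nxt, window):
            verdicts.append("pass")
            if seq == rcv_nxt:
                rcv_nxt = (rcv_nxt + length) % SEQ_MOD
        else:
            verdicts.append("drop")
    return verdicts

# Constructed sample: one 40-byte segment, then three full-size ones, starting
# near the top of the sequence space so the last segment wraps past 2^32.
ISN = 0xFFFFF000
SEGMENTS = [(ISN, 40)] + [((ISN + 40 + i * 1448) % SEQ_MOD, 1448) for i in range(3)]

if __name__ == "__main__":
    # Client advertises window field 46 with shift count 7 (46 << 7 = 5888 bytes).
    for honor in (True, False):
        print("honor wscale:", honor, judge_flow(SEGMENTS, ISN, 46, 7, honor))
```

With the scale ignored, the firewall in this model believes the window is 46 bytes, so the small first segment passes and every full-size segment is judged out of window.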


