I have exactly same setup in two offices. From one office, if I try to do ftp (or ssh) to anywhere in the world, it takes a long time before the login prompt comes (roughly 10-15 seconds minimum). Ftp normally takes far more time though.

However, from another office, I get it almost instantaneously!

I was told by several people that it could be "Reverse DNS Mapping" which is causing this trouble. If that is really the case, then I should get the trouble in both offices since they have exactly same kind of DNS setup (of course, with the difference of their own external/internal IPs).

I also have similar type of "/etc/hosts", "/etc/resolv.conf" and "/etc/nsswitch.conf" files at both ends. I have also checked "/etc/hosts.allow" and "/etc/hosts.deny" files at both ends. They are essentially empty.

The machines where I try this, are the main masquerading machines connected directly to the internet via modem/router and firewall. There is of course, internal network at both offices which is connected via VPN (ipsec).

Could it be the case that some DNS entries at ISP of problematic office is causing some trouble here?

Thanks all for your time..

really sounds like dns. You can change your /etc/ssh/sshd_config to not do reverse dns lookup, that could save you time. Also, most ftp daemons can be changed. Sounds like dns is hosed at one end, or your NAT has no reverse record.


MIKE

Could you please tell what to change in "/etc/ssh/sshd_config"? Also, I am using vsftpd on the problematic office. How do I disable reverse name lookup there?

I think the following entry would do it (in /etc/ssh/sshd_config):

Note that you would need to make this change on the servers you are trying to reach from the affected office, not the servers located at this office.

The problem is that when you contact a host from this office, the host tries to do an inverse lookup on your public IP address. If there is no reply, pretty much everything that uses IP will be delayed. The real solution, therefore, is to contact your ISP and get a reverse DNS entry set up for that address.

If your IP address for your office router is statice you could simply put an entry in the /etc/hosts file of the machines that you are trying to connect to.

I haven't had success with that approach in the past. Will the machine look to /etc/hosts to do an inverse?

/etc/hosts additions have worked for me in the past.

That depends on /etc/nsswitch.conf. Look for:

hosts: files dns

And you should be OK putting the static IP in. But as the other guys pointed out, your best bet is to always disable reverse lookups in your daemons. I know proftpd has such a setting.

[added later:] The tools 'strace' and 'tcpdump' are invaluable in solving this type of problem, but it takes a while to get proficient with them.

The default value for Reverse Lookups is "no", so unless he has specifically
changed his SSH Configuration to do reverse lookups that won't be it.

/Les