LinuxQuestions.org
Old 10-04-2013, 06:05 AM   #1
jayadhanesh
Member
 
Registered: Feb 2009
Location: Bangalore
Posts: 61

Rep: Reputation: 15
ssh times out


Hi,

I am trying to SSH to a SUSE system and ssh times out. I did a console connect to the
SUSE and ran tcpdump on the interface. I saw the following one packet.
sshd is running.

02:51:24.281271 IP 11.241.110.2.51674 > 11.241.110.15.ssh: S 1455555089:1455555089(0) win 11880 <mss 3960,sackOK,timestamp 23849332 0,nop,wscale 7>
0x0000: 0200 20ee 6e08 feff ffff ffff 0800 4500
0x0010: 003c e2b6 4000 4006 6412 0bf1 6e02 0bf1
0x0020: 6e0f c9da 0016 56c2 0211 0000 0000 a002
0x0030: 2e68 f421 0000 0204 0f78 0402 080a 016b
0x0040: e974 0000 0000 0103 0307

Any idea what may be wrong?

Thanks,
Dhanesh.
 
Old 10-04-2013, 08:12 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
could be a firewall in the way, iptables on the box maybe. Incorrect routing tables, ssh listening on the wrong interface etc... so many things might be relevant here.

Does the syn packet get received on the server? What does "netstat -plnt" say about where sshd is listening?
 
Old 10-06-2013, 11:59 PM   #3
jayadhanesh
Member
 
Registered: Feb 2009
Location: Bangalore
Posts: 61

Original Poster
Rep: Reputation: 15
netstat -plnt
tcp 0 0 :::22 :::* LISTEN 6759/sshd
 
Old 10-07-2013, 03:22 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
Does the syn packet get received on the server?

what is the iptables ruleset on both boxes? (iptables -vnL)
 
Old 10-07-2013, 11:20 PM   #5
jayadhanesh
Member
 
Registered: Feb 2009
Location: Bangalore
Posts: 61

Original Poster
Rep: Reputation: 15
On the system from where I try SSH:
System-4:~ # iptables -vnL
Chain INPUT (policy ACCEPT 1043M packets, 3498G bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 176M packets, 21G bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1026M packets, 3444G bytes)
pkts bytes target prot opt in out source destination


On the system to which I have to do SSH:
linux-ejbv:~ # iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
116 12350 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
529 16928 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
10482 3282K input_ext all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth10 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth11 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth12 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth13 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth14 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth15 * 0.0.0.0/0 0.0.0.0/0
10482 3282K input_ext all -- eth2 * 0.0.0.0/0 0.0.0.0/0
10482 3282K input_ext all -- eth3 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth4 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth5 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth6 * 0.0.0.0/0 0.0.0.0/0
602 21764 input_ext all -- eth7 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth8 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- eth9 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT 2 packets, 168 bytes)
pkts bytes target prot opt in out source destination
116 12350 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (17 references)
pkts bytes target prot opt in out source destination
29859 9794K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2633 84256 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
2645 84640 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
17 1020 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
5 340 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
72 4752 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
linux-ejbv:~ #
 
Old 10-08-2013, 12:36 AM   #6
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 81
hmm what about >>>

Code:
cat /proc/sys/net/ipv4/ip_forward

or

less /etc/sysctl.conf | grep "net.ipv4.ip_forward"
if it is set to 0 make it 1 and
Code:
sysctl -p
 
Old 10-08-2013, 02:16 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
ip_forward?? Do you know what ip forwarding is? That's certainly NOT relevant here.

So I seem to ask for 2 things each time and get one of them.... DOES THE SYN REACH THE SERVER?

Either way though, looking at the rulebase there you've nothing at all to permit ssh access from what I can see. And... eth15?!?!?! wow!

Last edited by acid_kewpie; 10-08-2013 at 02:18 AM.
 
Old 10-08-2013, 02:57 AM   #8
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,266

Rep: Reputation: 201

Quote:

DOES THE SYN REACH THE SERVER?
netstat -anutp | grep SYN_RECV

post back the result
 
Old 10-08-2013, 08:54 AM   #9
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 81
Quote:
Originally Posted by acid_kewpie
ip_forward?? Do you know what ip forwarding is? That's certainly NOT relevant here.

So I seem to ask for 2 things each time and get one of them.... DOES THE SYN REACH THE SERVER?

Either way though, looking at the rulebase there you've nothing at all to permit ssh access from what I can see. And... eth15?!?!?! wow!
That's good what you suggested, but still I don't have to consider your question in any way, one should know the most possible causes of a non working setup and I knew 'em mostly and if I didn't I will learn.

NO issue at all but only I can say here is we should always try to figure out the correct cause and if we are not known of something we should first search on it rather to question anyone.

Last edited by SAbhi; 10-08-2013 at 08:56 AM.
 
Old 10-09-2013, 01:42 AM   #10
jayadhanesh
Member
 
Registered: Feb 2009
Location: Bangalore
Posts: 61

Original Poster
Rep: Reputation: 15
The only packet received is already pasted as part of my question.
 
Old 10-09-2013, 02:16 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1975
Quote:
Originally Posted by jayadhanesh
The only packet received is already pasted as part of my question.
so yet again only answering one of two parts of my reply, you have NO RULE to permit ssh access to the server in your iptables ruleset.
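
The point made in the post above, as an added example that is not part of the original thread: a small Python walk over `iptables -vnL` output that reports which rule decides a new TCP connection to port 22. The listing is trimmed from post #5; `SSH_RULE` is a constructed rule line, and the matcher only understands the match types that appear in this listing (source and destination addresses are ignored).

```python
import re

# Trimmed from the listing in post #5 (only eth0 kept of the interface rules).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
116 12350 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
529 16928 input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain input_ext (17 references)
pkts bytes target prot opt in out source destination
29859 9794K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
17 1020 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
72 4752 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
# Constructed: the kind of rule the listing lacks, as iptables -vnL would print it.
SSH_RULE = "0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22\n"
FIXED = LISTING.replace("72 4752 DROP", SSH_RULE + "72 4752 DROP")

def parse(listing):
    chains, cur = {}, None
    for line in map(str.strip, listing.splitlines()):
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:   # user-defined chains have no policy, so group 2 is None
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif line[:1].isdigit():   # rule rows start with the packet counter
            f = line.split(None, 9)
            cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                 "extra": f[9] if len(f) > 9 else ""})
    return chains

def matches(rule, iface, dport):
    # Would a NEW unicast TCP SYN arriving on iface for dport match this rule?
    ex, port = rule["extra"], re.search(r"dpt:(\d+)", rule["extra"])
    return (rule["prot"] in ("all", "tcp") and rule["in"] in ("*", iface)
            and "PKTTYPE" not in ex and ("state" not in ex or "NEW" in ex)
            and (port is None or int(port.group(1)) == dport))

def verdict(chains, name="INPUT", iface="eth0", dport=22):
    for rule in chains[name]["rules"]:
        if rule["target"] == "LOG" or not matches(rule, iface, dport):
            continue                                 # LOG never ends traversal
        if rule["target"] not in chains:             # ACCEPT / DROP / REJECT
            return f"{rule['target']} in {name}"
        result = verdict(chains, rule["target"], iface, dport)  # user chain
        if result:
            return result
    policy = chains[name]["policy"]                  # None for user chains
    return f"{policy} (policy of {name})" if policy else None
```

`verdict(parse(LISTING))` names the catch-all DROP in `input_ext` as the rule that ends the SYN's traversal, while `verdict(parse(FIXED))` stops at the constructed ACCEPT rule placed ahead of it.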
 
Old 10-09-2013, 02:31 AM   #12
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 81
@jayadhanesh what @acid_kewpie is asking is kind of similar but could make things more clear, provide the output of below (same shared by JJJCR too above):
Code:
netstat -an | grep -c SYN_RECV
Also I suspect below could have something to do with, why don't you allow ssh connections in your firewall, that too suggested above!!

Code:
Chain reject_func (0 references)
pkts bytes target prot opt in out source destination 
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
 
Old 10-09-2013, 02:50 AM   #13
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 2,090
Blog Entries: 3

Rep: Reputation: 927
avoiding timeouts

Quote:
Originally Posted by acid_kewpie
so yet again only answering one of two parts of my reply, you have NO RULE to permit ssh access to the server in your iptables ruleset.
Also, it helps with diagnosis if your chain ends with REJECT instead of DROP. Because --policy only allows DROP, you have to add REJECT explicitly to the end of the INPUT and OUTPUT chains. That way, if the filter is the part blocking your access, you will get a response immediately rather than having to spend time waiting for it to time out.
 
All times are GMT -5.