Bizarre SSH delay to my linux server on my local network

sicklybeans · 06-08-2020, 10:34 AM

Hi all,

I wasn't sure where exactly to post this because it's not super clear what the underlying issue is. Apologies if this is in the wrong place.

I recently purchased an old server box to use as a home server. It's currently connected to my home network over WiFi (temporary). It uses an Intel Xeon 5670 processor and runs Manjaro.

when I ssh into this machine, there is a very long delay between when I type and when it shows up on my screen (~1-2 seconds).

My first suspicion was the delay time caused by the WiFi card. However, when I directly ping my server, the typical delay is ~4ms. Also when I download content to my server from the web, I get speeds on the order of 20MB/s.

I next suspected that the bottleneck might be the encryption cipher underlying the SSH packets. However, when I run gotop over SSH, all 12 CPU cores show between 0% and 1% usage. Furthermore, when I SSH with different encryption ciphers, I see no noticeable improvement.

What's even stranger is that when I host a server off this box using nginx, it serves HTML/JS in <50ms. So it seems to be limited to SSH. This really makes me think that encryption is the bottleneck. But I can't see why that would be the case. The X5670 is certainly an older processor, but not so old that encrypting packets should freeze up the system.

The SSH delay makes doing work on the box basically impossible. Any hints would be greatly appreciated.

sicklybeans · 06-08-2020, 10:45 AM

Update: the server downloaded a 100MB file over HTTPS in 20 seconds. So encryption by itself does not seem to be a bottleneck...

TB0ne · 06-08-2020, 10:55 AM

Chances are very good it's a DNS issue related to a reverse-lookup. Open your /etc/ssh/sshd_config file, and look for the UseDNS directive, and set the value to no. Then either reboot or restart the ssh daemon ("sudo service sshd restart").

sicklybeans · 06-08-2020, 11:01 AM

Ah, forgot to mention that I already tried that as recommended by some other threads

TB0ne · 06-08-2020, 01:15 PM

Quote:

Originally Posted by sicklybeans

Ah, forgot to mention that I already tried that as recommended by some other threads

Ok....so now check/toggle the "UsePam" and "UseLogin" directives. And you're sure you rebooted or restarted the ssh daemon after making the DNS change?

Ser Olmy · 06-08-2020, 02:21 PM

Quote:

Originally Posted by sicklybeans

when I ssh into this machine, there is a very long delay between when I type and when it shows up on my screen (~1-2 seconds).

Am I understanding you correct in that every keystroke in an SSH session takes 1-2 seconds to display onscreen? Or does this happen only during the logon phase?

sicklybeans · 06-08-2020, 02:50 PM

Quote:

Ok....so now check/toggle the "UsePam" and "UseLogin" directives. And you're sure you rebooted or restarted the ssh daemon after making the DNS change?

I tried this as well and it didn't help. I both restarted the sshd service (Manjaro uses systemd) and rebooted and nothing helps

Quote:

Am I understanding you correct in that every keystroke in an SSH session takes 1-2 seconds to display onscreen?

Yes. It's every keystroke

I have done some further testing which has only made me more confused. I tried tested upload/download speeds over HTTPS from my server box to an external server and get like 20Mb/s DL 10Mb/s UL. I tested upload/download speeds over HTTPS on my laptop and get comparable results.

But then when I transfer 100 Mb of random information from my server box to my laptop using `scp` over my local network using the internal IP address, the transfer rate starts at 3Mb/s before stalling down to 100 kb/s. This makes no sense right? I am not sure how to even begin diagnosing such a strange problem

Ser Olmy · 06-08-2020, 03:24 PM

Trying scp was a good call. It should definitely not perform so poorly, but even 100 kb/s is much better than what you're experiencing at the command line, by at least two orders of magnitude.

It sounds to me like you're seeing excessive packet loss and packets are being retransmitted over and over again. It's the kind of thing you'd expect to see:

when a host has been misconfigured with two gateways, or
a host is using the wrong netmask, causing traffic in one direction to be mistakenly sent via a router until an ARP broadcast from the recipient temporarily corrects the path, or
there's a duplicate IP (or even MAC) address somewhere on the local LAN, or
when a defective NIC/cable/switch port is involved, or
if the transmitting host has been mistakenly configured to use jumbo frames, or
when traffic is going across a VLAN trunk, but one NIC is incapable of handling frames between 1515 or 1518 bytes

But none of that seems to apply, and besides it seems SSH is the only service affected.

Just to clarify: The server is on WiFi, and WiFi only? No dual-homing? And it's on the same IP subnet as the host running the SSH client? Are they both getting IP addresses via DHCP?

sicklybeans · 06-08-2020, 03:37 PM

Quote:

Just to clarify: The server is on WiFi, and WiFi only? No dual-homing? And it's on the same IP subnet as the host running the SSH client? Are they both getting IP addresses via DHCP?

It's a standard home WiFi router-modem setup. No dual-homing. All devices on my network use the same subnet and use DHCP.

I downloaded iperf3 onto the server and client. It's showing a throughput of ~20 Mb/s. After 24 Mb were transferred, there were only 30 re-transmitted packets, which seems low to me. Though I'm certainly not an expert.

I'm at a total loss here. I'm thinking about maybe reinstalling to see if that fixes anything.

Ser Olmy · 06-08-2020, 03:54 PM

You could try running tcpdump in a console session on the server while connecting via SSH from the other PC:

Code:

tcpdump -i wlan0 tcp port 22 and host client_ip

That should give you an idea as to what's going on.

scasey · 06-08-2020, 04:05 PM

Try adding -vvv to your ssh login/connection. From man ssh:

Quote:

-v' Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.

TB0ne · 06-08-2020, 04:08 PM

What kind of router?? Is it possible that QOS is enabled and is throttling that port? Quick way to try would be to turn off your web server, and configure SSH to use port 443, and try to connect then, and see if the problem follows.

sicklybeans · 06-08-2020, 04:35 PM

Quote:

tcpdump -i wlan0 tcp port 22 and host client_ip

That was a great suggestion, I haven't used tcpdump in quite a while.

When I typed the single character "h", it triggered the following entries:

Quote:

17:29:47.340257 IP my-laptop.48986 > my-server.ssh: Flags [P.], seq 2880455083:2880455119, ack 3485261289, win 501, options [nop,nop,TS val 1407938559 ecr 348058026], length 36
17:29:47.340282 IP my-server.ssh > my-laptop.48986: Flags [.], ack 36, win 501, options [nop,nop,TS val 348147170 ecr 1407938559], length 0
17:29:47.340765 IP my-server.ssh > my-laptop.48986: Flags [P.], seq 1:37, ack 36, win 501, options [nop,nop,TS val 348147170 ecr 1407938559], length 36
17:29:48.335658 IP my-laptop.48986 > my-server.ssh: Flags [P.], seq 0:36, ack 1, win 501, options [nop,nop,TS val 1407939479 ecr 348058026], length 36
17:29:48.335672 IP my-server.ssh > my-laptop.48986: Flags [.], ack 36, win 501, options [nop,nop,TS val 348148165 ecr 1407939479,nop,nop,sack 1 {0:36}], length 0
17:29:48.516139 IP my-server.ssh > my-laptop.48986: Flags [P.], seq 1:37, ack 36, win 501, options [nop,nop,TS val 348148346 ecr 1407939479], length 36
17:29:49.358429 IP my-laptop.48986 > my-server.ssh: Flags [.], ack 37, win 501, options [nop,nop,TS val 1407940086 ecr 348147170], length 0
17:29:50.352830 IP my-laptop.48986 > my-server.ssh: Flags [.], ack 37, win 501, options [nop,nop,TS val 1407941109 ecr 348148346,nop,nop,sack 1 {1:37}], length 0

Clearly there are ~1 second delays at two steps in the TCP handshake.

Excuse me while I dust off my old networking textbook to decipher exactly what is happening here

sicklybeans · 06-08-2020, 04:51 PM

Quote:

Try adding -vvv to your ssh login/connection. From man ssh:

This gives me the following output (I don't know enough about SSH to see a problem here):

Quote:

OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "my-server" port 22
debug2: ssh_connect_direct
debug1: Connecting to my-server [192.168.1.46] port 22.
debug1: Connection established.
debug1: identity file /home/sicklybeans/.ssh/id_rsa type 0
debug1: identity file /home/sicklybeans/.ssh/id_rsa-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_dsa type -1
debug1: identity file /home/sicklybeans/.ssh/id_dsa-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_ecdsa type -1
debug1: identity file /home/sicklybeans/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/sicklybeans/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_ed25519 type -1
debug1: identity file /home/sicklybeans/.ssh/id_ed25519-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_ed25519_sk type -1
debug1: identity file /home/sicklybeans/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/sicklybeans/.ssh/id_xmss type -1
debug1: identity file /home/sicklybeans/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to my-server:22 as 'sicklybeans'
debug3: hostkeys_foreach: reading file "/home/sicklybeans/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/sicklybeans/.ssh/known_hosts:18
debug3: load_hostkeys: loaded 1 keys from my-server
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh...01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh...19@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128...cm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128...cm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128...cm@openssh.com,aes128-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128...cm@openssh.com,aes128-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
debug3: hostkeys_foreach: reading file "/home/sicklybeans/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/sicklybeans/.ssh/known_hosts:18
debug3: load_hostkeys: loaded 1 keys from my-server
debug3: hostkeys_foreach: reading file "/home/sicklybeans/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/sicklybeans/.ssh/known_hosts:16
debug3: load_hostkeys: loaded 1 keys from 192.168.1.46
debug1: Host 'my-server' is known and matches the ECDSA host key.
debug1: Found key in /home/sicklybeans/.ssh/known_hosts:18
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/sicklybeans/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
debug1: Will attempt key: /home/sicklybeans/.ssh/id_dsa
debug1: Will attempt key: /home/sicklybeans/.ssh/id_ecdsa
debug1: Will attempt key: /home/sicklybeans/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/sicklybeans/.ssh/id_ed25519
debug1: Will attempt key: /home/sicklybeans/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/sicklybeans/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/sicklybeans/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/sicklybeans/.ssh/id_rsa RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: RSA SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to my-server ([192.168.1.46]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/sicklybeans/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/sicklybeans/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

Ser Olmy · 06-08-2020, 05:06 PM

Also, the same packets are being acknowledged multiple times. Something, somewhere is causing packet loss.

(As for the SSH log, it seems perfectly normal. This really seems to be a transport or network issue.)

I'd have tcpdump capture an entire SSH session and save it to a file. Capture files can be opened and viewed in WireShark, which makes it much easier to see the various flags, follow the TCP stream etc.

Try:

Code:

tcpdump -i wlan0 -s 1514 -w capture.pcap tcp port 22 and host client_ip

With tcpdump running, connect via SSH, log in and then just exit. The capture file should be informative.

BTW, when you ran iperf, did you run it in TCP mode? If so, it really seems only SSH is affected by this issue.

There are very few network components or mechanisms that can selectively affect TCP traffic on certain ports only. Off the top of my head, I can think of:

Firewalls
Policy routing

...and, well, that's about it.

You said you tried dowloading a file via HTTPS from an external host to your server, and that worked just fine. Is it possible that the client (host or software) could be causing this issue? Have you tried logging in via SSH from other devices?