Date: Mon, 06 Jun 2005 10:36:14 -0400
From: Duane Winner <dwinner-lists@att.net>
To: john@day-light.com
Cc: FreeBSD - Questions <freebsd-questions@freebsd.org>
Subject: Re: SSH, SSL and DNS headaches
Message-ID: <42A45F5E.3010703@att.net>
In-Reply-To: <NHBBKEEMKJDINKDJBJHGOEHAJBAD.john@day-light.com>
References: <NHBBKEEMKJDINKDJBJHGOEHAJBAD.john@day-light.com>
Well, it's a little comforting to know that it's not just me...and yup,
that's about when it started for me: around noon (EST) on Friday 5/3.

Please post if you come up with anything. I'm also trying to cross-post
to bind-users@isc.org

Cheers,
DW

John Brooks wrote:
> I am having a similar problem which started on Friday at about
> noon. This is on four FreeBSD boxes (4.11) that were updated via
> cvsup on May 3 from cvsup10, 11, and 12. These four boxes have
> been in use for 18 months without issue. I make connections
> to IP addresses and not resolvable names, so DNS should not be
> the show stopper in my case. I have already encountered two
> other people experiencing the same type of problem, one of which
> had updated using cvsup10 in the same time frame as me. The
> second has yet to respond.
>
> I am heading over to the client's network now to run checksums
> on the source code files. (I have other networks that are not
> affected).
>
> --
> John Brooks
> john@day-light.com
>
>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of
>> dwinner-lists@att.net
>> Sent: Monday, June 06, 2005 8:55 AM
>> To: FreeBSD - Questions
>> Subject: SSH, SSL and DNS headaches
>>
>>
>> Can anybody provide me with some insight into this before I rip
>> all of my hair out:
>>
>> Starting 3 days ago, suddenly it seemed to take a very, very,
>> very long time for ssh and ssl communications to negotiate
>> between nodes on my network.
>>
>> I have 3 subnets:
>>
>> a LAN (10.10.0.0/16)
>> a DMZ (10.20.0.0/16)
>> a secured subnet for databases (10.30.0.0/16)
>>
>> I have 2 DNS/Bind servers running in the DMZ: 1 for the public
>> web servers that get NAT'd, and provide public DNS lookups for
>> the outside world. The other DNS server is for internal queries,
>> providing the corresponding private IP addresses to LAN clients
>> and servers in the DMZ and secure subnet. Both DNS servers are
>> running FreeBSD (one is 5.2.1, the other is 5.3)
>>
>> Everything has been working great for months, until, like I said,
>> 3 days ago. Some SSH negotiations were taking so long that they
>> would time out before I would have a chance to enter the password
>> for my private key. Apache/SSL communications are also taking a
>> long time. But when I make initial connections over port 80, it is
>> very fast. I have also been able to make straight postgresql
>> connections from nodes on my LAN to database servers in my secure
>> subnet, but if I ssh to and from the same boxes....slow timeouts.
>> It seems to be that encrypted traffic is having a problem.
>>
>> The weird thing is that when I tried on a couple of servers to
>> change the DNS server in resolv.conf from the internal (private
>> IP address) DNS server to the public server, it seemed to speed
>> things up. But I don't understand why....why would it be faster
>> if a lookup reply is providing the external PUBLIC IP address
>> instead of the internal PRIVATE IP address? And I also don't
>> understand why this would have just suddenly started 3 days ago
>> after working fine.
>>
>> All the subnets are separated by a Cisco PIX 515 firewall, and I
>> see no errors on it. I also see no errors on any of my FreeBSD
>> boxes in the logs (other than the SSH timeout errors). I've tried
>> rebooting the PIX, rebooting my DNS servers, rebooting all the
>> equipment on my communication rack (router, firewall, switches,
>> etc.). I'm really confused.
>>
>> One thing that has helped is that on 5.3 boxes, I put "UseDNS no"
>> in sshd_config, and that seemed to help the SSH problem (but no
>> Apache/SSL). I can't do this on all the boxes, though...some are
>> 5.2.1, and when I put the same directive in there, I get an
>> invalid config message when I try to restart SSH.
>>
>> Thanks for any help on this. I am going insane.
>>
>> -DW
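The one mitigation the thread reports as working is `UseDNS no` in `sshd_config`, which stops sshd from doing a reverse lookup (and forward re-check) on every incoming client address, so a slow or unreachable resolver no longer stalls the login. The script below is an added example, not code from the thread or from FreeBSD/OpenSSH: it sets a keyword in an sshd_config-style file idempotently (replacing an existing active or commented line, or appending one) and reads the effective value back. The file contents and the function names `set_sshd_option` and `get_sshd_option` are constructed for the example; it never touches a real `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): idempotent editing of an
# sshd_config-style file, using only POSIX sh and awk.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Replaces the first "KEYWORD ..." line, whether active or commented out,
# with "KEYWORD VALUE"; appends the line if no such line exists.
# The keyword match is case-insensitive, as sshd itself treats keywords.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip leading blanks and "#"
            split(line, f, /[ \t=]+/)
            if (!done && tolower(f[1]) == lk) {
                print key " " value            # replace the first occurrence
                done = 1
                next
            }
            print                              # copy everything else through
        }
        END { if (!done) print key " " value } # append when keyword was absent
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (sshd honours the
# first occurrence), or nothing if the keyword is not set.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) { print f[2]; exit }
        }
    ' "$1"
}

# Demo on a constructed file (not a real system's sshd_config).
cfg=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
    '#UseDNS yes' 'PermitRootLogin no' > "$cfg"
set_sshd_option "$cfg" UseDNS no
echo "UseDNS is now: $(get_sshd_option "$cfg" UseDNS)"
cat "$cfg"
```

After editing a real configuration, run `sshd -t` to syntax-check it before restarting the daemon; on sshd builds that support it, `sshd -T` prints the effective value of every keyword. The "invalid config" the original poster saw on FreeBSD 5.2.1 is consistent with an sshd that predates the `UseDNS` keyword (it was introduced in OpenSSH 3.7, replacing `VerifyReverseMapping`); an unknown keyword makes sshd refuse the whole file, so checking with `sshd -t` first avoids locking yourself out of a remote box.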