From owner-freebsd-questions@FreeBSD.ORG Mon Jun 6 14:36:23 2005
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3E1A16A41C for ; Mon, 6 Jun 2005 14:36:23 +0000 (GMT) (envelope-from dwinner-lists@att.net)
Received: from mtiwmhc12.worldnet.att.net (mtiwmhc12.worldnet.att.net [204.127.131.116]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54A3F43D49 for ; Mon, 6 Jun 2005 14:36:23 +0000 (GMT) (envelope-from dwinner-lists@att.net)
Received: from [10.10.100.63] (unknown[216.113.237.29]) by worldnet.att.net (mtiwmhc12) with ESMTP id <2005060614374511200b8kcpe>; Mon, 6 Jun 2005 14:37:45 +0000
Message-ID: <42A45F5E.3010703@att.net>
Date: Mon, 06 Jun 2005 10:36:14 -0400
From: Duane Winner
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: john@day-light.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD - Questions
Subject: Re: SSH, SSL and DNS headaches
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 06 Jun 2005 14:36:23 -0000

Well, it's a little comforting to know that it's not just me...and yup,
that's about when it started for me: around noon (EST) on Friday 5/3.

Please post if you come up with anything. I'm also trying to cross-post
to bind-users@isc.org

Cheers,
DW

John Brooks wrote:
> I am having a similar problem which started on Friday at about
> noon. This is on four FreeBSD boxes (4.11) that were updated via
> cvsup on May 3 from cvsup10, 11, and 12. These four boxes have
> been in use for 18 months without issue. I make connections
> to IP addresses and not resolvable names, so DNS should not be
> the show stopper in my case. I have already encountered two
> other people experiencing the same type of problem, one of which
> had updated using cvsup10 in the same time frame as me. The
> second has yet to respond.
>
> I am heading over to the client's network now to run checksums
> on the source code files. (I have other networks that are not
> affected).
>
> --
> John Brooks
> john@day-light.com
>
>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
>> dwinner-lists@att.net
>> Sent: Monday, June 06, 2005 8:55 AM
>> To: FreeBSD - Questions
>> Subject: SSH, SSL and DNS headaches
>>
>>
>> Can anybody provide me with some insight into this before I rip
>> all of my hair out:
>>
>> Starting 3 days ago, suddenly it seemed to take a very, very,
>> very long time for ssh and ssl communications to negotiate
>> between nodes on my network.
>>
>> I have 3 subnets:
>>
>> a LAN (10.10.0.0/16)
>> a DMZ (10.20.0.0/16)
>> a secured subnet for databases (10.30.0.0/16)
>>
>> I have 2 DNS/Bind servers running in the DMZ: 1 for the public
>> web servers that get NAT'd, and provide public DNS lookups for
>> the outside world. The other DNS server is for internal queries,
>> providing the corresponding private IP addresses to LAN clients
>> and servers in the DMZ and secure subnet. Both DNS servers are
>> running FreeBSD (one is 5.2.1, the other is 5.3)
>>
>> Everything has been working great for months, until, like I said,
>> 3 days ago. Some SSH negotiations were taking so long that they
>> would time out before I would have a chance to enter the password
>> for my private key. Apache/SSL communications are also taking a
>> long time. But when I make initial connections over port 80, it is
>> very fast. I have also been able to make straight postgresql
>> connections from nodes on my LAN to database servers in my secure
>> subnet, but if I ssh to and from the same boxes....slow timeouts.
>> It seems to be that encrypted traffic is having a problem.
>>
>> The weird thing is that when I tried on a couple of servers to
>> change the DNS server in resolv.conf from the internal (private
>> IP address) DNS server to the public server, it seemed to speed
>> things up. But I don't understand why....why would it be faster
>> if a lookup reply is providing the external PUBLIC ip address
>> instead of the internal PRIVATE ip address? And I also don't
>> understand why this would have just suddenly started 3 days ago
>> after working fine.
>>
>> All the subnets are separated by a Cisco PIX 515 firewall, and I
>> see no errors on it. I also see no errors on any of my FreeBSD
>> boxes in the logs (other than the SSH timeout errors). I've tried
>> rebooting the PIX, rebooting my DNS servers, rebooting all the
>> equipment on my communication rack (router, firewall, switches,
>> etc.). I'm really confused.
>>
>> One thing that has helped is that on 5.3 boxes, I put "UseDNS no"
>> in sshd_config, and that seemed to help the SSH problem (but no
>> Apache/SSL). I can't do this on all the boxes, though...some are
>> 5.2.1, and when I put the same directive in there, I get an
>> invalid config message when I try to restart SSH.
>>
>> Thanks for any help on this. I am going insane.
>>
>> -DW
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
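The symptom in the original post (SSH stalling before the key passphrase prompt, cured by "UseDNS no" or by pointing resolv.conf at a different resolver) is the classic signature of sshd waiting on a reverse lookup of the client's address that never gets an answer. The script below is an added example, not code from the thread or from any of its posters: it builds the PTR owner name sshd queries, reads the effective UseDNS value from an sshd_config (sshd honours the first occurrence of a keyword), runs a bounded reverse lookup so a hanging resolver cannot block the diagnostic itself, and reports whether a login from that address would stall. The sample config, the 10.10.100.63 client address and the simulated resolver timeout are constructed for the example; the "yes" default for UseDNS is an assumption about OpenSSH releases of that era.

```python
"""Added example: tell a resolver stall apart from a genuine SSH problem.

With UseDNS yes, sshd resolves the connecting client's IP back to a name
before authentication; if nothing serves the matching in-addr.arpa zone
(typical for RFC 1918 space when the private reverse zones are not hosted
locally) the session sits idle until the resolver gives up.
"""
import ipaddress
import socket
import threading
import time

# Assumed default for OpenSSH of the thread's era; recent releases default to "no".
DEFAULT_USEDNS = "yes"


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record sshd asks for (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def is_private(ip: str) -> bool:
    """RFC 1918 / ULA space: the public DNS holds no reverse data for it,
    so the reverse zone has to be served by a local resolver."""
    return ipaddress.ip_address(ip).is_private


def effective_usedns(config_text: str, default: str = DEFAULT_USEDNS) -> str:
    """Return the UseDNS value sshd would use for this config text.

    sshd takes the FIRST occurrence of a keyword; later ones are ignored.
    Keywords are case-insensitive and 'Key value' or 'Key=value' are both valid.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "usedns":
            return parts[1].strip().lower()
    return default


def timed_reverse_lookup(ip: str, timeout: float = 5.0):
    """gethostbyaddr in a helper thread so a hanging resolver cannot block us.

    Returns (name_or_None, seconds_elapsed); None means no answer in time.
    """
    result = []

    def worker():
        try:
            result.append(socket.gethostbyaddr(ip)[0])
        except OSError:
            result.append(None)

    t = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    t.start()
    t.join(timeout)
    return (result[0] if result else None), time.monotonic() - start


def diagnose(client_ip: str, config_text: str, lookup=timed_reverse_lookup,
             slow_after: float = 2.0) -> dict:
    """Explain whether an SSH login from client_ip will stall on reverse DNS."""
    usedns = effective_usedns(config_text)
    name, elapsed = lookup(client_ip)
    stalls = usedns == "yes" and (name is None or elapsed > slow_after)
    return {
        "ptr_query": reverse_name(client_ip),
        "private": is_private(client_ip),
        "usedns": usedns,
        "lookup_seconds": round(elapsed, 3),
        "stalls_before_auth": stalls,
        "fix": ("set 'UseDNS no' in sshd_config or serve the reverse zone locally"
                if stalls else "reverse DNS is not the bottleneck"),
    }


if __name__ == "__main__":
    # Constructed sample config and a simulated resolver timeout (runs offline).
    SAMPLE_CONFIG = "# sshd_config\nPort 22\nUseDNS yes\n"
    simulated_timeout = lambda ip, timeout=5.0: (None, 5.0)
    print(diagnose("10.10.100.63", SAMPLE_CONFIG, lookup=simulated_timeout))
    # Against a live host, drop the lookup= argument to measure the real resolver.
```

Run against a real server with the default `lookup`, the `lookup_seconds` value is the delay every new SSH session will see before authentication; if it approaches the resolver's timeout while `private` is true, the reverse zone for that subnet is simply not being served to the host's resolver, which is also why the poster saw a different resolver in resolv.conf change the behaviour.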