Sounds like your SSH server is trying to reverse resolve your IP (for
logging). You can either fix your ACL to allow this DNS traffic, or there
is a global config (UseDNS no) you can put in sshd_config. Worth a shot
to test at least.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
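A quick way to confirm the reverse-DNS explanation on Host B before changing the ACL. This is an added diagnostic of my own, not something posted in the thread; it assumes OpenSSH with its config at /etc/ssh/sshd_config, that the first UseDNS line wins (as sshd documents), and a default of yes when the keyword is absent (true for OpenSSH releases before 6.8, which default to no since).

```python
import re
import socket
import sys
import threading
import time

# Default when UseDNS is absent: "yes" before OpenSSH 6.8, "no" since (assumed here).
def effective_usedns(config_text, default="yes"):
    """First uncommented 'UseDNS <value>' or 'UseDNS=<value>' line wins, as in sshd."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)usedns\b\s*=?\s*(\S+)", line)
        if m:
            return m.group(1).lower()
    return default

def time_reverse_lookup(ip, deadline=5.0):
    """Time the PTR lookup sshd would do for `ip`, waiting at most `deadline` s.
    Returns (elapsed_seconds, hostname_or_None, completed)."""
    result = {}
    def worker():
        try:
            result["host"] = socket.gethostbyaddr(ip)[0]
        except OSError:
            result["host"] = None
    t = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    t.start()
    t.join(deadline)
    return time.monotonic() - start, result.get("host"), not t.is_alive()

def verdict(usedns, elapsed, completed, slow_after=2.0):
    """Combine both checks into a one-line conclusion."""
    if usedns == "no":
        return "UseDNS is off; the delay is not reverse DNS"
    if not completed or elapsed >= slow_after:
        return "reverse lookup slow or blocked; permit DNS through the ACL or set UseDNS no"
    return "reverse lookup is fast; the delay is elsewhere"

if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "210.15.210.1"  # constructed sample client
    try:
        cfg = open("/etc/ssh/sshd_config").read()
    except OSError:
        cfg = ""
    dns = effective_usedns(cfg)
    elapsed, host, done = time_reverse_lookup(ip)
    print(f"UseDNS={dns} ptr={host} elapsed={elapsed:.2f}s {verdict(dns, elapsed, done)}")
```

Run it on Host B with Host A's address as the argument while the ACL is applied; a lookup that runs into the deadline is the same wait the client sees before the prompt.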
On Thu, 7 Jan 2010, Andy Saykao wrote:
Hi All,
I have what seems like a trivial problem but can't figure out what's
causing it.
I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
from accessing it.
What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
VLAN2, it takes a very long time for the SSH login prompt to appear. If
I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
on with my ACL??? Why the lag for the SSH prompt to appear?
interface Vlan2
ip address 203.12.53.aaa 255.255.255.224
ip access-group VLAN2-FILTER-OUT out
no ip redirects
no ip mroute-cache
ip ospf priority 15
load-interval 30
tag-switching ip
!
ip access-list extended VLAN1-FILTER-OUT
permit ip host 203.10.110.x host 203.12.53.x
permit ip host 203.10.110.y host 203.12.53.x
permit ip host 203.10.110.z host 203.12.53.x
permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
deny ip any host 203.12.53.x
permit ip any any
Interestingly enough when I "permit ip any" to access Host B as the very
first line in the ACL, the SSH prompt is instantaneous.
permit ip any host 203.12.53.x log
I even tried permitting Host A as the very first line in the ACL like so,
but no joy.
permit ip host 210.15.210.x host 203.12.53.x log
Any ideas???
Thanks.
Andy
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/