From Host A, is traffic allowed to your DNS servers in your ACL? If not, the delay might be a reverse DNS lookup timing out.
> -----Original Message-----
> From: [email protected] [mailto:cisco-nsp-[email protected]] On Behalf Of Andy Saykao
> Sent: Wednesday, January 06, 2010 7:03 PM
> To: [email protected]
> Subject: [c-nsp] Strange SSH lag with ACL applied
>
> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
>  no ip redirects
>  no ip mroute-cache
>  ip ospf priority 15
>  load-interval 30
>  tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
>  permit ip host 203.10.110.x host 203.12.53.x
>  permit ip host 203.10.110.y host 203.12.53.x
>  permit ip host 203.10.110.z host 203.12.53.x
>  permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
>  permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
>  deny ip any host 203.12.53.x
>  permit ip any any
>
> Interestingly enough, when I "permit ip any" to access Host B as the very
> first line in the ACL, the SSH prompt is instantaneous.
>
>  permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like so,
> but no joy.
>
>  permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy
> _______________________________________________
> cisco-nsp mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
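To see why the suggested reverse-lookup timeout fits the posted ACL, here is an added first-match evaluator (example code, not from the thread or from IOS) run over an abbreviated copy of the VLAN2 list. The host octets the post masks as x/aaa and the resolver address are constructed placeholders; the point is that Host A's SSH packet matches a permit, while the resolver's reply to Host B, if the resolver is not in the permit list, hits the "deny ip any host" line on the way out to VLAN2.

```python
import ipaddress

# Placeholders (constructed): the post masks the host octets as x / aaa,
# and never names the resolver Host B would query for a reverse lookup.
HOST_A = "210.15.210.10"    # stands in for 210.15.210.x
HOST_B = "203.12.53.10"     # stands in for 203.12.53.x
RESOLVER = "203.0.113.53"   # assumed DNS server, not in the permit list

# Abbreviated from the VLAN2 ACL in the post; same structure, same tail.
ACL = f"""
permit ip 172.16.50.0 0.0.0.255 host {HOST_B}
permit ip 210.15.210.0 0.0.0.255 host {HOST_B}
deny ip any host {HOST_B}
permit ip any any
"""

def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an (address, hostmask) tuple; an IOS wildcard is a hostmask
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def evaluate(acl_text, src, dst):
    """First-match evaluation, as IOS does; returns (action, ace_number, ace_text)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        tokens = line.split()
        action = tokens[0]                  # 'permit' or 'deny'; tokens[1] is the protocol
        src_net, rest = parse_addr(tokens[2:])
        dst_net, _ = parse_addr(rest)       # a trailing 'log' keyword is ignored
        if s in src_net and d in dst_net:
            return action, n, line
    return "deny", None, "implicit deny"

def ssh_login_flow():
    """The two packets the outbound VLAN2 ACL sees during Host A's SSH login."""
    return {
        "ssh syn from Host A": evaluate(ACL, HOST_A, HOST_B),
        "dns reply to Host B": evaluate(ACL, RESOLVER, HOST_B),
    }

if __name__ == "__main__":
    for name, (action, n, ace) in ssh_login_flow().items():
        print(f"{name:22s} -> {action} (ACE {n}: {ace})")
```

Host B's outgoing query is never filtered here (the list is applied outbound on VLAN2), so the lookup simply waits for a reply that is dropped, which is the timeout the reply describes; a resolver inside one of the permitted ranges shows up as a permit instead.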
