SSH, SSL and DNS headaches

2005-06-06 Thread dwinner-lists
Can anybody provide me with some insight into this before I rip all of my hair 
out:

Starting 3 days ago, suddenly it seemed to take a very, very, very long time 
for ssh and ssl communications to negotiate between nodes on my network.

I have 3 subnets:

a LAN (10.10.0.0/16)
a DMZ (10.20.0.0/16)
a secured subnet for databases (10.30.0.0/16)

I have 2 DNS/Bind servers running in the DMZ: 1 for the public web servers that 
get NAT'd, and provide public DNS lookups for the outside world. The other DNS 
server is for internal queries, providing the corresponding private IP 
addresses to LAN clients and servers in the DMZ and secure subnet. Both DNS 
servers are running FreeBSD (one is 5.2.1, the other is 5.3)

Everything has been working great for months, until, like I said, 3 days ago. 
Some SSH negotiations were taking so long that they would time out before I 
would have a chance to enter the password for my private key. Apache/SSL 
communications are also taking a long time. But when I make initial connections 
over port 80, it is very fast. I have also been able to make straight 
postgresql connections from nodes on my LAN to database servers in my secure 
subnet, but if I ssh to and from the same boxes...slow timeouts. It seems to 
be that encrypted traffic is having a problem.

The weird thing is that when I tried on a couple of servers to change the DNS 
server in resolv.conf from the internal (private IP address) DNS server to the 
public server, it seemed to speed things up. But I don't understand why...why 
would it be faster if a lookup reply is providing the external PUBLIC IP 
address instead of the internal PRIVATE IP address? And I also don't understand 
why this would have just suddenly started 3 days ago after working fine.

All the subnets are separated by a Cisco PIX 515 firewall, and I see no errors 
on it. I also see no errors on any of my FreeBSD boxes in the logs (other than 
the SSH timeout errors). I've tried rebooting the PIX, rebooting my DNS 
servers, rebooting all the equipment on my communication rack (router, 
firewall, switches, etc.). I'm really confused.

One thing that has helped is that on 5.3 boxes, I put UseDNS no in 
sshd_config, and that seemed to help the SSH problem (but no Apache/SSL). I 
can't do this on all the boxes, though...some are 5.2.1, and when I put the 
same directive in there, I get an invalid config message when I try to restart 
SSH.

Thanks for any help on this. I am going insane.

-DW
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
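The symptom in the post above (SSH negotiation stalling before the passphrase prompt, fixed on the 5.3 boxes by UseDNS no) is what an unanswered reverse lookup looks like: sshd with UseDNS enabled resolves the PTR record of every connecting client before it authenticates, and each resolver that does not answer for the private in-addr.arpa zones costs a full resolver timeout. The following diagnostic is an added example, not code from the thread or from FreeBSD. It builds a raw DNS PTR query for a client address, sends it to each nameserver listed in resolv.conf with a short timeout, and reports per-server answer time and response code, so a slow or silent resolver is visible directly rather than inferred from ssh timing. The server addresses 10.20.0.53/10.20.0.54 and the client 10.10.1.5 are assumed placeholders inside the poster's subnets.

```python
"""Time reverse (PTR) lookups of a client address against each resolver.

Added example (not from the mailing-list thread). sshd with UseDNS yes
does a PTR lookup of the connecting client before authentication; a
resolver that never answers for the private in-addr.arpa zones makes
every SSH connection wait for the full resolver timeout.
"""
import random
import socket
import struct
import time

# Assumed addresses for the two DMZ DNS servers described in the post.
DEFAULT_SERVERS = ["10.20.0.53", "10.20.0.54"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def ptr_name(ipv4):
    """'10.10.1.5' -> '5.1.10.10.in-addr.arpa' (the name sshd's PTR query asks for)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_query(name, txid, qtype=12):
    """Encode a one-question DNS query with RD set. qtype 12 = PTR, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, txid):
    """Return (rcode_name, answer_count) from a DNS response header.

    Rejects short packets, transaction-id mismatches and non-responses,
    so a stray or spoofed packet is not mistaken for an answer.
    """
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf contents (comments ignored)."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def time_ptr_lookup(ipv4, server, timeout=2.0):
    """Send one PTR query to `server`; return (seconds, rcode, answers).

    A resolver that never replies returns (timeout, 'TIMEOUT', 0), which is
    the case that stalls sshd.
    """
    txid = random.randrange(0, 0x10000)
    pkt = build_query(ptr_name(ipv4), txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(pkt, (server, 53))
        data, _ = sock.recvfrom(512)
        rcode, answers = parse_response(data, txid)
    except socket.timeout:
        return timeout, "TIMEOUT", 0
    finally:
        sock.close()
    return time.monotonic() - start, rcode, answers


if __name__ == "__main__":
    import sys
    client_ip = sys.argv[1] if len(sys.argv) > 1 else "10.10.1.5"  # assumed LAN client
    try:
        with open("/etc/resolv.conf") as fh:
            servers = parse_resolv_conf(fh.read()) or DEFAULT_SERVERS
    except OSError:
        servers = DEFAULT_SERVERS
    for srv in servers:
        secs, rcode, n = time_ptr_lookup(client_ip, srv)
        print("%-15s %-8s answers=%d %.3fs" % (srv, rcode, n, secs))
```

Run it from a box that shows the slow SSH logins, passing the address of a client that connects to it; a fast NXDOMAIN is harmless (sshd moves on immediately), whereas TIMEOUT or a multi-second SERVFAIL on the resolver named first in resolv.conf is the delay you see before the passphrase prompt. Note that switching resolv.conf to the public server does not change which address is returned by the PTR query; it changes which server is asked, which is why that experiment can appear to "fix" the problem.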


Re: SSH, SSL and DNS headaches

2005-06-06 Thread Duane Winner
Well, it's a little comforting to know that it's not just me...and yup, 
that's about when it started for me: around noon (EST) on Friday 5/3.


Please post if you come up with anything.
I'm also trying to cross-post to [EMAIL PROTECTED]

Cheers,
DW

John Brooks wrote:


I am having a similar problem which started on friday at about
noon. This is on four freebsd boxes (4.11) that were updated via 
cvsup on May 3 from cvsup10, 11, and 12. These four boxes have

been in use for 18 months without issue. I make connections
to ip addresses and not resolvable names, so dns should not be
the show stopper in my case. I have already encountered two
other people experiencing the same type problem, one of which
had updated using cvsup10 in the same time frame as me. The
second has yet to respond.

I am heading over to the clients network now to run checksums
on the source code files. (I have other networks that are not
affected).

--
John Brooks
[EMAIL PROTECTED] 
