Date: Sun, 23 Sep 2001 17:06:02 -0400
From: Bill Moran <wmoran@iowna.com>
To: RJ45 <rj45@slacknet.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Message-ID: <3BAE4EBA.D4EBA2E9@iowna.com>
References: <Pine.LNX.4.21.0109230942430.2545-100000@slacknet.slacknet.com>

RJ45 wrote:
> when I ssh x.y.z.v it takes around 3 minutes before prompting me for the
> password. If I instead ssh x.y.z.w (the gateway) and then ssh 10.0.0.1
> it takes around 5 seconds.
> How come the response time with NAT is soooo damn slow ??
> Is there a way to fix the problem ??
> The problem is only in the first ssh authentication step, when SSH
> communication is established the connection looks fast.

Usually, this kind of thing indicates a DNS problem. Most secure stuff
(like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
and put the data in the logs. Three minutes is about the time it takes
to time out if nobody is providing reverse lookup information.

I don't know the ssh suite of protocols that well, but here's my guess:
ssh wants a reverse lookup before you log in (to help prevent spoofing
and man-in-the-middle attacks).

When you go from a machine to proxy, the reverse lookup for the proxy
happens quick, then you ssh from proxy to 10.0.0.1 and the _proxy_ does
the reverse lookup and succeeds.

However, when you ssh directly through the proxy to 10.0.0.1, your
machine is trying to do a reverse lookup for 10.0.0.1 - but that's not a
real Internet address, and no DNS servers on the Internet are going to
resolve it. So, after waiting 3 minutes, it gives up and lets you
connect anyway.

This is just a guess. It assumes that the sshd process will be sending
the IP addy back as part of the ssh protocol - I don't know if that's
the case or not. But the whole 3 minute thing sounds a lot like DNS
timeouts.

-- 
"Where's the robot to pat you on the back?"
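
Added example, not part of the original message: one way to check the DNS-timeout guess above is to time a reverse (PTR) lookup from each host involved and see whether it resolves, is refused quickly, or stalls. The function and resolver names are hypothetical, and the two stand-in resolvers are constructed so the script runs offline; omit the resolver argument to query the system resolver.

```python
import concurrent.futures
import ipaddress
import socket
import time

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_reverse_lookup(ip, resolver=socket.gethostbyaddr, timeout=10.0):
    """Time a PTR lookup for ip and classify it as resolved, no_ptr or timeout."""
    addr = ipaddress.ip_address(ip)
    result = {
        "ptr_name": addr.reverse_pointer,  # the name the resolver actually queries
        "rfc1918": any(addr in net for net in RFC1918),
        "hostname": None,
    }
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(resolver, str(addr))
    try:
        result["hostname"] = future.result(timeout=timeout)[0]
        result["status"] = "resolved"
    except concurrent.futures.TimeoutError:
        result["status"] = "timeout"   # nobody answered within the budget
    except (socket.herror, socket.gaierror):
        result["status"] = "no_ptr"    # a server answered: no such record
    finally:
        result["elapsed"] = time.monotonic() - start
        pool.shutdown(wait=False)      # do not block on a stalled lookup
    return result


# Constructed resolvers standing in for DNS so the example runs offline.
def stalled_resolver(ip):
    time.sleep(0.5)                    # models queries that are never answered
    raise socket.herror(1, "Unknown host")


def answering_resolver(ip):
    return ("gateway.example.test", [], [ip])


if __name__ == "__main__":
    for ip, fake in (("10.0.0.1", stalled_resolver), ("192.0.2.1", answering_resolver)):
        print(ip, check_reverse_lookup(ip, resolver=fake, timeout=0.1))
```

A "timeout" result for an RFC 1918 address points at the resolver that host uses, not at NAT itself; a "no_ptr" result comes back quickly and would not explain a multi-minute delay.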