Here's a puzzler

Andrew Kelly akelly at corisweb.org
Thu Oct 26 07:39:03 UTC 2006


Hi Rick, thanks for answering.

On Wed, 2006-10-25 at 14:21 -0700, Rick Stevens wrote:
> On Wed, 2006-10-25 at 15:18 +0200, Andrew Kelly wrote:
> > I wonder if anybody here has seen enough obscure, esoteric error
> > conditions to be able to debug this oddity on first symptom. Rick maybe?
> > Hope somebody has seen it before.
> > 
> > My desktop is running FC4, iptables set to ACCEPT across the board.
> > I'm in a LAN behind a Windows Proxy (sound of retching).
> > 
> > I have several external servers that I maintain. They're running RH 7.3,
> > RH 9.0, Debian Woody, Debian Sarge, and there's an oddball SuSE box. I
> > connect to them all via ssh and have been doing so without problem for
> > ages. 
> > At the moment I'm configuring 2 newly acquired hosts that have just been
> > handed to me and having a bit of a baffle. They are running the current
> > stable Debian (sarge) and doing everything I'd expect them to, UNLESS I
> > try to reach them from my workstation. From any of my other servers, I
> > get ping responses, can make ssh connections, the whole gamut.
> > From my workstation, pings return no response. An attempt to start an
> > ssh session dies a timeout death. I get this far:
> > OpenSSH_4.2p1, OpenSSL 0.9.7f 22 Mar 2005
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Connecting to chokma [84.214.xx.xxx] port 22. 
> >  
> > and no farther (the IP is correct, I've just added the x's because of
> > local policy).
> > 
> > I can verify that it is not a proxy problem, because if I boot my
> > workstation into XP (repeat previous sound) I can connect just fine with
> > PuTTY. Also, I can connect perfectly from another linux box within my
> > LAN. 
> > 
> > So, it's only my workstation, only when I'm booted into FC4 and only
> > when I try to contact the 2 newest servers. There are no firewalls in
> > place on either end of the connection.
> > 
> > What is going on?
> 
> Well, this is a Red Hat list, not a Debian list, but here are some
> things to check:

Yes, I'm aware of that. The problem is not with the Debian servers, but
with the FC4 client.
I can connect to the servers from any other machine to which I have
access, AND I can connect to the machines from the workstation in
question when it is booted into XP. But when the workstation is booted
into FC4 it cannot establish a ssh connection to those 2 servers,
although it can connect to any of the other servers, be they FC, SuSE,
Debian, RH or Gentoo.

> 1. Make ABSOLUTELY sure that iptables isn't running on the Debian boxes
> ("# iptables -L -n" and make sure no rules show up).

As I already stated, this is the case, and I can verify again that there
are zero iptable rules in place on either the client or the remote host.

> 2. Check the /etc/hosts.allow and /etc/hosts.deny files and verify that
> they're empty or that they allow your machine in.

Empty and unused at both ends of the connection.

> 3. Check the /etc/ssh/sshd_config file and verify that it allows your
> authentication methods and does not depend on DNS lookups (in case
> your DNS isn't working correctly).

The sshd_config files are identical across 4 machines. Two of them can
be accessed without problem and the other 2 are why I have posted this
query.
As visible in the results of running ssh -v, which were included in the
query and are still included above, resolution is not the issue.

ssh -v offers me no useful information.
Strace ssh offers me more info, but none useful. It simply verifies that
the client call eventually dies with a timeout.

The only real difference between machines I can reach and the 2 I can't
is that the reachable machines are a bit older and are running 2.4
kernels whereas the ones being stinkers are running 2.6.

I don't want to point my finger at the servers, though, because they are
behaving perfectly when accessed from any other machine, including my
laptop through a public hotspot connection. It is really ONLY the FC4
client which appears not to be receiving responses. And the part I find
the weirdest is that when the client is booted into XP it reaches the
hosts just fine. 
The client has the same IP regardless of the OS it boots. The LAN proxy
NATs correctly regardless of OS on the client.
If it were an iptables issue on the client, then I don't understand why
it can reach any other host it attempts to contact.

I'm at the end of my kung fu over here.

Andy



