Do I have an ssh problem?

Bill Davidsen davidsen at tmr.com
Thu Sep 20 21:47:12 UTC 2007 

Jonathan Underwood wrote:
> On 11/09/2007, Les <hlhowell at pacbell.net> wrote:
> 
>> I had the same problem on FC6.  I asked lots of questions got lots of
>> advice leading to iptables in the firewall being part of the problem.
>> Finally I turned off the firewall, and things worked ok.  I am now
>> slowly going through the iptables and playing with combinations, to see
>> what in there is mucking up the transfers.  But it seems related to
>> several things affecting different bits of the process.
>> I can't isolate it well yet.
>>
>> If you have a separate firewall isolating you from the net threats as I
>> do, then you can pretty safely turn off the machines firewall and see if
>> it helps.
>>
> 
> I have had probelms with scp of large files between two boxes  each
> behind a firewall - the scp would stalll after a few kb (the machine
> wouldn't crash though). Turns out that one of the firewalls was
> somehow causing many packets to be out of the TCP window.
> 
> doing an
> 
> echo 1 > /proc/sys/netfilter/nf_conntrack_tcp_be_liberal
> 
> fixed that for me. To make it persistent accross rebotts you need to
> add this line to /etc/sysctl.conf
> 
> net.netfilter.nf_conntrack_tcp_be_liberal = 1

Now I have to go read exactly what that is supposed to do.
> 
> Another thing you might want to turn off is tcp window scaling - read
> about that here:
> 
> http://lwn.net/Articles/92727/
> 
> However, I would not have expected any of these things to cause a box to hang.
> 
Now there I have never seen a problem, and I have boxen from RH8, RH9, 
FC1, FC[4567] running, all with advanced window scaling set to 5 (and 
on, obviously). In particular, my FC4 laptop may run wireless or plugged 
in, so speeds are quite different. I did transfer some DVD images FC7 to 
FC4 with no issue. What does it say that I find a 4GB xfer easier than 
walking up three flights of stairs and back?

I have transferred cpio data of ~1GB,
   find images -type f -mnewer lastsync | cpio -o -Hcrc |
   ssh foo "cd images && cpio -idm"
and that worked, all using large windows.

FWIW I also do NFS using 9k jumbo packets and GigE between FC1 and FC6, 
and I moved ~700GB doing that. That points away from a network volume 
issue in FC7. The NFS uses TCP not UDP for reasons not related to hanging.

Final thought, I use blowfish encryption, but a fail in ssh/sshd 
wouldn't stop a system in any case.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

More information about the fedora-list mailing list