[c-nsp] Strange SSH lag with ACL applied

Larry Smith lesmith at ecsis.net
Wed Jan 6 21:18:20 EST 2010


On Wed January 6 2010 19:02, Andy Saykao wrote:
> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
>  no ip redirects
>  no ip mroute-cache
>  ip ospf priority 15
>  load-interval 30
>  tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
>  permit ip host 203.10.110.x host 203.12.53.x
>  permit ip host 203.10.110.y host 203.12.53.x
>  permit ip host 203.10.110.z host 203.12.53.x
>  permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
>  permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
>  deny   ip any host 203.12.53.x
>  permit ip any any
>
>
> Interestingly enough when I "permit ip any" to access Host B as the very
> first line in the ACL, the SSH prompt is instantaneous.
>
> permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like so,
> but no joy.
>
> permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy

Possibly a "typo" but your ACL says it is named VLAN1-FILTER-OUT
(note VLAN1) and you are applying an ACL named VLAN2-FILTER-OUT.

In your second try (permit ip host 210.15.210.x host 203.12.53.x log)
what did the log entries say??

-- 
Larry Smith
lesmith at ecsis.net
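Larry's point above, turned into a check: an added example (not from the thread or from Cisco) that parses an IOS-style config, reports every `ip access-group` binding whose ACL is never defined, and suggests the closest defined name. The regexes are assumptions about IOS syntax and the sample config is constructed from the snippet quoted above; the relevance is that IOS applies no filtering on an interface whose bound ACL does not exist, so the typo leaves VLAN2 open rather than merely slow.

```python
import difflib
import re

# Constructed sample (mail quoting stripped) reproducing the thread's config:
# the interface binds VLAN2-FILTER-OUT, but the only ACL defined is VLAN1-FILTER-OUT.
SAMPLE_CONFIG = """\
interface Vlan2
 ip access-group VLAN2-FILTER-OUT out
!
ip access-list extended VLAN1-FILTER-OUT
 permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
 deny   ip any host 203.12.53.x
 permit ip any any
!
"""

# Assumed IOS syntax: named ACL definitions and per-interface bindings.
INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
ACL_DEF_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
ACL_BIND_RE = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)\b")


def parse_config(config):
    """Return (set of defined ACL names, list of (interface, acl, direction) bindings)."""
    defined, bindings, current_if = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # Any top-level command (including '!') closes the open interface block.
            current_if = None
            if m := INTERFACE_RE.match(line):
                current_if = m.group(1)
            elif m := ACL_DEF_RE.match(line):
                defined.add(m.group(1))
            continue
        if current_if and (m := ACL_BIND_RE.match(line)):
            bindings.append((current_if, m.group(1), m.group(2)))
    return defined, bindings


def find_dangling_acl_bindings(config):
    """Bindings whose ACL is never defined; IOS applies no filtering on such an interface."""
    defined, bindings = parse_config(config)
    return [b for b in bindings if b[1] not in defined]


def suggest_acl_name(name, defined):
    """Closest defined ACL name, to surface one-character typos such as VLAN1 vs VLAN2."""
    hits = difflib.get_close_matches(name, sorted(defined), n=1, cutoff=0.6)
    return hits[0] if hits else None
```

Running `find_dangling_acl_bindings(SAMPLE_CONFIG)` flags `Vlan2` binding `VLAN2-FILTER-OUT out`, and `suggest_acl_name` points at `VLAN1-FILTER-OUT`; the same check over a real `show running-config` dump is a quick way to catch this class of mistake before it becomes an open interface.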
