[c-nsp] [Resolved] Strange SSH lag with ACL applied

Andy Saykao andy.saykao at staff.netspace.net.au
Wed Jan 6 22:20:00 EST 2010


Thanks to all those that replied.

It was exactly a reverse dns issue. I didn't know that SSH performed a
reverse dns on the incoming IP.

And silly me did not have our dns servers in the ACL.

Cheers.

Andy 

-----Original Message-----
From: Andrew Hoyos [mailto:ahoyos at xiocom.com] 
Sent: Thursday, 7 January 2010 2:16 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: RE: Strange SSH lag with ACL applied

From Host A, is traffic allowed to your DNS servers in your ACL?

If not, the delay might be a reverse DNS lookup timing out.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- 
> bounces at puck.nether.net] On Behalf Of Andy Saykao
> Sent: Wednesday, January 06, 2010 7:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange SSH lag with ACL applied
>
> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's 
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external 
> IPs from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to 
> VLAN2, it takes a very long time for the SSH login prompt to appear. 
> If I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's 
> going on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
>  no ip redirects
>  no ip mroute-cache
>  ip ospf priority 15
>  load-interval 30
>  tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
>  permit ip host 203.10.110.x host 203.12.53.x
>  permit ip host 203.10.110.y host 203.12.53.x
>  permit ip host 203.10.110.z host 203.12.53.x
>  permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
>  permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
>  deny   ip any host 203.12.53.x
>  permit ip any any
>
>
> Interestingly enough when I "permit ip any" to access Host B as the 
> very first line in the ACL, the SSH prompt is instantaneous.
>
> permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like 
> so, but no joy.
>
> permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
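The mechanism the thread settles on, worked through as an added example that is not part of the original posts: a small first-match evaluator for IOS extended ACEs, run against the relevant lines of the posted ACL. Because the ACL is applied outbound on Vlan2, it filters packets heading toward Host B, so the SSH connection from Host A is permitted while the reply from the DNS server to Host B's reverse lookup hits the deny line and the resolver has to time out. The host and DNS server addresses are constructed stand-ins for the obfuscated ones, and the added permit line assumes DNS over UDP/53.

```python
import ipaddress

# Constructed stand-ins for the obfuscated addresses in the thread.
HOST_A = "210.15.210.20"   # SSH client, inside 210.15.210.0/24
HOST_B = "203.12.53.10"    # SSH server on Vlan2 (the "203.12.53.x" host)
DNS = "203.0.113.53"       # hypothetical recursive DNS server used by Host B

def _addr(tokens):
    """Consume an address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (hostmask) in the mask position
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [log]' into a tuple."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, rest = _addr(toks[2:])
    sport = dport = None
    if rest and rest[0] == "eq":
        sport, rest = int(rest[1]), rest[2:]
    dst, rest = _addr(rest)
    if rest and rest[0] == "eq":
        dport = int(rest[1])
    return (action, proto, src, sport, dst, dport)

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation; an ACL ends with an implicit 'deny ip any any'."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, sp, d, dp in acl:
        if p not in ("ip", proto) or s_ip not in s or d_ip not in d:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"

# The relevant lines of the posted ACL (outbound on Vlan2, i.e. toward Host B).
ORIGINAL = [parse_ace(l) for l in (
    f"permit ip 210.15.210.0 0.0.0.255 host {HOST_B}",
    f"deny ip any host {HOST_B}",
    "permit ip any any",
)]
# Same ACL with one line added ahead of the deny so DNS replies reach Host B.
FIXED = [parse_ace(f"permit udp host {DNS} eq 53 host {HOST_B}")] + ORIGINAL

if __name__ == "__main__":
    print("SSH from Host A    :", evaluate(ORIGINAL, "tcp", HOST_A, 40000, HOST_B, 22))
    print("DNS reply, original:", evaluate(ORIGINAL, "udp", DNS, 53, HOST_B, 40001))
    print("DNS reply, fixed   :", evaluate(FIXED, "udp", DNS, 53, HOST_B, 40001))
```

The same evaluator shows why permitting Host A first did not help: the SSH packets were never the ones being dropped.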
