[c-nsp] Strange SSH lag with ACL applied

Brandon Applegate brandon at burn.net
Wed Jan 6 21:53:14 EST 2010


Sounds like your SSH server is trying to reverse resolve your IP (for 
logging).  You can either fix your ACL to allow this DNS traffic, or there 
is a global config (UseDNS no) you can put in sshd_config.  Worth a shot 
to test at least.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."


On Thu, 7 Jan 2010, Andy Saykao wrote:

> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
> ip address 203.12.53.aaa 255.255.255.224
> ip access-group VLAN2-FILTER-OUT out
> no ip redirects
> no ip mroute-cache
> ip ospf priority 15
> load-interval 30
> tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
> permit ip host 203.10.110.x host 203.12.53.x
> permit ip host 203.10.110.y host 203.12.53.x
> permit ip host 203.10.110.z host 203.12.53.x
> permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
> permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
> permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
> permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
> permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
> permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
> permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
> permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
> deny   ip any host 203.12.53.x
> permit ip any any
>
>
> Interestingly enough when I "permit ip any" to access Host B as the very
> first line in the ACL, the SSH prompt is instantaneous.
>
> permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like so,
> but no joy.
>
> permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
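A small diagnostic that follows up on the reply's suggestion, added here as an example and not code from either poster or from OpenSSH: it reads the effective `UseDNS` value from sshd_config text the way sshd does (first occurrence wins, keywords are case-insensitive, lines starting with `#` are comments) and times the same reverse lookup sshd performs on the client's address when `UseDNS` is on. A reverse lookup that runs to the resolver timeout is exactly the delay seen at the login prompt when an ACL silently drops the DNS traffic. The sample config, the `203.0.113.10` client address (documentation range) and the `default` parameter (the value sshd uses when the keyword is absent, which depends on the OpenSSH version) are assumptions for this example.

```python
import socket
import threading
import time

# Constructed sample sshd_config (not from the thread). Note the commented-out
# line and the two conflicting settings: sshd honours the first real one.
SAMPLE_SSHD_CONFIG = """\
# constructed example sshd_config
Port 22
#UseDNS yes
LogLevel INFO
UseDNS no
UseDNS yes
"""


def effective_usedns(config_text, default="yes"):
    """Return the effective UseDNS value ('yes' or 'no') for sshd_config text.

    Mirrors sshd's parsing rules for a plain (non-Match) config: the first
    occurrence of a keyword wins, keywords are case-insensitive, and lines
    whose first non-blank character is '#' are comments. `default` is what
    applies when the keyword never appears; it is passed in as an assumption
    because the built-in default changed between OpenSSH releases.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "usedns":
            value = parts[1].strip().lower()
            if value in ("yes", "no"):
                return value
    return default


def time_reverse_lookup(ip, timeout=5.0):
    """Time the reverse lookup sshd does on a client address when UseDNS is on.

    Returns (seconds_elapsed, hostname_or_None, timed_out). The lookup runs in
    a daemon thread so a resolver that never answers (DNS dropped by an ACL)
    cannot hang the caller; in that case timed_out is True and the elapsed
    time equals the timeout rather than the resolver's own give-up time.
    """
    result = {}

    def worker():
        try:
            result["name"] = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            result["name"] = None

    t = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    t.start()
    t.join(timeout)
    elapsed = time.monotonic() - start
    return elapsed, result.get("name"), t.is_alive()


def diagnose(config_text, client_ip, timeout=5.0, default="yes"):
    """Combine both checks into one verdict string for the given client."""
    usedns = effective_usedns(config_text, default=default)
    if usedns == "no":
        return "UseDNS is off: sshd will not reverse-resolve %s" % client_ip
    elapsed, name, timed_out = time_reverse_lookup(client_ip, timeout)
    if timed_out:
        return ("UseDNS is on and the reverse lookup of %s exceeded %.1fs: "
                "check that DNS replies reach this host" % (client_ip, timeout))
    return "UseDNS is on; reverse lookup of %s took %.2fs (%s)" % (
        client_ip, elapsed, name or "no PTR record")


if __name__ == "__main__":
    # Assumed client address from the documentation range; replace with the
    # real peer address (Host A in the thread) when running this for real.
    print(diagnose(SAMPLE_SSHD_CONFIG, "203.0.113.10"))
    print(diagnose("Port 22\n", "203.0.113.10", timeout=2.0))
```

Run it on Host B with its real sshd_config and the address of Host A. If the first check reports `UseDNS` on and the lookup times out, either set `UseDNS no` (the reply's second option) or, following the first option, make sure the DNS replies returning to Host B from its resolvers are permitted ahead of the `deny ip any host 203.12.53.x` line, since an outbound ACL on VLAN2 filters exactly that returning traffic.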

