[c-nsp] Strange SSH lag with ACL applied

Gert Doering gert at greenie.muc.de
Thu Jan 7 02:30:06 EST 2010


Hi,

On Thu, Jan 07, 2010 at 12:02:48PM +1100, Andy Saykao wrote:
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>  
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
> from accessing it.
>  
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?

Seems you've killed DNS from Host B.

Rule #1 with ACLs: if you can't figure out why it's affecting stuff, put
a "deny ip any any log" at the end, and look at the log to see what is
being dropped.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
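Gert's "deny ip any any log" advice produces %SEC-6-IPACCESSLOGP syslog lines on the router; the following script, added here as an example and not part of the original thread, parses such lines and pulls out the flows that explain the symptom. The usual mechanism behind the lag is that the SSH daemon on Host B does a reverse lookup of the client address and waits for the resolver to time out when DNS replies never come back through the ACL, so the script specifically flags denied flows that touch port 53 in either direction. The log lines below are constructed for the example (documentation-range addresses for the outside hosts, the .7 and .20 host parts are made up); the ACL name and the two network prefixes come from Andy's mail.

```python
import re
from collections import Counter

# IOS access-list logging format for TCP/UDP with ports, e.g.
#   %SEC-6-IPACCESSLOGP: list NAME denied udp A.B.C.D(sport) -> E.F.G.H(dport), N packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog output, not captured from a real device.
SAMPLE_LOG = """\
Jan  7 11:58:01.123: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 198.51.100.53(53) -> 203.12.53.20(33333), 1 packet
Jan  7 11:58:06.456: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied udp 198.51.100.53(53) -> 203.12.53.20(33333), 3 packets
Jan  7 11:58:07.789: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT permitted tcp 210.15.210.7(51022) -> 203.12.53.20(22), 1 packet
Jan  7 11:58:09.001: %SEC-6-IPACCESSLOGP: list VLAN2-FILTER-OUT denied tcp 192.0.2.44(44010) -> 203.12.53.20(445), 1 packet
Jan  7 11:58:10.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_acl_log(text):
    """Return one dict per ACL log line; unrelated syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key in ("sport", "dport", "count"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def denied_packets_by_port(text, acl=None):
    """Total denied packets keyed by (protocol, destination port)."""
    totals = Counter()
    for e in parse_acl_log(text):
        if e["action"] != "denied":
            continue
        if acl is not None and e["acl"] != acl:
            continue
        totals[(e["proto"], e["dport"])] += e["count"]
    return totals


def blocked_dns_flows(text, acl=None):
    """Denied flows with port 53 as source OR destination.

    Keying on the destination port alone hides blocked DNS *replies*, whose
    destination is the client's ephemeral port; the resolver's port 53 then
    only shows up on the source side.
    """
    return [
        e
        for e in parse_acl_log(text)
        if e["action"] == "denied"
        and (acl is None or e["acl"] == acl)
        and 53 in (e["sport"], e["dport"])
    ]


if __name__ == "__main__":
    for (proto, port), n in denied_packets_by_port(SAMPLE_LOG).most_common():
        print(f"denied {proto}/{port}: {n} packet(s)")
    for f in blocked_dns_flows(SAMPLE_LOG, acl="VLAN2-FILTER-OUT"):
        print(f"DNS blocked: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}")
```

On the constructed input the per-port summary shows the largest drop count on udp/33333, which looks meaningless until the port-53 check reveals that those are resolver replies being denied on their way back into VLAN2. Note that "log" on a high-traffic ACL entry is rate-limited by IOS and costs CPU, so it is a troubleshooting step to remove again once the offending entry is found.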