7

I have set up a few hundred embedded boxes to contact HQ by opening up reverse ssh tunnels, each under a new port. This is mostly working fine, but today I encountered a problem with using the tunnel through a low-bandwidth (or low-quality?) GPRS connection.

The remote machine opening up the tunnel is connected to the internet via a (so far unknown) 3G router which probably only has a GPRS, or at best an EDGE, connection.

Logged in to my machine I can see the incoming ssh connection on its port 1234:

me@machine:~$ sudo nmap -sS -p 1234 --open localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2014-11-27 15:27 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
PORT     STATE SERVICE
1234/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
me@machine:~$

Now, trying to open the ssh connection I get a Connection timed out error:

me@machine:~$ ssh -vp 1234 localhost
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [::1] port 1234.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/cts/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/cts/.ssh/id_rsa-cert type -1
debug1: identity file /home/cts/.ssh/id_dsa type -1
debug1: identity file /home/cts/.ssh/id_dsa-cert type -1
debug1: identity file /home/cts/.ssh/id_ecdsa type -1
debug1: identity file /home/cts/.ssh/id_ecdsa-cert type -1
Connection timed out during banner exchange
me@machine:~$

Other ports work fine, as did this one when it was (verified) connected to a 3G network.

I tried something that sometimes helps when doing this over satellite connections - ssh -o "ConnectTimeout 99" -o "ServerAliveCountMax 5" -vp 1234 localhost but that didn't help either.

I assume this has something to do with either
a) the wireless provider filtering something on his GPRS network that he does not on his 3G network
or
b) the bad latency of the GPRS connection f***ing up my tunnel.

Anyone have an idea of how to tackle this situation or get a better understanding of what is going on (or, rather, not going on) here? Adding more -v's to the command doesn't show any more debug output, btw.

Christian
  • 211

2 Answers

4

The Connection timed out during banner exchange error message may indicate network issues. If you see a socket is established using netstat on both the server and the client, there may be a firewall or packet inspection device that is preventing the SSH connection from being established. We have seen this issue on a system that was behind a protected network and the firewall rules were not configured properly. The firewall was also dropping any connection that tried to initiate an HTTP/1.1 request, which was confirmed using netcat to simulate a web server and connecting to it using netcat. When we changed the response to HTTP/1.2 it let the response through, indicating something in the network layer was inspecting requests and applying filtering rules against them.

Other low-level networking issues like MTU/jumbo frame issues or high packet loss could also cause the problem.

Greg Bray
  • 5,740
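A probe for the situation in the question and the "is anything actually answering" check in the answer above (added example; this is not code from the original post or from either answer). The point it makes explicit: on the HQ side of an `ssh -R` forward, nmap reporting port 1234 as open only proves that HQ's own sshd accepted the TCP connection on the forwarded port. The `SSH-2.0-...` identification line has to come back from the sshd on the embedded box, through the tunnel and over the GPRS link, so "TCP accepted, then silence until the timeout" is exactly what a stalled tunnel (or a middlebox swallowing the banner, as in the answer above) looks like, and it is indistinguishable from "open" in a port scan. The probe connects, waits for the server's identification line (an SSH server speaks first), and classifies the result; the fake listeners exist only so the script can be run and tested offline, and the OpenSSH/dropbear banner strings they send are constructed for the demonstration.

```python
"""Probe an SSH port and tell "accepts TCP" apart from "an SSH server answers".

Added example for the reverse-tunnel question above; not the poster's code.
Usage: python3 probe_ssh_banner.py [host] [port]   (defaults: localhost 1234)
"""
import socket
import threading
import time


def _complete_ident_line(buf):
    """Return the first complete (newline-terminated) line starting with 'SSH-', or None."""
    for line in buf.split(b'\n')[:-1]:          # drop the trailing, unterminated fragment
        line = line.rstrip(b'\r')
        if line.startswith(b'SSH-'):
            return line
    return None


def classify_banner(data):
    """Map the bytes received before the deadline to a (state, detail) pair.

    'silent' : connected, but not a single byte came back (stalled tunnel / dropped banner)
    'ssh'    : an RFC 4253 identification line arrived (detail = that line)
    'other'  : something answered, but it is not an SSH server (e.g. an HTTP reply)
    """
    if not data:
        return 'silent', ''
    for line in data.split(b'\n'):
        line = line.rstrip(b'\r')
        if line.startswith(b'SSH-'):
            return 'ssh', line.decode('ascii', 'replace')
    return 'other', data[:64].decode('ascii', 'replace')


def read_ssh_banner(host, port, timeout=10.0):
    """Connect, send nothing, and wait up to `timeout` seconds for the server's banner.

    Returns (state, detail, elapsed_seconds); state adds 'refused' to the three
    states above for the case where the TCP connect itself fails.
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return 'refused', str(exc), time.monotonic() - start
    buf = b''
    try:
        sock.settimeout(timeout)
        # RFC 4253 allows the server to send other lines before the SSH- line,
        # so keep reading until a complete identification line, EOF, timeout,
        # or a 4 KiB sanity cap.
        while _complete_ident_line(buf) is None and len(buf) < 4096:
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                break
            if not chunk:                        # peer closed without a banner
                break
            buf += chunk
    finally:
        sock.close()
    state, detail = classify_banner(buf)
    return state, detail, time.monotonic() - start


def start_fake_server(reply, host='127.0.0.1'):
    """One-shot demo listener on an ephemeral port; returns the port number.

    reply=None mimics the HQ side of a stalled reverse tunnel: the port accepts
    the connection and then says nothing.  reply=bytes sends those bytes and closes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            if reply is None:
                try:
                    conn.recv(1)                 # block until the client gives up
                except OSError:
                    pass
            else:
                conn.sendall(reply)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port(host='127.0.0.1'):
    """Pick a local port with nothing listening, to demonstrate the 'refused' state."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == '__main__':
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else 'localhost'
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1234
    state, detail, elapsed = read_ssh_banner(host, port, timeout=30)
    print(f'{host}:{port} -> {state} {detail!r} after {elapsed:.1f}s')
```

Run it against the forwarded port while the tunnel is in the bad state: a result of `silent` after the full timeout, on a port nmap calls open, tells you the far end's sshd reply is not making it back through the tunnel, which is a different problem from the `refused` you would get if the `-R` listener had gone away. A `ssh` result with the expected OpenSSH or dropbear version means the tunnel carries data and the fault lies in the later key exchange. Running the same probe on the remote box against its own port 22 (with the remote's sshd banner as the expected answer) rules the local sshd on the embedded box in or out.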
-3

If your firewall (e.g. on a jump host) is using knockd, simply try increasing Cmd_Timeout: https://linux.die.net/man/1/knockd

Timm
  • 41