{"id":8320,"date":"2006-07-17T14:36:00","date_gmt":"2006-07-17T18:36:00","guid":{"rendered":"https:\/\/nuxx.net\/blog\/2006\/07\/17\/networking-problem\/"},"modified":"2026-07-01T11:34:36","modified_gmt":"2026-07-01T15:34:36","slug":"networking-problem","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2006\/07\/17\/networking-problem\/","title":{"rendered":"Networking Problem"},"content":{"rendered":"<p>I&#8217;m having a bit of a ssh \/ networking problem. It&#8217;s really confusing me.<\/p>\n<p>If you would like to read about it and hopefully help me solve it, please do. I&#8217;ll break sections of info up with hr&#8217;s.<br \/>\n<!--more--><\/p>\n<hr \/>\n<p>First off, there are three machines which I&#8217;ll mention here:<\/p>\n<blockquote><p>&middot; <tt>jawbreaker.dreamhost.com<\/tt> at <tt>208.113.141.20<\/tt>, known as <tt>jawbreaker<\/tt>, and is a shared box at a managed hosting facility.<br \/>\n&middot; <tt>home.nuxx.net<\/tt> at <tt>68.60.175.29<\/tt>, known as <tt>home<\/tt>, has no packet filter rules loaded, and is connected directly to a Comcast cable modem.<br \/>\n&middot; <tt>rez.nuxx.net<\/tt> at <tt>204.11.33.41<\/tt>, known as <tt>rez<\/tt>, is colocated in Troy, MI, and is connected directly to a live, unfiltered connection.<\/p><\/blockquote>\n<p>I will also occasionally connect from <tt>work<\/tt>, which is via a tunnel through an HTTP proxy which has no inbound connection.<\/p>\n<hr \/>\n<p>Here are the symptoms I&#8217;m seeing:<\/p>\n<blockquote><p>&middot; I can freely SSH from <tt>work<\/tt> to <tt>jawbreaker<\/tt>, <tt>home<\/tt>, and <tt>rez<\/tt>.<br \/>\n&middot; I can freely SSH from <tt>rez<\/tt> to <tt>home<\/tt> and <tt>jawbreaker<\/tt>.<br \/>\n&middot; I can freely SSH from <tt>jawbreaker<\/tt> to <tt>home<\/tt> and <tt>rez<\/tt>.<br \/>\n&middot; I can freely SSH from <tt>home<\/tt> to <tt>rez<\/tt>.<br \/>\n&middot; I <em><strong>cannot<\/strong><\/em> SSH from <tt>home<\/tt> to 
<tt>jawbreaker<\/tt>.<\/p><\/blockquote>\n<p>&middot; Other protocols, such as HTTP, HTTPS, POP3, SMTP all work between <tt>home<\/tt> and <tt>jawbreaker<\/tt> just fine.<\/p>\n<hr \/>\n<p>I first noticed the problem when running a script to use <tt>rsync<\/tt> tunneled through <tt>ssh<\/tt> to back up all of my users on <tt>dreamhost<\/tt>. This was running successfully overnight, but after finishing one user at around 03:51 EDT on 16-Jul-2006 things stopped working.<\/p>\n<hr \/>\n<p>I have made no changes, and I was told by support over at <a href=\"http:\/\/www.dreamhost.com\">DreamHost<\/a> that there is no entry in the <tt>hosts.deny<\/tt> for the IP of <tt>home<\/tt>, <tt>68.60.175.29<\/tt>.<\/p>\n<hr \/>\n<p>The issue occurs whether &#8220;TCP window increasing&#8221; on <tt>home<\/tt> is disabled (<tt>sysctl -w net.inet.tcp.rfc3390=0<\/tt>) or not.<\/p>\n<p>TCP window scaling is disabled on <tt>jawbreaker<\/tt>:<\/p>\n<blockquote><p><tt>jawbreaker:~> cat \/proc\/sys\/net\/ipv4\/tcp_default_win_scale<br \/>\n0<br \/>\njawbreaker:~> <\/tt><\/p><\/blockquote>\n<p>I checked these things because of <a href=\"http:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=267342\">this reported Debian bug<\/a> which doesn&#8217;t seem especially related, but I figured I&#8217;d look anyway.<\/p>\n<hr \/>\n<p>This issue is reproducible when trying to connect to multiple user accounts on <tt>jawbreaker<\/tt> and from multiple machines at home, both <tt>home<\/tt> itself and all machines to which it provides internet access via NAT. 
Note that all detailed troubleshooting was done directly from <tt>home<\/tt> itself with all NAT and packet filtering disabled.<\/p>\n<hr \/>\n<p>Now the output I see from <tt>ssh -vvv c0nsumer@jawbreaker.dreamhost.com<\/tt> is as follows:<\/p>\n<blockquote><p><tt>-bash-3.1$ ssh -vvv c0nsumer@jawbreaker.dreamhost.com<br \/>\nOpenSSH_4.3, OpenSSL 0.9.7g 11 Apr 2005<br \/>\ndebug1: Reading configuration data \/etc\/ssh\/ssh_config<br \/>\ndebug2: ssh_connect: needpriv 0<br \/>\ndebug1: Connecting to jawbreaker.dreamhost.com [208.113.141.20] port 22.<br \/>\ndebug1: Connection established.<br \/>\ndebug1: identity file \/home\/c0nsumer\/.ssh\/identity type -1<br \/>\ndebug1: identity file \/home\/c0nsumer\/.ssh\/id_rsa type -1<br \/>\ndebug1: identity file \/home\/c0nsumer\/.ssh\/id_dsa type -1<br \/>\nssh_exchange_identification: Connection closed by remote host<\/tt><\/p><\/blockquote>\n<hr \/>\n<p>&middot; All SSH keys on both ends have been removed from appropriate <tt>~\/.ssh<\/tt> directories and multiple usernames have been tried.<\/p>\n<hr \/>\n<p>Attempting to connect to a completely non-existent username on the server fails as well. 
The user is never prompted to accept the new host key:<\/p>\n<blockquote><p><tt>-bash-3.1$ ssh testuserwhichshouldntexistatall@jawbreaker.dreamhost.com<br \/>\nssh_exchange_identification: Connection closed by remote host<br \/>\n-bash-3.1$<\/tt><\/p><\/blockquote>\n<hr \/>\n<p>&middot; <tt>home<\/tt> is running OpenBSD 3.9 without <tt>pf<\/tt> and with the shipping kernel.<br \/>\n&middot; <tt>jawbreaker<\/tt> is running: <tt>Linux jawbreaker 2.4.32-grsec+f6b+gr217+nfs+a32+fuse23+++opt+c6+gr2b-v6.192 #1 SMP Wed Dec 14 17:06:16 PST 2005 i686 GNU\/Linux<\/tt>.<\/p>\n<hr \/>\n<p>Here is a traceroute from <tt>home<\/tt> to <tt>jawbreaker<\/tt>:<\/p>\n<blockquote><p><tt># traceroute jawbreaker.dreamhost.com<br \/>\ntraceroute to jawbreaker.dreamhost.com (208.113.141.20), 64 hops max, 40 byte packets<br \/>\n 1  * * *<br \/>\n 2  ge-2-1-ur03.macomb.mi.michigan.comcast.net (68.86.120.117)  16.132 ms  11.747 ms  11.594 ms<br \/>\n 3  te-9-1-ur02.sterlinghub.mi.michigan.comcast.net (68.87.190.254)  19.257 ms  12.22 ms  11.844 ms<br \/>\n 4  te-9-4-ur03.sterlinghub.mi.michigan.comcast.net (68.87.191.2)  16.701 ms  12.409 ms  26.386 ms<br \/>\n 5  te-9-1-ur02.warren1.mi.michigan.comcast.net (68.87.191.6)  16.41 ms  12.951 ms  38.499 ms<br \/>\n 6  te-9-4-ur03.warren1.mi.michigan.comcast.net (68.87.191.10)  30.742 ms  12.651 ms  12.459 ms<br \/>\n 7  te-9-1-ur02.royaloak.mi.michigan.comcast.net (68.87.191.14)  29.955 ms  13.359 ms  13.726 ms<br \/>\n 8  te-9-2-ur03.royaloak.mi.michigan.comcast.net (68.87.191.18)  18.200 ms  36.832 ms  14.443 ms<br \/>\n 9  te-9-1-ur02.rochesterhlls.mi.michigan.comcast.net (68.87.191.22)  18.975 ms  13.789 ms  13.674 ms<br \/>\n10  te-9-1-ur02.auburnhills.mi.michigan.comcast.net (68.87.191.26)  21.968 ms  13.650 ms  14.102 ms<br \/>\n11  te-9-1-ar02.pontiac.mi.michigan.comcast.net (68.87.191.30)  19.882 ms  14.50 ms  14.155 ms<br \/>\n12  pos-6-1-ar01.pontiac.mi.michigan.comcast.net (68.87.191.165)  30.622 ms  22.374 ms  12.877 ms<br \/>\n13  
12.116.16.25 (12.116.16.25)  26.569 ms  20.704 ms  19.463 ms<br \/>\n14  tbr2032901.cgcil.ip.att.net (12.123.4.238)  70.520 ms  66.947 ms  79.192 ms<br \/>\n15  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  74.259 ms  93.523 ms  68.248 ms<br \/>\n16  tbr2-cl21.la2ca.ip.att.net (12.122.10.14)  72.703 ms  68.30 ms  80.93 ms<br \/>\n17  gar1-p3100.lsnca.ip.att.net (12.123.199.229)  71.31 ms  67.786 ms  84.23 ms<br \/>\n18  12.119.138.66 (12.119.138.66)  70.535 ms  67.61 ms  119.277 ms<br \/>\n19  border1.po1-bbnet1.ext1a.lax.pnap.net (216.52.255.31)  86.158 ms  66.103 ms  69.94 ms<br \/>\n20  newdream-1.border1.ext1a.lax.pnap.net (216.52.220.78)  72.42 ms  65.867 ms  67.859 ms<br \/>\n21  jawbreaker.dreamhost.com (208.113.141.20)  99.638 ms  67.68 ms  66.781 ms<\/tt><\/p><\/blockquote>\n<p>Here is a traceroute from <tt>jawbreaker<\/tt> to <tt>home<\/tt>:<\/p>\n<blockquote><p><tt>jawbreaker:~> traceroute home.nuxx.net<br \/>\ntraceroute to home.nuxx.net (68.60.175.29), 30 hops max, 38 byte packets<br \/>\n 1  gw-208-113-128-1 (208.113.128.1)  0.374 ms  0.330 ms  0.286 ms<br \/>\n 2  border1.g3-5.newdream-1.ext1a.lax.pnap.net (216.52.220.77)  0.272 ms  0.229 ms  0.268 ms<br \/>\n 3  core3.t2-2-bbnet2.lax.pnap.net (216.52.255.67)  95.864 ms  3.780 ms  202.082 ms<br \/>\n 4  12.119.138.65 (12.119.138.65)  0.352 ms  0.419 ms  0.336 ms<br \/>\n 5  tbr2-p013101.la2ca.ip.att.net (12.123.199.230)  48.256 ms  48.507 ms  48.592 ms<br \/>\n 6  tbr2-cl21.sl9mo.ip.att.net (12.122.10.13)  47.738 ms  48.064 ms  48.390 ms<br \/>\n 7  tbr2-cl7.cgcil.ip.att.net (12.122.10.45)  48.313 ms  47.864 ms  47.980 ms<br \/>\n 8  gar4-p390.cgcil.ip.att.net (12.123.6.14)  47.141 ms  46.832 ms  47.465 ms<br \/>\n 9  12.118.239.42 (12.118.239.42)  53.263 ms  53.205 ms  53.169 ms<br \/>\n10  pos-2-1-ar02.pontiac.mi.michigan.comcast.net (68.87.191.166)  52.850 ms  52.797 ms  52.795 ms<br \/>\n11  te-9-2-ur02.auburnhills.mi.michigan.comcast.net (68.87.191.29)  53.859 ms  53.768 ms  53.816 ms<br \/>\n12  
te-9-2-ur02.rochesterhlls.mi.michigan.comcast.net (68.87.191.25)  54.144 ms  53.967 ms  53.914 ms<br \/>\n13  te-9-1-ur03.royaloak.mi.michigan.comcast.net (68.87.191.21)  54.695 ms  54.884 ms  54.742 ms<br \/>\n14  te-9-2-ur02.royaloak.mi.michigan.comcast.net (68.87.191.17)  -1531.895 ms  54.341 ms  54.341 ms<br \/>\n15  te-9-1-ur03.warren1.mi.michigan.comcast.net (68.87.191.13)  54.607 ms  54.566 ms  54.593 ms<br \/>\n16  te-9-4-ur02.warren1.mi.michigan.comcast.net (68.87.191.9)  54.405 ms  54.275 ms  54.252 ms<br \/>\n17  te-9-1-ur03.sterlinghub.mi.michigan.comcast.net (68.87.191.5)  54.275 ms  54.201 ms  54.265 ms<br \/>\n18  te-9-4-ur02.sterlinghub.mi.michigan.comcast.net (68.87.191.1)  54.296 ms  54.277 ms  54.413 ms<br \/>\n19  te-9-1-ur03.macomb.mi.michigan.comcast.net (68.87.190.253)  54.825 ms  54.893 ms  54.856 ms<br \/>\n20  * * *<br \/>\n21  c-68-60-175-29.hsd1.mi.comcast.net (68.60.175.29)  75.717 ms  62.029 ms  62.405 ms<\/tt><\/p><\/blockquote>\n<p>Here is the <a href=\"http:\/\/michael.toren.net\/code\/tcptraceroute\/\">tcptraceroute<\/a> output connecting from <tt>home<\/tt> to <tt>jawbreaker<\/tt> via port 22 (SSH):<\/p>\n<blockquote><p><tt># tcptraceroute jawbreaker.dreamhost.com 22<br \/>\nSelected device fxp0, address 68.60.175.29, port 11734 for outgoing packets<br \/>\nTracing the path to jawbreaker.dreamhost.com (208.113.141.20) on TCP port 22, 30 hops max<br \/>\n 1  * * *<br \/>\n 2  ge-2-1-ur03.macomb.mi.michigan.comcast.net (68.86.120.117)  13.499 ms  10.856 ms  24.718 ms<br \/>\n 3  te-9-1-ur02.sterlinghub.mi.michigan.comcast.net (68.87.190.254)  35.414 ms  12.855 ms  24.947 ms<br \/>\n 4  te-9-4-ur03.sterlinghub.mi.michigan.comcast.net (68.87.191.2)  12.240 ms  12.372 ms  62.391 ms<br \/>\n 5  te-9-1-ur02.warren1.mi.michigan.comcast.net (68.87.191.6)  13.717 ms  13.378 ms  15.417 ms<br \/>\n 6  te-9-4-ur03.warren1.mi.michigan.comcast.net (68.87.191.10)  23.959 ms  12.563 ms  12.578 ms<br \/>\n 7  
te-9-1-ur02.royaloak.mi.michigan.comcast.net (68.87.191.14)  37.649 ms  12.883 ms  26.065 ms<br \/>\n 8  te-9-2-ur03.royaloak.mi.michigan.comcast.net (68.87.191.18)  35.619 ms  12.960 ms  26.129 ms<br \/>\n 9  te-9-1-ur02.rochesterhlls.mi.michigan.comcast.net (68.87.191.22)  13.028 ms  12.907 ms  18.709 ms<br \/>\n10  te-9-1-ur02.auburnhills.mi.michigan.comcast.net (68.87.191.26)  14.315 ms  13.827 ms  13.773 ms<br \/>\n11  te-9-1-ar02.pontiac.mi.michigan.comcast.net (68.87.191.30)  14.012 ms  14.944 ms  12.863 ms<br \/>\n12  pos-6-1-ar01.pontiac.mi.michigan.comcast.net (68.87.191.165)  16.173 ms  12.604 ms  18.535 ms<br \/>\n13  12.116.16.25 (12.116.16.25)  32.703 ms  22.959 ms  20.496 ms<br \/>\n14  tbr2032901.cgcil.ip.att.net (12.123.4.238)  67.933 ms  79.263 ms  66.734 ms<br \/>\n15  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  76.101 ms  82.298 ms  66.611 ms<br \/>\n16  tbr2-cl21.la2ca.ip.att.net (12.122.10.14)  84.126 ms  79.689 ms  69.245 ms<br \/>\n17  gar1-p3100.lsnca.ip.att.net (12.123.199.229)  66.972 ms  78.704 ms  66.304 ms<br \/>\n18  12.119.138.66 (12.119.138.66)  98.005 ms  164.422 ms  194.164 ms<br \/>\n19  border1.po1-bbnet1.ext1a.lax.pnap.net (216.52.255.31)  67.800 ms  67.176 ms  79.373 ms<br \/>\n20  newdream-1.border1.ext1a.lax.pnap.net (216.52.220.78)  66.434 ms  90.888 ms  67.048 ms<br \/>\n21  jawbreaker.dreamhost.com (208.113.141.20) [open]  90.653 ms  67.222 ms  83.555 ms<br \/>\n<\/tt><\/p><\/blockquote>\n<hr \/>\n<p>The next steps I&#8217;m going to try are to replace the OpenBSD machine <tt>home<\/tt> with a Windows XP box and try SSHing out. If I can then connect, it&#8217;s a problem with OpenBSD on <tt>home<\/tt> and its interaction with <tt>jawbreaker<\/tt>. If it does not work, it&#8217;s likely either a Comcast or AT&#038;T problem. <em>Those<\/em> should be fun to sort out. :\\<\/p>\n<hr \/>\n<p>Problem is somewhat solved. I swapped interfaces on the firewall forcing an IP change. 
My old IP was <tt>68.60.175.29<\/tt> and my new one is <tt>68.43.131.193<\/tt>. And now things work. So, either it&#8217;s odd Comcast dealings, or it really was something being blocked at the ISP. Either way, it&#8217;s really screwy. Maybe I&#8217;ll dig into it some more tomorrow. For now I need sleep.<\/p>\n<p><strong>UPDATE:<\/strong> Problem kinda solved. Check below the cut for details.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m having a bit of a ssh \/ networking problem. It&#8217;s really confusing me. If you would like to read about it and hopefully help me solve it, please do. I&#8217;ll break sections of info up with hr&#8217;s.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,34],"tags":[],"class_list":["post-8320","post","type-post","status-publish","format-standard","hentry","category-computers","category-moved-from-livejournal"],"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=8320"}],"version-history":[{"count":1,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8320\/revisions"}],"predecessor-version":[{"id":13309,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/8320\/revisions\/13309"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=8320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=8320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\
/wp-json\/wp\/v2\/tags?post=8320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}