我正在尝试诊断 SSH 连接超时的原因。
我有两个 OSX 机箱,它们可以通过 SSH 顺利连接到远程服务器。
我有两个 ubuntu 盒子,在同一个网络和子网上,每次尝试通过 SSH 进入服务器时都会超时。
这两个 ubuntu 盒子可以通过 SSH 连接到许多其他服务器,但不能连接到此服务器上的任何域。这是一台 cPanel 服务器,同一台服务器上有多个站点。
tcptraceroute 的输出
~$ sudo tcptraceroute example.com.au
traceroute to example.com.au (223.130.25.70), 30 hops max, 60 byte packets
1 192.168.1.254 (192.168.1.254) 37.196 ms 37.179 ms 37.160 ms
2 172.18.113.43 (172.18.113.43) 23.195 ms 25.822 ms 24.850 ms
3 * * *
4 172.18.243.105 (172.18.243.105) 31.476 ms * *
5 bundle-ether10.pie10.perth.telstra.net (110.142.134.205) 38.013 ms * *
6 * * *
7 * * *
8 * * tengigabitethernet9-1.wel19.perth.telstra.net (203.50.115.157) 23.386 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * ipll-5016775.gw.aapt.com.au (203.174.177.26) 93.951 ms 94.883 ms
18 * * *
19 * * *
20 * * *
21 ve101.rn-400harris-cer-01.pipenetworks.com (121.101.138.213) 84.761 ms 86.856 ms
91.565 ms
22 ip-134-153-161-203.static.pipenetworks.com (203.161.153.134) 105.421 ms 106.249 ms
106.258 ms
23 ge-0-1-40-1-mel.as45638.net.au (112.140.177.254) 92.756 ms 94.176 ms 95.147 ms
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
只有在前往有问题的服务器时,路由器之间的 ping 似乎才会变慢。如果我直接 ping 路由器,那就没问题了。例如
~$ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_req=1 ttl=64 time=0.610 ms
64 bytes from 192.168.1.254: icmp_req=2 ttl=64 time=0.275 ms
64 bytes from 192.168.1.254: icmp_req=3 ttl=64 time=0.298 ms
64 bytes from 192.168.1.254: icmp_req=4 ttl=64 time=0.266 ms
防火墙没有阻止任何东西。
~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
根据要求添加了 tcpdump 输出。
~$ sudo tcpdump -vv -n host 223.130.25.70
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:16:47.638574 IP (tos 0x0, ttl 64, id 11947, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x39bc), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374421191 ecr 0,nop,wscale 7], length 0
18:16:48.637914 IP (tos 0x0, ttl 64, id 11948, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x38c2), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374421441 ecr 0,nop,wscale 7], length 0
18:16:50.641915 IP (tos 0x0, ttl 64, id 11949, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x36cd), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374421942 ecr 0,nop,wscale 7], length 0
18:16:54.649912 IP (tos 0x0, ttl 64, id 11950, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x32e3), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374422944 ecr 0,nop,wscale 7], length 0
18:17:02.665920 IP (tos 0x0, ttl 64, id 11951, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x2b0f), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374424948 ecr 0,nop,wscale 7], length 0
18:17:18.713918 IP (tos 0x0, ttl 64, id 11952, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.48268 > 223.130.25.70.2683: Flags [S], cksum 0xbb03 (incorrect -> 0x1b63), seq 3990493292, win 14600, options [mss 1460,sackOK,TS val 374428960 ecr 0,nop,wscale 7], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
看来上述校验和错误是由于校验和卸载造成的,所以我在这里再次发布没有错误的输出。
$# tcpdump -vv -K -n dst host 223.130.25.70
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:02:48.348594 IP (tos 0x0, ttl 64, id 46577, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351711368 ecr 0,nop,wscale 7], length 0
17:02:49.345912 IP (tos 0x0, ttl 64, id 46578, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351711618 ecr 0,nop,wscale 7], length 0
17:02:51.349914 IP (tos 0x0, ttl 64, id 46579, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351712119 ecr 0,nop,wscale 7], length 0
17:02:55.353915 IP (tos 0x0, ttl 64, id 46580, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351713120 ecr 0,nop,wscale 7], length 0
17:03:03.369916 IP (tos 0x0, ttl 64, id 46581, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351715124 ecr 0,nop,wscale 7], length 0
17:03:19.417916 IP (tos 0x0, ttl 64, id 46582, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.100.59820 > 223.130.25.70.2683: Flags [S], seq 2943223161, win 14600, options [mss 1460,sackOK,TS val 351719136 ecr 0,nop,wscale 7], length 0
关于如何尝试追踪此问题,有什么建议吗?
答案1
首先尝试一下:(在客户端)
打开/etc/ssh/ssh_config 并添加以下行:
ServerAliveInterval 60
这将每 60 秒向您的远程主机发送一次保持活动消息。
如果这不起作用,你可以减少时间。
另一种方法(不像第一种方法那么安全)在服务器上,打开/etc/ssh/ssh_config 如果不存在则创建
并添加:
Host *
ServerAliveInterval 240
240 是主机保持 SSH 会话活动的秒数。240
秒后,它将关闭会话。0
表示不保持活动
正如我所说的,最好的做法是让你的客户端继续工作,同时让你的服务器保持紧密。
答案2
尝试禁用一些身份验证方法,例如:
echo "GSSAPIAuthentication no" > /home/`whoami`/.ssh/config