making a tcp connection takes a long time
Hi all,

we have a 192.168.0/24 and a 192.168.3/24 subnet here. They are linked to each other with two Ethernet routers; between these routers there is another network, 192.168.2/24. Okay, the net between the routers doesn't have to be that big at all, but it made setting up the routers easier.

When we do an ssh, telnet, ftp, ldap or anything except an smb or an http connection between these subnets, there is almost always an enormous delay before the connection is established (one minute or more). It does not matter whether a hostname or an IP address is used. But ICMP packets go through just fine.

I think only TCP packets are affected, and I'm not really sure, but this phenomenon seems to happen only when connecting to SuSE hosts (most of our hosts are SuSE based, but I set up some workstations with a floppy distribution on both subnets and connecting to them was just fine every time I tried it; doing ssh to the routers is also fine).

Are there any parameters to set to make this configuration work? Disable protection for IP spoofing, maybe?

At the end of this mail I put the routing tables of the routers and the output of some traceroutes from one subnet to the other.

Thank you for having a look at this!

Dirk Festerling
- IT Department -
Hotset Heizpatronen und Zubehör GmbH, Wefelshohler Str. 48, 58511 Lüdenscheid
Tel: +49 2351 4302-601
Fax: +49 2351 4302-611
eMail: DFesterling@hotset.de

------------------------------------------
ping and traceroute do fine:

192.168.0.23# traceroute -n 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 40 byte packets
 1  192.168.0.158  1 ms  1 ms  0 ms
 2  192.168.2.1  1 ms  1 ms  1 ms
 3  192.168.3.2  2 ms  1 ms  1 ms

192.168.3.2# traceroute -n 192.168.0.23
traceroute to 192.168.0.23 (192.168.0.23), 30 hops max, 40 byte packets
 1  192.168.3.1  1 ms  1 ms  1 ms
 2  192.168.2.2  1 ms  1 ms  1 ms
 3  192.168.0.23  2 ms  2 ms  2 ms

the routing tables on the routers show up like this:

192.168.0.158# route -n
Kernel routing table
Destination     Gateway         Genmask         Flags MSS Window Use Iface
192.168.3.0     192.168.2.1     255.255.255.0   UG    0   0      0   eth1
192.168.2.0     *               255.255.255.0   U     0   0      0   eth1
192.168.0.0     *               255.255.255.0   U     0   0      0   eth0
127.0.0.0       *               255.0.0.0       U     0   0      0   lo

192.168.3.1# route -n
Destination     Gateway         Genmask         Flags MSS Window Use Iface
192.168.3.0     *               255.255.255.0   U     0   0      0   eth1
192.168.2.0     *               255.255.255.0   U     0   0      0   eth0
192.168.0.0     192.168.2.2     255.255.255.0   UG    0   0      0   eth0
127.0.0.0       *               255.0.0.0       U     0   0      0   lo
> When we do an ssh, telnet, ftp, ldap or anything except an smb or an http
> connection between these subnets, there is almost always an enormous delay
> before the connection is established (one minute or more).

This is a typical DNS problem. Most programs (sshd, telnetd, etc.) check the existence and validity of a hostname (reverse lookup & lookup). You can either run your own DNS server or put every hostname in the /etc/hosts of every machine.

> It does not matter whether a hostname or an IP address is used. But ICMP
> packets go through just fine.

This is because ping doesn't look up the host name if you give it an IP address.

> I think only TCP packets are affected, and I'm not really sure, but this
> phenomenon seems to happen only when connecting to SuSE hosts (most of our
> hosts are SuSE based, but I set up some workstations with a floppy
> distribution on both subnets and connecting to them was just fine every
> time I tried it; doing ssh to the routers is also fine).

This is because most floppy distributions have no DNS support, since it isn't that necessary in this area (and not so common, too).

hth
Markus

--
_____________________________      /"\
Markus Gaugusch  ICQ 11374583      \ /    ASCII Ribbon Campaign
markus@gaugusch.dhs.org             X     Against HTML Mail
                                   / \
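
The reverse lookup followed by a forward lookup that the reply above describes can be reproduced and timed per client address with the sketch below. It is an added example, not part of the original thread; the hostname server23.example.test, the sample tables and the 60-second miss cost are constructed, and the verdict names are this example's own.

```python
import socket
import sys
import time
from collections import namedtuple

Check = namedtuple("Check", "ip hostname verdict seconds slow")

def check_client(ip, reverse=socket.gethostbyaddr,
                 forward=socket.gethostbyname_ex,
                 clock=time.monotonic, slow_after=2.0):
    """Time the reverse lookup and forward confirmation for one client IP."""
    start = clock()
    hostname, verdict = None, "no-ptr"
    try:
        hostname = reverse(ip)[0]                  # IP -> name (DNS PTR or /etc/hosts)
        addrs = forward(hostname)[2]               # name -> list of IPs
        verdict = "ok" if ip in addrs else "mismatch"
    except OSError:                                # socket.herror / socket.gaierror
        if hostname is not None:
            verdict = "no-forward"
    seconds = clock() - start
    return Check(ip, hostname, verdict, seconds, seconds > slow_after)

# Constructed sample data: one server that is listed, nothing else.
SAMPLE_PTR = {"192.168.0.23": "server23.example.test"}
SAMPLE_A = {"server23.example.test": ["192.168.0.23"]}

def sample_resolvers(miss_cost=60.0):
    """Fake resolvers and clock; an unlisted IP 'costs' miss_cost seconds."""
    now = [0.0]
    def reverse(ip):
        if ip not in SAMPLE_PTR:
            now[0] += miss_cost                    # simulated resolver timeout
            raise socket.herror(1, "Unknown host")
        return (SAMPLE_PTR[ip], [], [ip])
    def forward(name):
        if name not in SAMPLE_A:
            raise socket.gaierror(-2, "Name or service not known")
        return (name, [], SAMPLE_A[name])
    return reverse, forward, lambda: now[0]

if __name__ == "__main__":
    if sys.argv[1:]:                               # real lookups, run on the server
        for ip in sys.argv[1:]:
            print(check_client(ip))
    else:                                          # offline demo on the sample data
        rev, fwd, clk = sample_resolvers()
        for ip in ("192.168.0.23", "192.168.3.2"):
            print(check_client(ip, rev, fwd, clk))
```

Run with client addresses as arguments on the host that accepts the connections; any address reported as slow or with a verdict other than ok is a candidate for a DNS or /etc/hosts entry.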
Wow, for testing purposes I added the hostname of 192.168.3.2 to /etc/hosts of 192.168.0.158 - and everything was fast as lightning. There is a DNS server running, but only servers are listed here - so I guess I have to put up entries for the DHCP clients too...

Thank you all!

Dirk Festerling
- IT Department -
Hotset Heizpatronen und Zubehör GmbH, Wefelshohler Str. 48, 58511 Lüdenscheid
Tel: +49 2351 4302-601
Fax: +49 2351 4302-611
eMail: DFesterling@hotset.de
-----Original Message-----
From: suse-security-return-6568-DFesterling=hotset.de@ns2.suse.com [mailto:suse-security-return-6568-DFesterling=hotset.de@ns2.suse.com] On behalf of Markus Gaugusch
Sent: Tuesday, 10 April 2001 08:15
To: Dirk Festerling
Cc: suse-security@suse.com
Subject: Re: [suse-security] making a tcp connection takes a long time