SSH connections dropping after two or so lines
Before you start, make sure that the system time at both ends are synchronized. This helps with the comparison later.
Run tcpdump
at both ends, filtered for TCP port 22. You mention that the client is using PuTTY so I assume Windows. You can get wireshark for Windows and it has a capture capability that you can use in place of tcpdump
.
Using tcpdump
, you would do this with something like: tcpdump -w/tmp/ssh.pcap -s0 -ieth0 port 22
. With wireshark on Windows, you can set up a capture filtered for port 22 using the GUI, and then save the capture to disk.
Now open up both captures with wireshark. Find the point of disconnection. You should be able to see which end initiated the connection shutdown (where does a FIN or RST connection arrive from first?)
You can also check to see if a third party host (eg. a router, or an ISP) is interfering with the connection. You'll identify this if you spot a packet arriving that was never sent from the other side, for example. If this is happening, it is likely to be an RST packet.
nanofarad
Updated on September 18, 2022Comments
-
nanofarad over 1 year
I'm actually having a bit of an odd problem. I'm running Ubuntu Server 12.04, with a minimal set of packages: The base system, sshd, and an IRC server. I must allow someone else to configure the server to connect to their IRC network. However, they seem to be dropping after two lines of ls or cat.
Odder, this only happens on this server, and I haven't been able to reproduce it at all using PuTTY or an ssh client. Where should I look to diagnose this?
auth.log
shows a normal connection and authentication and does not give any details about the drop. fail2ban has no violations with the originating IP address.This is a virtual machine with a forwarded port(it is bridge mode and has normal network connectivity). I can connect locally, across the LAN, and from a remote location with PuTTY without any problems. The other person can connect using
ssh
on Linux but encounters the connection dropping.Server-side logs show nothing out of the ordinary.
-
Admin almost 11 yearsTry connecting with the -vvv option
ssh -vvv user@server
-
Admin almost 11 years@bodhi.zazen and other commenters: I'm working with someone else that's having this issue so I'll respond as soon as I know.
-
Admin almost 11 years-vvv appears to show normal output, and it drops without warning or complaint.
-
Admin almost 11 yearsIs "someone else" connecting from the Internet? Are YOU connecting from the Internet or from LAN? Can you describe or even draw a diagram of your network? Is this server a virtual machine?
-
Admin almost 11 years@EricCarvalho Updated. I pass through the NAT from an otherwise untrusted external address just fine.
-
Admin almost 11 yearsCan you obtain their client logs? The ones attached just show a normal exit - or is that actually the error case?
-
Admin almost 11 years@IlluminAce Those ARE the client logs when the issue comes up.
-
Admin almost 11 yearsWeird! I'd start ruling out pieces with things like
ssh -F /dev/null user@host
to rule out the client's /etc/ssh/ssh_config and .ssh/config... and alsossh -t user@host bash --noprofile --norc
to rule out something happening in /etc/profile,~/.bash_profile,~/.bashrc, etc. If the latter works, I'd run "bash" within the profile-less bash to get a normal bash and see if that exits unexpectedly. -
Admin almost 11 yearsAs bizarre as it sounds, this kind of looks like someone decided
ircd
shouldn't be allowed to log in but couldn't figure out the right way to prevent it, and so they set up a cron job to kill all of that user's processes every 2 seconds instead. However, when I try this, I can only get my bash to print Killed or Hangup instead of exit. Maybe there's something odd in the packaging of whatever IRC daemon you're running? -
Admin almost 11 years@Paul There is no such cronjob. I can log into that account remotely without the issue so it must lie in the other person's client.
-
Admin almost 11 years@Paul That command also does not give any data and stops immediately.
-
-
nanofarad almost 11 yearsOn the server? Or the client?
-
nanofarad almost 11 yearsIf you look at the logs I've linked, you can see that the "dropping" happens in software where the client reports a normal soft disconnection. This has nothing to do with a hard socket failure as far as I can tell.
-
Steven K almost 11 years... but, those logs include the client issuing the "exit" command, at which point the correct behavior is for the connection to drop...?
-
nanofarad almost 11 yearsExactly. The exit command is never issued by either endpoint's user or the server's configuration, so I'm trying to diagnose why the client is doing this.