X11 forwarding over ssh applications very slow to start

7,087

Solution 1

Problem is that ssh does things on the loopback with ipv6 and I had ip6tables setup to drop all traffic. Just did the following and it works now:

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A FORWARD -i lo -o lo -j ACCEPT

Thanks to ezakimak on #gentoo for pointing out the ipv6 angle.

Solution 2

What is the latency/RTT to the server (a simple ping would suffice)? What application you are trying to start?

X11 is a synchronous protocol, with serialized drawing call. If the latency is high or the application execute many drawing call, its load time will increase.

If you can, you should install freenx on the server and use a nx client (eg: remmina or nomachine.com client): they work by de-serializing X11 drawing calls, giving much improved performances.

Share:
7,087

Related videos on Youtube

CrazyCasta
Author by

CrazyCasta

Updated on September 18, 2022

Comments

  • CrazyCasta
    CrazyCasta over 1 year

    I have a server that is extremely slow (takes 3-5 minutes) at starting X11 applications over a forwarded X11 link. I have tried connecting to it with 2-3 different machines with different operating systems. After the applications start everything seems to be fine. I am connecting using trusted X11 forwarding (ssh -Y) and using cert based authentication (not that that should matter).

    The operating system is Gentoo Linux on amd64. None of the applications give any messages related to the X environment (one shows nothing, another just a standard welcome message and the last an error message about a resource being in use (which the window that finally popped up told me about as well).

    As per Bertera's suggestion I ran with the -v option. It doesn't print anything until the window shows up when it prints:

    debug1: client_input_channel_open: ctype x11 rchan 3 win 87380 max 16384
    debug1: client_request_x11: request from 127.0.0.1 43716
    debug1: channel 1: new [x11]
    debug1: confirm x11
    

    Also, I have tested ssh port forwarding and it is extremely slow as well (and I'm guessing this could be the problem with the X11 forwarding).

    • Dom
      Dom about 11 years
      check if your IP address is known in all the servers. Check the logs, you will maybe see an IP instead of a FQDN.
    • Bertera
      Bertera about 11 years
      maybe a DNS issue ? try to use -v option to see where ssh stuck.
    • CrazyCasta
      CrazyCasta about 11 years
      I'm unclear how DNS could be related to this. In any case, if I connect to the IP instead of the FQDN it still takes a really long time. As for using the -v option, nothing is printed out at the point that it gets stuck.
    • CrazyCasta
      CrazyCasta about 11 years
      P.S. Just to be clear, it's not the ssh connection that is taking forever, it's the starting of an application after having connected.
    • MastaJeet
      MastaJeet about 11 years
      To troubleshoot you could run tcpdump on the xserver, filtering for traffic from the client. If there is no traffic then something is happening on the client. If there is a large amount of traffic it may be the X protocol being chatty. I believe for modern apps the client renders the decorations and will have to be initially transmitted as bitmaps to the server, which caches them thereafter.
  • Michael Hampton
    Michael Hampton about 11 years
    Of course. localhost is an IPv6 address by default, and port forwards connect/bind to/from localhost on the remote system.
  • CrazyCasta
    CrazyCasta about 11 years
    No, it all depends on how the listener is listening. On my machine localhost is 127.0.0.1, but because ssh is listening on an IPv6 socket it uses the IPv6 version of that.
  • CrazyCasta
    CrazyCasta about 9 years
    As you see, I've already figured out the problem. Furthermore I have no interest in installing extra junk like nomachine.
  • Felix Frank
    Felix Frank over 8 years
    @CrazyCasta ...and that's why you downvoted a seemingly legitimate answer?
  • CrazyCasta
    CrazyCasta over 8 years
    @FelixFrank Yes, when there's already an answer completely that completely fixes the problem I don't see the point in adding an answer 1) asks questions 2) provides an incorrect answer (has nothing to do with the X11 serialization) and 3) suggests that I try some other software for a problem that I've already fixed. It doesn't rise to the level of flagging the answer, but I don't see it as constructive.
  • Felix Frank
    Felix Frank over 8 years
    @CrazyCasta I disagree completely. Yes, your particular issue was solved, but for future readers of your questions (e.g., your's truly), shodanshok's answer is actually more helpful because it offers general approaches that are valuable even in the general case when the reader does not happen to suffer from your exact issue.
  • Walter A
    Walter A about 4 years
    My ip6tables -L INPUT showed policy DROP. Even a simple ssh localhost exit was very slow. After ip6tables -P INPUT ACCEPT it was fixed.
  • CrazyCasta
    CrazyCasta about 4 years
    @WalterA You really really don't want to do ip6tables -P INPUT ACCEPT. You should do like I did, or open other ports on a one-by-one basis so as not to compromise your firewall.
  • Walter A
    Walter A about 4 years
    @CrazyCasta I never heard of ip6tables before I found your post. When I compared 2 sites where one was working and the other not, I found that the other had INPUT ACCEPT. Other options I found was changing sshd_config, that looked like a worse solution. Just now I understand that -i lo limits the ACCEPT rule to the loopback interface. Tx!