Tunnel freezing

Pavel Troller patrol at sinus.cz
Thu Oct 26 14:34:42 EST 2006


Hi!
  I hope this list is a good place for my question - I've googled for it first,
but I didn't find any answers.
  I'm trying to use the new ssh IP tunnel feature to get a secure access to
my machine at work, which is behind a firewall/NAT but it has an ssh port
in outbound direction open.
  The problem is that the tunnel freezes occasionally, mostly in one direction
only. The freeze occurs mostly when there is traffic over the tunnel, like
VoIP call or remote X session. I know that this is a unidirectional freeze,
because for example during a VoIP call one party stops hearing the other, but
in the opposite direction the audio is still transferred. I think this is
evidence that the underlying TCP connection is alive, because otherwise it
would stop in both directions (at least due to absence of ACKs) - I've also
monitored its packet queues and they are almost empty.
  My configuration is almost symmetrical at both ends:
  - Linux-2.6.18 kernel
  - OpenSSH-4.4p1 (but 4.3p2 did the same)
  - OpenSSL-0.9.8a
  I'm starting the tunnel by this script (from a host behind a firewall)
# Create a ssh tunnel
ssh -f -w0:1 <host> true
# Wait for tun0 to be created
sleep 3
# Configure tunnel iface
ifconfig tun0 xxx.xxx.xxx.xxx pointopoint xxx.xxx.xxx.xxy
route add -net aaa.aaa.aaa.aaa netmask 255.255.255.0 dev tun0
iptables -A INPUT -i tun0 -s \! aaa.aaa.aaa.aaa/24 -j REJECT

The last two lines establish routing over the tunnel just for my home network
and block the access for others.

The tunnel is terminated in a host which uses the standard technique of a forced
command, which runs ifconfig on the tunnel iface.

The tunnel works normally for hours or sometimes days, then freezes. Sometimes
it gets some "happy days" and remains OK for a really long period of time
(about a month or even longer), but sometimes it freezes in 10 minutes.
I didn't find any reason for this.

Any help would be greatly appreciated!
Please Cc: me, I'm not regularly subscribed to the mailing list. Thanks.
                    With regards,
                            Pavel Troller
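The following is an added diagnostic script, not part of Pavel's post or of OpenSSH. It samples the Linux per-interface packet counters of the tun interface and logs when the tunnel changes between carrying traffic both ways, idle, or stalled in one direction, which is the symptom described above. It assumes Linux sysfs counters under /sys/class/net/<iface>/statistics, an interface named tun0 (override with IFACE=...), and that some traffic (for example a periodic ping to the far end) is flowing so that "idle" and "stalled" can be told apart.

```shell
#!/bin/sh
# Added example, not from the original post: poll the tun interface's
# packet counters and flag a one-directional stall of the kind described.
# Assumptions: Linux sysfs counters under /sys/class/net/<iface>/statistics
# and a tunnel interface named tun0 (override with IFACE=...).
IFACE="${IFACE:-tun0}"
INTERVAL="${INTERVAL:-10}"   # seconds between samples

# read_counter IFACE NAME: print the sysfs counter, or 0 if it cannot be read.
read_counter() {
    cat "/sys/class/net/$1/statistics/$2" 2>/dev/null || echo 0
}

# classify PREV_RX CUR_RX PREV_TX CUR_TX: compare two samples and print
#   ok          both directions carried packets
#   idle        nothing moved either way (cannot tell; generate traffic)
#   rx-stalled  we keep sending but nothing arrives (the one-way freeze)
#   tx-stalled  packets arrive but none leave
#   reset       a counter went backwards (interface was recreated)
classify() {
    rx_delta=$(( $2 - $1 ))
    tx_delta=$(( $4 - $3 ))
    if [ "$rx_delta" -lt 0 ] || [ "$tx_delta" -lt 0 ]; then
        echo reset
    elif [ "$rx_delta" -gt 0 ] && [ "$tx_delta" -gt 0 ]; then
        echo ok
    elif [ "$rx_delta" -eq 0 ] && [ "$tx_delta" -eq 0 ]; then
        echo idle
    elif [ "$rx_delta" -eq 0 ]; then
        echo rx-stalled
    else
        echo tx-stalled
    fi
}

# monitor: sample the counters every INTERVAL seconds and log a line each
# time the state changes, so the log shows exactly when a freeze began.
monitor() {
    prev_rx=$(read_counter "$IFACE" rx_packets)
    prev_tx=$(read_counter "$IFACE" tx_packets)
    last_state=""
    while sleep "$INTERVAL"; do
        cur_rx=$(read_counter "$IFACE" rx_packets)
        cur_tx=$(read_counter "$IFACE" tx_packets)
        state=$(classify "$prev_rx" "$cur_rx" "$prev_tx" "$cur_tx")
        if [ "$state" != "$last_state" ]; then
            echo "$(date '+%F %T') $IFACE $state rx=$cur_rx tx=$cur_tx"
            last_state=$state
        fi
        prev_rx=$cur_rx
        prev_tx=$cur_tx
    done
}

# Run the polling loop only when invoked as:  sh tunmon.sh run
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Run it on one end next to a slow ping to the other end's tunnel address; a log line reading rx-stalled while the ssh TCP session itself is still established narrows the problem to the tun forwarding inside the ssh channel rather than to the underlying TCP connection, which matches the observation that the audio keeps flowing in one direction.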



More information about the openssh-unix-dev mailing list