SSH Response



avilT
2013-07-12, 05:56
I have two R75.40 clusters, GAIA, 4407.

Cluster-1 is simple firewall without VPN.
Cluster-2 is firewall VPN enabled.

When I ssh to Cluster-1 it's very quick (both the user and the password prompt).
When I ssh to Cluster-2 (with VPN) the username prompt is quick, but the password prompt takes a long time (seconds).

What is the reason behind this?

avilT
2013-07-12, 23:08
It's a DNS issue with reverse look up.
Thank You.

networkingkool
2013-07-13, 02:21
You mean the host in the Host and DNS config section of the GAIA Web UI, don't you?
I also ran into this problem, but under different circumstances.
Please kindly spell it out clearly if you find the solution.

cciesec2006
2013-07-13, 06:44
> You mean the host in the Host and DNS config section of the GAIA Web UI, don't you?
> I also ran into this problem, but under different circumstances.
> Please kindly spell it out clearly if you find the solution.

go into the firewall /etc/resolv.conf file and remove all the nameserver entries. After that your ssh should work very fast.

networkingkool
2013-07-14, 12:37
> go into the firewall /etc/resolv.conf file and remove all the nameserver entries. After that your ssh should work very fast.

Thanks, it works like a charm!
But I do not understand what the nameserver entries in resolv.conf really do. At first I thought they were generated because I configured those DNS servers in the GAIA Web UI. But after I removed those entries, the configuration in the Web UI did not disappear, and the Security Management Server still resolves a name when I create a host node with a public name. My Security GW and Security Management Server are on the same hardware.

cciesec2006
2013-07-14, 16:38
> Thanks, it works like a charm!
> But I do not understand what the nameserver entries in resolv.conf really do. At first I thought they were generated because I configured those DNS servers in the GAIA Web UI. But after I removed those entries, the configuration in the Web UI did not disappear, and the Security Management Server still resolves a name when I create a host node with a public name. My Security GW and Security Management Server are on the same hardware.

If you don't want to remove the DNS servers, the safest approach is:

1- go into expert mode,
2- edit the file /etc/ssh/sshd_config
3- add "UseDNS no"
4- restart sshd service (service sshd restart)
5- now your login should be very fast because sshd does not rely on DNS anymore.
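The steps above are the fix; one detail worth knowing before you apply them is how sshd reads its config: keywords are case-insensitive, `#` lines are comments, and for every keyword the first value obtained wins, so a `UseDNS no` appended at the end of the file does nothing if an earlier line already says `UseDNS yes`. The script below is an added example, not code from this thread or from Check Point; it works on a constructed `sshd_config` in a temporary directory and assumes only POSIX sh, awk and mktemp (all present in Gaia expert mode). Its `effective_usedns` function reports the value sshd will use (or `default`, which is `yes` on the OpenSSH releases of that era), and `set_usedns_no` puts `UseDNS no` at the top and comments out any existing active `UseDNS` lines so the first-wins rule cannot undo the change.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and fix UseDNS in an sshd_config.
# sshd_config rules that matter here (see sshd_config(5)):
#   - keywords are case-insensitive, lines starting with '#' are comments
#   - for each keyword the FIRST value obtained is used, so appending
#     "UseDNS no" after an existing "UseDNS yes" has no effect
#   - if the keyword is absent, the built-in default applies ("yes" on the
#     older OpenSSH shipped with R75.40-era Gaia; it became "no" in OpenSSH 6.8)

# Print the UseDNS value sshd will actually use for the config given as $1:
# "yes", "no", or "default" when no active UseDNS line exists.
effective_usedns() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        tolower($1) == "usedns" {                 # first active match wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "default" }
    ' "$1"
}

# Rewrite the config given as $1 so that UseDNS is definitely "no":
# put "UseDNS no" first and neutralise every existing active UseDNS line.
set_usedns_no() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk '
        BEGIN { print "UseDNS no" }
        !/^[ \t]*#/ && tolower($1) == "usedns" {
            print "# disabled by set_usedns_no: " $0; next
        }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demonstration on a constructed config: a weak file where someone appended
# "UseDNS no" below an earlier "UseDNS yes" (so reverse lookups still run),
# followed by the corrected file.
demo() {
    dir=$(mktemp -d)
    cfg="$dir/sshd_config"
    printf 'Port 22\nUseDNS yes\n# UseDNS no\nUseDNS no\n' > "$cfg"   # constructed sample
    echo "before: UseDNS = $(effective_usedns "$cfg")"     # yes: first value wins
    set_usedns_no "$cfg"
    echo "after:  UseDNS = $(effective_usedns "$cfg")"     # no
    rm -rf "$dir"
}

demo
```

On the real gateway run `set_usedns_no /etc/ssh/sshd_config` from expert mode, then `service sshd restart` as the post says; where the installed OpenSSH supports it, `sshd -T | grep -i usedns` prints the value the daemon will actually use, which is the check to make before blaming DNS again. Remember the later warning in this thread: Gaia rebuilds OS-level files from its database on reboot, so confirm the setting survives a restart.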

melipla
2013-07-15, 09:29
Like avilT said, it's not DNS lookup that is the issue, it's reverse DNS lookup. So yourhost.domain.com might resolve to 10.1.1.1, but 10.1.1.1 does not resolve to yourhost.domain.com (or anything). So whatever IP you're coming from does not have a reverse DNS entry publicly available which is the cause of the delay.

You can also fix this issue by editing the /etc/hosts file on the gateway and adding an entry for yourself, that is assuming you're coming from the same IP address every time.

alienbaby
2013-07-15, 15:47
Be advised: in GAIA, editing any OS-level file directly is a temporary action. When the GAIA box is rebooted, GAIA rebuilds these files from the active DB, just like IPSO.

Add your /etc/hosts modifications using clish or the WebUI instead. I recommend you add an entry for the boxes you most often SSH from to /etc/hosts, using clish/WebUI of course.

Also, gateways doing URL Filtering and other Check Point ThreatCloud-related services require DNS servers to be configured on the gateway.