[Info-vax] Eisner connection problems, was: Re: Facebook service outage

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Oct 5 15:51:33 EDT 2021 

On 2021-10-05, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
> On 2021-10-05 12:10:34 +0000, Simon Clubley said:
>
>> On 2021-10-04, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>>> 
>>> I haven't been able to get to Eisner for a while, but haven't bothered  
>>> to dig into the details.
>>> 
>>> $ dig +short eisner.decuserve.org
>>> 216.41.237.174
>>> $ dig +short decuserve.org
>>> 184.168.131.241
>>> $
>>> 
>> 
>> I'm using eisner.decus.org to connect to Eisner, which gives the same 
>> IP address as your first example.
>> 
>>> ssh: connect to host eisner.decuserve.org port 22: Connection refused
>>> 
>>> Local ssh here is OpenSSH_8.1p1, LibreSSL 2.7.3.
>>> 
>> 
>> Do you have any local manual host name table entries for that domain 
>> name which point to a different IP address ?
>
> While Eisner DNS has been scattershot for a while and some of the older 
> entries now go to a corporate web login portal, if I'm getting the same 
> IP address translations as you are, then I'm not hitting a difference 
> caused by local DNS services or by local hosts entries.
>
>> What happens when you try ping ?
>
> ping pings.
>
> traceroute:
> ...
>  8  ip4.gtt.net (208.116.129.178)  21.771 ms  21.776 ms  21.781 ms
>  9  216.41.236.33 (216.41.236.33)  23.490 ms  23.559 ms  23.314 ms
> 10  216.41.236.122 (216.41.236.122)  23.417 ms  23.516 ms  23.391 ms
> 11  216.41.236.122 (216.41.236.122)  24.949 ms  24.593 ms  24.554 ms
> $ dig +short eisner.decus.org
> 216.41.237.174
> $
>

I have had problems with IP address ranges being blocked by VSI in
the past, but that blocked everything, including ping, so it doesn't
appear to be a simple IP address range blocking.

One other possibility might be that your ISP is rejecting outgoing
port 22 connections from their customers and they might be the one
who are issuing a TCP/IP level connection reject.

Does a direct SSH connection (ie: not via a VPN) to any other server
work from your machine ?

Do you have a valid DNS PTR record for the public IP address of your
machine ?

Has anyone else seen this while connecting to Eisner ?

>
> Both config and ssh_config referenced above are currently entirely 
> commented out.
>
> As I'm getting rejected by the ssh server or seemingly something just 
> ahead of the ssh server, that implies the ssh client and ssh server or 
> the firewall don't want to play.
>

If it was the SSH server, I would have expected the TCP/IP level
connection to be accepted and then immediately terminated by the
SSH server with a SSH specific error message.

> This all reeks of destination firewall settings or of related 
> port-forwarding settings, too. Which is why I haven't bothered to 
> pursue it.
>
> VSI is porting OpenSSH, which will help with ssh support more generally.
>

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

More information about the Info-vax mailing list