Networking

ssh 無法建立連接

  • February 3, 2020

我有幾台機器連接在同一個網路上:

  • 答:134.157.xxx.xxx
  • B: 134.157.yyy.yyy
  • C: 134.157.zzz.zzz

我的問題是A無法再連接到C。但是:

  • A 可以 ssh 到 A 和 B
  • B 可以 ssh 到 A 和 B 和 C
  • C 可以 ssh 到 A 和 B 和 C

以下是 A 的一些命令輸出:

~$ telnet 134.157.zzz.zzz 22
Trying 134.157.zzz.zzz...
telnet: Unable to connect to remote host: Connection timed out
~$ ping 134.157.zzz.zzz
PING 134.157.zzz.zzz (134.157.zzz.zzz) 56(84) bytes of data.
64 bytes from 134.157.zzz.zzz: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 134.157.zzz.zzz: icmp_seq=2 ttl=64 time=0.315 ms
64 bytes from 134.157.zzz.zzz: icmp_seq=3 ttl=64 time=0.314 ms
^C
--- 134.157.zzz.zzz ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2082ms
rtt min/avg/max/mdev = 0.283/0.304/0.315/0.014 ms
~$ ssh -vvv 134.157.zzz.zzz
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "134.157.zzz.zzz" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 134.157.zzz.zzz [134.157.zzz.zzz] port 22.
debug1: connect to address 134.157.zzz.zzz port 22: Connection timed out
ssh: connect to host 134.157.zzz.zzz port 22: Connection timed out

它以前已經工作過,沒有更改配置文件,重新啟動 A 不會改變任何內容。

我應該如何調查?

$$ edit $$

# on C
~$ tcpdump src 134.157.xxx.xxx -vv -i eno3
~$ tcpdump src 134.157.yyy.yyy -vv -i eno3
# on A
~$ ssh 134.157.zzz.zzz
# on B
~$ ssh 134.157.zzz.zzz

只有在 B 上啟動的命令才會在 C 上給出輸出。

$$ /edit $$

$$ second edit $$

# on A
~$ tcpdump -vv -i any dst 134.157.zzz.zzz
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:32:18.609219 IP (tos 0x0, ttl 64, id 24010, offset 0, flags [DF], proto TCP (6), length 60)
   AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xf9fc (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209953097 ecr 0,nop,wscale 7], length 0
12:32:19.628185 IP (tos 0x0, ttl 64, id 24011, offset 0, flags [DF], proto TCP (6), length 60)
   AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xf601 (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209954116 ecr 0,nop,wscale 7], length 0
12:32:21.676188 IP (tos 0x0, ttl 64, id 24012, offset 0, flags [DF], proto TCP (6), length 60)
   AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xee01 (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209956164 ecr 0,nop,wscale 7], length 0
# and so on until timeout

$$ /second edit $$

$$ third edit $$

# on A
~$ arp -an # contains 134.157.zzz.zzz with correct hardware address
~$ arp -d 134.157.yyy.yyy # success
~$ arp -d 134.157.zzz.zzz # error (see below)
SIOCDARP(dontpub): Network is unreachable
# on C
~$ arp -an # does not contain 134.157.xxx.xxx
~$ arp -s 134.157.xxx.xxx aa:aa:aa:aa:aa:aa # adds it, but solves nothing
~$ 

$$ /third edit $$

$$ fourth edit $$

# After a while running
# tcpdump -vv -i any dst 134.157.zzz.zzz
# on A, I finally got
13:19:09.716711 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.mmm.mmm, length 46
13:23:55.162747 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.nnn.nnn, length 46
13:29:59.119983 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.nnn.nnn, length 46
# which is strange...

$$ /fourth edit $$

我終於找到了問題:A 上的網路遮罩錯誤(255.255.255.128 而不是 255.255.255.0)。我們可能在更新網路時錯過了這一點。

由於 ICMP 在 A 和 C 之間工作,因此此問題可能發生在堆棧的較高層上。由於 B 可以到達 C,因此不太可能在應用層。

我的猜測是防火牆限制。

為了驗證,我將使用 tcpdump 或類似工具來查看接收和發送的數據包 - 從 C 上的 tcpdump 開始,查看它是否從 A 接收數據包,然後向後工作。

引用自:https://serverfault.com/questions/1001095