Intermediate-level SSH problems

[cg]

Hi all.

Here's the setup:  I work for a company with multiple sites.  There are a couple of sites where we want to closely monitor network traffic, so I built a TC box with TShark and OpenSSH installed, which we then cloned (after making sure everything worked).  The boxes have two ethernet jacks - the one on the motherboard, and a second one on a card - one jack is for SSH, the other is for TShark to monitor.  In the IT shop, when I fully plug in the computer, it works fine.

Here's the problem:  When I plug the computer in at a remote location, I can connect to it via SSH for a few minutes, but I inevitably get an error message from PuTTY that says "Software caused connection to abort".  If I try to reconnect, I get a second error message that says "Connection Refused".

Here are my questions:  1) What the heck's going on here?  2) Will there be logs that I can look at to figure out if something's misconfigured?  If so, where are they? 3) How come it works in the IT shop, but not on location?  (Note:  I can't SSH into the computer even when I'm at the same location, unless it's at the shop.  I have not tried to SSH into a computer at the shop from elsewhere.)

Thanks in advance!

[curaga]

No logs are saved or collected by default. To enable logging use the syslog bootcode, to save the logs across reboots add /var/log to your backup.

[tinypoodle]

After you lose your ssh connection, can you ping and traceroute the IP of given box or not?

[cg]

After you lose your ssh connection, can you ping and traceroute the IP of given box or not?

Yes, the un-SSH-able box responds to ping and is traceroutable.

[tinypoodle]

Poking in the mist - try to replace openssh by dropbear and see what then happens?

[Rich]

Hi cg
If you disable TShark in the un-SSH-able box, do your ssh problems go away?

[cg]

Hi cg
If you disable TShark in the un-SSH-able box, do your ssh problems go away?

Hi Rich,

I haven't tried disabling TShark, since having TShark running is exponentially more important than having SSH behave.  We can go collect the boxes and analyze the captures here at the shop if we have to; SSH just makes it more convenient.

Is there some conflict with TShark and SSH that can cause this sort of thing?  I'm going to feel very silly if there is and I didn't know about it.

[Rich]

Hi cg

Is there some conflict with TShark and SSH that can cause this sort of thing?

The best way to find out, is to disable TShark in a problematic box located at its normal site. If the problem
goes away, then it may be an interaction between the two apps, possibly just a set-up problem. If the problem
remains, you know to look elsewhere, possibly excessive noise pickup on your network cable(s). The key to
finding a problem is to be able to make the symptoms come and go at will. If you can't reproduce the problem
in the lab, that means trying things in the field. You could also try to mimic the field environment as closely as
possible in the lab to see if you can reproduce the problem. Try hammering a box with real data to the Tshark
port in the lab. I'm pretty sure there utilities you can use to replay traces collected by TShark.

[cg]

The key to finding a problem is to be able to make the symptoms come and go at will. If you can't reproduce the problem in the lab, that means trying things in the field. You could also try to mimic the field environment as closely as possible in the lab to see if you can reproduce the problem. Try hammering a box with real data to the Tshark port in the lab. I'm pretty sure there utilities you can use to replay traces collected by TShark.

Very good points; I'll look into them.  Thanks!

[tinypoodle]

The best way to find out, is to disable TShark in a problematic box located at its normal site. If the problem
goes away, then it may be an interaction between the two apps, possibly just a set-up problem. If the problem
remains, you know to look elsewhere, possibly excessive noise pickup on your network cable(s). The key to
finding a problem is to be able to make the symptoms come and go at will. If you can't reproduce the problem
in the lab, that means trying things in the field.

My suggestion to try replacing openssh by dropbear was in a very similar spirit

[cg]

The best way to find out, is to disable TShark in a problematic box located at its normal site. If the problem
goes away, then it may be an interaction between the two apps, possibly just a set-up problem. If the problem
remains, you know to look elsewhere, possibly excessive noise pickup on your network cable(s). The key to
finding a problem is to be able to make the symptoms come and go at will. If you can't reproduce the problem
in the lab, that means trying things in the field.

My suggestion to try replacing openssh by dropbear was in a very similar spirit

Duly noted!