Re: something is randomly closing ssh-tunnels (was: ipfilter randomly dropping..)

[Manuel Bouyer <bouyer%antioche.eu.org@localhost>]

On Mon, Jun 23, 2014 at 12:24:08PM +0200, Petar Bogdanovic wrote:
> During the past few weeks the ssh-tunnels to a remote machine started
> failing randomly.  In a previous mail to tech-net I prematurely blamed
> ipfilter because disabling it yielded some immediate success.
> 
> Unfortunately, subsequent testing showed that having npf enabled instead
> eventually lead to the same issues.
> 
> What I know:
> 
>       * the server suddenly FINs the connection
>       * the server ignores everything after that and sends about 20-30
>         RSTs for lots of late ACKs sent by the client
>       * ipmon is able to track the connection but misses the FIN
>       * yet ipfilter manages to update its state table and reduces the
>         TTL of the connection from 24h to 30s
>       * a server-tcpdump captures the FIN
>       * a client-tcpdump captures the same FIN
>       * according to wireshark, the FINs in both pcaps have sequence
>         numbers that indicate lost segments (which at least in one
>         case makes little sense since it was captured directly at the
>         source)
>       * ssh and sshd both never try to tear down the connection
>       * ssh reports that the remote end has closed the connection
>       * sshd bails on a failed write() with ENETUNREACH

So it could actually have closed the connection after that.
Did your tcpdump sequences also capture ICMP traffics ?
Did an ICMP network unreacheable packet show up ?

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--