group.of.nepali.translators team mailing list archive

[Bug 1874257] Re: SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS

 

Yeah Dan, thanks for chiming in.
In particular that would be at least (but not limited to) the changes:

8.04
Rework DTLS MTU detection. (#10)
7.08
Support automatic DTLS MTU detection with OpenSSL.
7.07
Automatic DTLS MTU detection.

Ubuntu has these newer versions.
Bionic 18.04 is on 7.08 and the most recent LTS Focal is at 8.05.
The current development release is at the latest 8.09 of openconnect.

These are new features added in 7.07 and 7.08 - IMHO they do not qualify
for a SRU release into Xenial [1] - especially since you can "get away"
with a config change that mitigates the issue.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

** Also affects: openssh (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: openconnect (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** No longer affects: linux (Ubuntu Xenial)

** No longer affects: openssh (Ubuntu Xenial)

** Changed in: openssh (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: openconnect (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: openconnect (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: openconnect (Ubuntu Xenial)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1874257

Title:
  SSH fails with connection timed out - in VPN and hangs here "expecting
  SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS

Status in linux package in Ubuntu:
  Invalid
Status in openconnect package in Ubuntu:
  Fix Released
Status in openssh package in Ubuntu:
  Invalid
Status in openconnect source package in Xenial:
  Confirmed

Bug description:
  Hello Team,

  SSH timeout issue once connected to the VPN.

  Environment

  ======
  Dell XPS 9570 
  Ubuntu 16.04.6 (Xenial Xerus)
  kernel - 4.15.0-55-generic

  $dpkg -l | grep -i openssh
  ii  openssh-client     1:7.2p2-4ubuntu2.8  --> 
  ii  openssh-server     1:7.2p2-4ubuntu2.8          
  ii  openssh-sftp-server  1:7.2p2-4ubuntu2.8        

  
  VPN tunnel info 
  ====
  vpn0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
            inet addr:IP  P-t-P:xx  Mask:255.255.252.0
            inet6 addr: fe80::b8e2:bea4:2e62:fe08/64 Scope:Link
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1406  Metric:1
            RX packets:962 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1029 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:500
            RX bytes:87839 (87.8 KB)  TX bytes:238740 (238.7 KB)

  Issue
  ====
  Unable to connect to any host via ssh or sftp after VPN connection 

  Tried 
  =====

  Reinstalled the openssh-client package and still no luck. May I know
  why the default cipher is not taking/hanging? Please let me know.
  There were no recent changes.

  
  Workaround
  ===
  Able to connect to ssh / sftp with:
  $ ssh -c aes128-ctr user@IP

  
  Below are the debug ssh client logs
  ======

  $ssh -vvv  user@ip
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug2: resolving "IP" port 22
  debug2: ssh_connect_direct: needpriv 0
  debug1: Connecting to IP [IP] port 22.
  debug1: Connection established.
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_rsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
  debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
  debug2: fd 3 setting O_NONBLOCK
  debug1: Authenticating to IP:22 as 'user'
  debug3: send packet: type 20
  debug1: SSH2_MSG_KEXINIT sent
  debug3: receive packet: type 20
  debug1: SSH2_MSG_KEXINIT received
  debug2: local client KEXINIT proposal
  debug2: KEX algorithms: curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
  debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
  debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
  debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
  debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
  debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
  debug2: compression ctos: none,zlib@xxxxxxxxxxx,zlib
  debug2: compression stoc: none,zlib@xxxxxxxxxxx,zlib
  debug2: languages ctos:
  debug2: languages stoc:
  debug2: first_kex_follows 0
  debug2: reserved 0
  debug2: peer server KEXINIT proposal
  debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
  debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
  debug2: ciphers ctos: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
  debug2: ciphers stoc: chacha20-poly1305@xxxxxxxxxxx,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx
  debug2: MACs ctos: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
  debug2: MACs stoc: umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
  debug2: compression ctos: none,zlib@xxxxxxxxxxx
  debug2: compression stoc: none,zlib@xxxxxxxxxxx
  debug2: languages ctos:
  debug2: languages stoc:
  debug2: first_kex_follows 0
  debug2: reserved 0
  debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
  debug1: kex: client->server cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
  debug3: send packet: type 30
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

  << Hangs here >>

  Please shed some views

  Thanks
  Jay

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1874257/+subscriptions
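
A triage helper for the client trace in the bug description, added here as an example and not part of the original report or of OpenSSH: it replays the `debug3` packet lines of an `ssh -vvv` log and reports which key-exchange message the client was still waiting for when the log ends. The function name `diagnose`, the shortened trace excerpt and the constructed healthy continuation are assumptions for illustration.

```python
import re

# Key-exchange message numbers from RFC 4253 and RFC 5656.
MSG_NAMES = {20: "SSH2_MSG_KEXINIT", 21: "SSH2_MSG_NEWKEYS",
             30: "SSH2_MSG_KEX_ECDH_INIT", 31: "SSH2_MSG_KEX_ECDH_REPLY"}
PACKET_RE = re.compile(r"debug3: (send|receive) packet: type (\d+)")
FIELD_RES = {
    "kex": re.compile(r"debug1: kex: algorithm: (\S+)"),
    "cipher": re.compile(r"debug1: kex: server->client cipher: (\S+)"),
    "expecting": re.compile(r"debug1: expecting (\S+)"),
}

# Shortened excerpt of the client trace quoted in the bug description.
STALLED_TRACE = """\
debug3: send packet: type 20
debug3: receive packet: type 20
debug1: kex: algorithm: curve25519-sha256@xxxxxxxxxx
debug1: kex: server->client cipher: chacha20-poly1305@xxxxxxxxxxx MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
"""

# Constructed continuation: what a completed exchange logs next.
HEALTHY_TRACE = STALLED_TRACE + """\
debug3: receive packet: type 31
debug3: send packet: type 21
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
"""


def diagnose(log_text):
    """Report how far the key exchange got in an `ssh -vvv` client trace."""
    result = {"kex": None, "cipher": None, "expecting": None,
              "sent": [], "received": []}
    for line in log_text.splitlines():
        packet = PACKET_RE.search(line)
        if packet:
            direction, number = packet.groups()
            name = MSG_NAMES.get(int(number), "type " + number)
            result["sent" if direction == "send" else "received"].append(name)
            if direction == "receive":
                result["expecting"] = None  # the peer answered
            continue
        for field, regex in FIELD_RES.items():
            match = regex.search(line)
            if match:
                result[field] = match.group(1)
    result["stalled"] = result["expecting"] is not None  # still waiting at end of log
    return result
```

A trace that stalls after `SSH2_MSG_KEXINIT` was received in both directions shows that small packets cross the tunnel, which is the pattern worth comparing against the tunnel MTU.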