ssh with Big Sur stuck when connecting to internet hostname with NAT loopback

Spent my morning troubleshooting an issue with the ssh client of macOS 11.7.1.


It would not connect to my LAN rpi using the internet hostname (via NAT loopback from the modem router). Actually, sometimes it worked (1 in 15), most of the time not. It would of course connect right away using a local IP address. It was working fine with other ssh clients (Termius for example), or with the macOS ssh client of Monterey on another Mac.


It would get stuck here:

christophe$ ssh -vvv -i jeedom-xxx.ddns.net pi@jeedom-xxx.ddns.net
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/christophe/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to jeedom-xxx.ddns.net port 22.

After much trying to figure out the issue, I narrowed it down to changing the default value of ConnectTimeout in ssh_config. By default it's 0. If you set it to 10, for example, it works like a charm.


Either you change it in /etc/ssh, or you pass the option on the command line:

ssh -vvv -i jeedom-xxx.ddns.net -o "ConnectTimeout 10" pi@jeedom-xxx.ddns.net


Just felt it was a good thing to share with the community, and I'm open to comments if I missed something obvious that could explain this (weird) behavior.




MacBook Pro 15″

Posted on Dec 10, 2022 4:07 AM

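As an added example (not from the original post), here is the same workaround as a per-host block in ~/.ssh/config instead of a global change to /etc/ssh/ssh_config, so the timeout affects only this host. Per ssh_config(5), ConnectTimeout is the number of seconds ssh itself waits while establishing the connection instead of relying on the system TCP timeout; 0, the default, means ssh sets no timer of its own. The Match block in front of it keeps the single profile the poster wants while skipping the NAT hairpin: when the Mac already holds an address on the home subnet, ssh talks to the Pi's LAN address directly. The LAN address 192.168.1.50, the interface en0, the 192.168.1.0/24 subnet and the IdentityFile name are assumptions for the example; the Match block must come before the Host block because ssh keeps the first value it obtains for each option.

```sshconfig
# Added example, not from the original thread. Assumed values: LAN address
# 192.168.1.50, Wi-Fi interface en0, home subnet 192.168.1.0/24, key file name.

# On the home LAN (the Mac has a 192.168.1.x address) skip the hairpin through
# the modem router and connect to the Pi directly. This must precede the Host
# block below: ssh keeps the first value it obtains for each option.
Match originalhost jeedom-xxx.ddns.net exec "ipconfig getifaddr en0 | grep -q '^192[.]168[.]1[.]'"
    HostName 192.168.1.50

# Same profile from anywhere: away from the LAN the Match above fails and the
# public DDNS name is used as typed.
Host jeedom-xxx.ddns.net
    User pi
    IdentityFile ~/.ssh/jeedom-xxx.ddns.net
    # 0 (the default) sets no ssh-level timer and waits on the system TCP
    # timeout; 10 is the value that made the connection reliable in the post.
    ConnectTimeout 10
```

With this in place the plain `ssh jeedom-xxx.ddns.net` from an iTerm2 profile needs no -i or -o arguments, and `ssh -G jeedom-xxx.ddns.net` prints the HostName and ConnectTimeout that were actually selected, which is a quick way to confirm which branch applied.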

Dec 10, 2022 4:20 AM in response to chrisfromSitten

Nice share!


This might not be Big Sur-specific behaviour but rather the one described in RFC 5128:

Even if the NAT device supports hairpinning, this translation and forwarding step is clearly unnecessary in this situation, and adds latency to the dialog between A and B, besides burdening the NAT.

Because you've set the connection timeout to 0 ms, don't you think it's understandable that sometimes the ssh connection is flaky and doesn't connect in under 0.5 milliseconds (roughly describing your 1/15 success rate)?


Do you have some reason why you're using NAT hairpinning rather than the direct internal IP or Multicast DNS?

Dec 10, 2022 4:49 AM in response to http_teapot

Actually it had worked for a long time in the past (i.e. at least the last 5 years), and stopped working recently (I'd say at some point this year, maybe linked to a macOS update; my laptop is too old for the newest OS).


With the ssh connection timeout set to 0 (the macOS default), my assumption was that the connection would actually never time out, but you may be right, maybe it was expecting an immediate connection (?). Maybe my MacBook is getting too old :-).


To your question about using the hostname and not the IP, it's purely convenience: I use profiles in my terminal (iTerm2), and I want to be able to use the same profile regardless of where I work (on the LAN or outside in other locations).
