IBM Support

OpenSSH connections might fail if using network load-balancing utilities

Troubleshooting


Problem

If a network load-balancing utility, such as VIPA or F5, is in use, incoming z/OS OpenSSH client connections can fail. (Clients are utilities such as ssh, scp, and sftp.)

Symptom

OpenSSH client connections fail.  

Cause

When an IP load balancer is in use, it might not be possible to reverse map the destination host and client IP addresses.

Diagnosing The Problem

To verify, collect a server-side (sshd) trace of the failing incoming connection and determine whether the failure is related to reverse mapping DNS addresses, similar to:

debug3: Trying to reverse map address xxx.xxx.xxx.xxx.              
fatal: FOTS1450 Timeout before authentication for xxx.xxx.xxx.xxx   

Resolving The Problem

Resolve this problem by updating the sshd_config file (/etc/ssh/sshd_config) to set the UseDNS option to "no":

UseDNS no

(You might need to uncomment or define it. The default is "no"; prior to z/OS 2.4, the default was "yes".) Then, restart sshd to pick up the changed configuration.

This setting prevents sshd from trying to reverse map the IP address of the incoming connection.
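
A check that automates the diagnosis above, as an added example that is not IBM code: it looks in a saved sshd trace for an address that was reverse mapped and then hit FOTS1450, and reports the first uncommented UseDNS value in sshd_config. The function names, verdict strings and sample data (address 192.0.2.10) are constructed, and the rule that the first uncommented occurrence of a keyword wins is standard OpenSSH behaviour assumed to hold for z/OS OpenSSH.

```shell
#!/bin/sh
# Added example (not IBM code). Names, verdicts and sample data are constructed.

# Print the effective UseDNS value: the first uncommented occurrence wins;
# "unset" means the release default applies.
effective_usedns() {
    awk '
        /^[ \t]*#/ { next }                # skip commented-out lines
        { sub(/=/, " ") }                  # accept the "UseDNS=no" form
        tolower($1) == "usedns" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print each address that was reverse mapped and then hit FOTS1450.
reverse_map_timeouts() {
    awk '
        /Trying to reverse map address/ {
            addr = $NF; sub(/\.$/, "", addr)   # drop the trailing period
            tried[addr] = 1
        }
        /FOTS1450 Timeout before authentication for/ {
            if (($NF in tried) && !($NF in seen)) { print $NF; seen[$NF] = 1 }
        }
    ' "$1"
}

# usage: diagnose TRACE_FILE SSHD_CONFIG
diagnose() {
    hits=$(reverse_map_timeouts "$1")
    mode=$(effective_usedns "$2")
    if [ -z "$hits" ]; then echo "no-match"            # a different failure
    elif [ "$mode" = "no" ]; then echo "usedns-already-no"   # was sshd restarted?
    elif [ "$mode" = "unset" ]; then echo "unset-check-release-default"
    else echo "set-usedns-no"
    fi
}

# Constructed sample data (documentation address), not a real trace.
demo_dir="${TMPDIR:-/tmp}/usedns_demo.$$"
mkdir -p "$demo_dir"
cat > "$demo_dir/sshd.trace" <<'EOF'
debug3: Trying to reverse map address 192.0.2.10.
fatal: FOTS1450 Timeout before authentication for 192.0.2.10
EOF
printf '#UseDNS no\nUseDNS yes\n' > "$demo_dir/sshd_config"
diagnose "$demo_dir/sshd.trace" "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

On a real system, pass the saved sshd trace and /etc/ssh/sshd_config as the two arguments to diagnose.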

Product Synonym

ssh; sshd; sftp; scp

Document Information

Modified date:
03 February 2026

UID

ibm10732171