OpenSSH connections might fail if using network load-balancing utilities

Troubleshooting

Problem

If a network load-balancing utility, such as VIPA or F5, is in use; incoming z/OS OpenSSH client connections can fail. (Clients are utilities such as ssh, scp, and sftp)

Symptom

OpenSSH client connections fail.

Cause

When an IP load-balancer is in use, the destination host and client IP addresses might not be able of being reverse mapped.

Diagnosing The Problem

To verify, collect a server-side (sshd) trace of the incoming connection, which fails and determine whether the failure is related to reverse mapping DNS addresses, similar to:

debug3: Trying to reverse map address xxx.xxx.xxx.xxx. fatal: FOTS1450 Timeout before authentication for xxx.xxx.xxx.xxx

Resolving The Problem

Resolve this problem by updating the sshd_config (/etc/ssh/sshd_config) file and update the UseDNS option to "no":

UseDNS no

(You might need to uncomment or define it. The default is "yes".) Then, restart sshd to pick up the changed configuration.

This setting prevents sshd from trying to reverse map the IP address of the incoming connection.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG90","label":"z\/OS"},"Component":"5655M2301 - z\/OS OpenSSH","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB56","label":"Z HW"}}]

Product Synonym

ssh; sshd; sftp; scp

Was this topic helpful?

Document Information

Modified date:
03 September 2021

UID

ibm10732171

Tips