Solved scp from CentOS 6 to FreeBSD 10.1-RELEASE

I am having a bunch of trouble transferring files via scp(1) from a CentOS 6 server to a FreeBSD server. When I run the command, the entire session locks up.

I am able to SCP from the FreeBSD box to the CentOS 6 box. I am able to SCP from my Mac laptop to both servers and I am able to SCP from the CentOS 6 box to my Mac.

I get the feeling that it has something to do with login messages. I have renamed /etc/motd so it no longer shows and changed /etc/ssh/sshd_config to banner=no. Still locking up the session.

I am sure this is a simple fix, just cannot seem to find it in Google. Thanks for looking!
 
Oh, I should add that I can scp from the CentOS 6 server to other FreeBSD 10.1 RELEASE servers. The only difference between this server and my other FreeBSD servers is this one is in a jail.
 
Since I am only new I am unable to edit posts, so I have to keep posting as I find more information.

SCP shows as "stalled" on the CentOS 6 box. I wasn't seeing this before but it's showing if I try to transfer a small file instead of a folder.
 
So, you are trying to SCP from a CentOS (version ???) to a FreeBSD 10.1-RELEASE, JAIL. Correct?

1) Revert all the changes you made to /etc/ssh/sshd_config and /etc/motd back.
2) What happens when you ssh to that jail? (from the CentOS).
3) Post your hosts firewall rules.
 
Yes, I am trying to scp from the CentOS 6 server to the FreeBSD jail. SSH works fine between both boxes (initiated from either server). The CentOS 6 box is happily scping to many other FreeBSD boxes.

sshd_config on the basejail and jail are configured to only listen on their own IPs.
 
Basejail = Jail Host. Sorry, should have said "Jail Host".

Are you running any firewall on the host system?
Yes. The only jail that has sshd enabled is the one I am trying to
 
By basejail, I'm guessing you're using either ezjail, qjail, or some other method of jails with nullfs, correct? When we do this, we usually leave the base jail's sshd_config alone and just set the other jails to listen on their own IPs.

You've said ssh between the two works without problem. What about scp with small text files? In other words, does it only stall with large files? Can other machines scp to this jail without a problem?
 
Yes, I am using ezjail.

I only changed the hosts because I only need ssh listening on a single IP. I can change it if this is the problem?

I just tried scping a small text file 20KB and scp hung.
 
 
If the aliases are for the jails then their netmask should be /32. A tcpdump should be able to show where the problem is.
 
I am sorry I didn't say this last night - "Thank you gkontos!" for helping me out on this issue. It's been driving me nuts for days. Sadly I have yet to solve this issue.

If the aliases are for the jails then their netmask should be /32. A tcpdump should be able to show where the problem is.

I hadn't seen that in many tutorials on Jails, though now you point it out, I have found it in a few tutorials, though not the handbook.
 
After extensive testing of this issue it seems that it may not be an issue with the servers themselves. It seems it might be an issue with scping files between servers where pfSense is in between, i.e. one server behind pfSense, one directly connected to the internet. The reason I think this is I am able to scp happily as long as that traffic does not pass through the pfSense firewall.
 
So, MTU issue with a firewall perhaps? That wouldn't cause issues with an SSH session but could make sense moving a file with SCP. What's the biggest size you can get away with? Start with checking if you can pass a packet assuming the default 1500 byte packet with ping -D -c 1 -s 1472 172.20.1.1 (28 bytes of overhead is assumed). Work your way down until you see what works.
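
The step-down ping test suggested in the post above, automated as a binary search (an added example, not part of the original posts). The function names and the injectable probe are assumptions made for illustration; the Don't Fragment flag is -D on FreeBSD and macOS ping and -M do on Linux iputils ping.

```sh
#!/bin/sh
# Added example: find the largest ICMP payload that crosses a path with
# Don't Fragment set, then derive the path MTU from it.
# IPv4 header (20) + ICMP header (8) = the 28 bytes of overhead from the post.
OVERHEAD=28

# probe_ping HOST SIZE: send one echo request with DF set, 1 second timeout.
# Returns 0 only if a reply came back.
probe_ping() {
    case "$(uname -s)" in
        Linux) ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1 ;;  # iputils
        *)     ping -D -c 1 -t 1 -s "$2" "$1" >/dev/null 2>&1 ;;     # FreeBSD, macOS
    esac
}

# max_payload PROBE HOST [LOW] [HIGH]
# PROBE is any command taking "HOST SIZE" and returning 0 when the packet
# got through unfragmented. Prints the largest passing payload size.
# Returns 1 if even the LOW size fails (host down or ICMP filtered).
max_payload() {
    probe=$1 host=$2 lo=${3:-0} hi=${4:-1472}
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid              # mid fits, search upward
        else
            hi=$(( mid - 1 ))    # mid is too big, search downward
        fi
    done
    echo "$lo"
}

# path_mtu PROBE HOST: largest payload plus the header overhead.
path_mtu() {
    p=$(max_payload "$1" "$2") || return 1
    echo $(( p + OVERHEAD ))
}

# Probe a real host only when one is given on the command line.
if [ "$#" -ge 1 ]; then
    path_mtu probe_ping "$1" || {
        echo "no reply from $1 even with an empty payload" >&2
        exit 1
    }
fi
```

A result below 1500 on a path where ssh logins work but scp stalls points at full-size packets being dropped in transit, which is the symptom in this thread.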
 
Thanks for the MTU pointer.

I tested the max MTU I can get away with, without fragmentation and it's 1422. This value (1422) is already set on the pfSense WAN interface. I changed the MTU on the CentOS 6 box to 1422 and SCP started working.

Thank you to everyone who helped on this one, it's much appreciated!
 