sshd stops accepting connections
Zoltan Frombach
zoltan at frombach.com
Sat Nov 13 00:29:31 PST 2004
> Today I suddenly couldn't log in via ssh to a server I upgraded to
> FreeBSD 5.3-RELEASE 4 days ago. When I tried connect to port 22 using
> telnet(1) the following just happend:
>
> [simon at zaphod:~] telnet 192.168.3.2 22
> Trying 192.168.3.2...
> Connected to jet.nitro.dk.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> The servar had been running FreeBSD 5.2.1 for a while without
> problems. ...
I had the exact same problem yesterday!! I installad FreeBSD 5.3-RELEASE
about a week ago. And on the night of Nov.11th, I've noticed that sshd2
stopped accepting connections. It dropped (closed) any connection
immediately. Everything else seemed to work on the server just fine. I also
use standard Unix authentication, nothing fancy at all. And I installed SSH2
from ports. I had to call the colo center and asked them to reset my server.
After it rebooted, SSH2 started to work again. Examining the content of the
log files, I've noticed the following lines:
Nov 11 13:45:10 www kernel: ad0: WARNING - WRITE_DMA interrupt was seen but
timeout fired LBA=2928095
Nov 11 13:49:52 www kernel: maxproc limit exceeded by uid 0, please see
tuning(7) and login.conf(5).
Nov 11 13:49:54 www kernel: Limiting closed port RST response from 212 to
200 packets/sec
Nov 11 13:49:55 www kernel: Limiting closed port RST response from 226 to
200 packets/sec
Nov 11 13:49:58 www kernel: Limiting closed port RST response from 223 to
200 packets/sec
Nov 11 13:50:00 www kernel: Limiting closed port RST response from 225 to
200 packets/sec
Nov 11 13:50:01 www kernel: Limiting closed port RST response from 224 to
200 packets/sec
Nov 11 13:50:03 www kernel: Limiting closed port RST response from 226 to
200 packets/sec
Nov 11 13:50:04 www kernel: Limiting closed port RST response from 223 to
200 packets/sec
Nov 11 13:50:07 www kernel: Limiting closed port RST response from 226 to
200 packets/sec
Nov 11 13:50:08 www kernel: Limiting closed port RST response from 223 to
200 packets/sec
Nov 11 13:50:10 www kernel: Limiting closed port RST response from 225 to
200 packets/sec
Nov 11 13:50:11 www kernel: Limiting closed port RST response from 224 to
200 packets/sec
Nov 11 13:50:13 www kernel: Limiting closed port RST response from 226 to
200 packets/sec
Nov 11 13:50:14 www kernel: Limiting closed port RST response from 233 to
200 packets/sec
Nov 11 13:50:17 www kernel: Limiting closed port RST response from 216 to
200 packets/sec
Nov 11 13:50:18 www kernel: Limiting closed port RST response from 223 to
200 packets/sec
Nov 11 13:50:20 www kernel: Limiting closed port RST response from 215 to
200 packets/sec
Nov 11 13:50:21 www kernel: Limiting closed port RST response from 233 to
200 packets/sec
Nov 11 13:50:23 www kernel: Limiting closed port RST response from 225 to
200 packets/sec
Nov 11 13:50:25 www kernel: Limiting closed port RST response from 211 to
200 packets/sec
Nov 11 13:50:27 www kernel: Limiting closed port RST response from 225 to
200 packets/sec
Nov 11 13:50:29 www kernel: Limiting closed port RST response from 225 to
200 packets/sec
Nov 11 13:50:31 www kernel: Limiting closed port RST response from 211 to
200 packets/sec
Nov 11 13:50:33 www kernel: Limiting closed port RST response from 224 to
200 packets/sec
Nov 11 13:50:35 www kernel: Limiting closed port RST response from 205 to
200 packets/sec
Nov 11 13:50:37 www kernel: Limiting closed port RST response from 224 to
200 packets/sec
Nov 11 13:50:51 www last message repeated 4 times
Nov 11 13:50:54 www kernel: Limiting closed port RST response from 222 to
200 packets/sec
Nov 11 13:50:58 www kernel: Limiting closed port RST response from 216 to
200 packets/sec
Nov 11 13:51:00 www kernel: Limiting closed port RST response from 208 to
200 packets/sec
Because of the maxproc message, I then compiled a new kernel with 1024
users. (I used the GENERIC kernel up to this point.) Since I was now
building a new kernel, I commented out some drivers that I don't use, like
some SCSI devices and some ISA network interfaces, etc. The new kernel seems
to work great.
However, today (on Friday) I had another weird encounter. This afternoon,
for several minutes, I was unable to connect to the server at all: all tcp
connection appeared to hang indefinitely! But ping worked and it was fast as
always. I kept trying to get in via SSH2, and finally I was able to log in
(it took like 2 minutes to get the login prompt, while ping time was
normal). After switching to su, I issued the top command to see what is
going on. I never get any output. The system was apparently so busy with
something that top could not work. I had to force-close that connection. For
several minutes I tried to log in again via SSH2, I just wanted to issue a
reboot command at this time. When I was about to give up, suddenly, after
like 5 minutes the login prompt appeared and I was able to log in. Since
then EVERYTHING is working fine, I didn't even have to reboot, the server is
still running fine! I saw only these lines in the log file:
Nov 12 16:14:27 www kernel: ad0: WARNING - WRITE_DMA interrupt was seen but
timeout fired LBA=2416335
Nov 12 16:35:51 www kernel: Limiting icmp unreach response from 276 to 200
packets/sec
It seems to me that shortly after the WRITE_DMA warning (like 4 to 20
minutes later) all resources (I guess, processes) seemed to be consumed. It
has caused somehow sshd2 to stop accepting new connections at the first
time. The second time I greatly increased the maxproc number in the kernel
by setting maxusers to 1024. So at that time nothing really failed, but like
20 minutes after the WRITE_DMA warning the system became very unresponsive
for at least 5 minutes. And then it just cured itself. I am very what is
causeing the WRITE_DMA warning... I'm willing to install any patches to
track this down. Can anyone provide me some patches?
Zoltan
PS: Some info about my system:
uname -a
FreeBSD www.xxxxxxxx.com 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 12
01:07:41 PST 2004 xxx at www.xxxxxxxx.com:/usr/obj/usr/src/sys/XXXXXXXX
i386
dmesg
Waiting (max 60 seconds) for system process `hpt_wt' to stop...done
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE #0: Fri Nov 12 01:07:41 PST 2004
tss at www.frombach.com:/usr/obj/usr/src/sys/FROMBACH
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2806.38-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0xf29 Stepping = 9
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Hyperthreading: 2 logical CPUs
real memory = 1056899072 (1007 MB)
avail memory = 1023688704 (976 MB)
ACPI APIC Table: <AWARD AWRDACPI>
ioapic0: Changing APIC ID to 2
ioapic0 <Version 1.4> irqs 0-23 on motherboard
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <AWARD AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1008-0x100b on acpi0
cpu0: <ACPI CPU (3 Cx states)> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port
0x10e0-0x10ff,0x1000-0x10df,0x480-0x48f,0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <SiS 661 host to AGP bridge> mem 0xd0000000-0xd7ffffff at device 0.0
on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <display, VGA> at device 0.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 2.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <SiS 964 UDMA133 controller> port
0x4000-0x400f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 2.5 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
ohci0: <SiS 5571 USB controller> mem 0xe1104000-0xe1104fff irq 20 at device
3.0 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: <SiS 5571 USB controller> on ohci0
usb0: USB revision 1.0
uhub0: SiS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1: <SiS 5571 USB controller> mem 0xe1100000-0xe1100fff irq 21 at device
3.1 on pci0
ohci1: [GIANT-LOCKED]
usb1: OHCI version 1.0, legacy support
usb1: <SiS 5571 USB controller> on ohci1
usb1: USB revision 1.0
uhub1: SiS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ohci2: <SiS 5571 USB controller> mem 0xe1101000-0xe1101fff irq 22 at device
3.2 on pci0
ohci2: [GIANT-LOCKED]
usb2: OHCI version 1.0, legacy support
usb2: <SiS 5571 USB controller> on ohci2
usb2: USB revision 1.0
uhub2: SiS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
pci0: <serial bus, USB> at device 3.3 (no driver attached)
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xe000-0xe07f mem
0xe1103000-0xe110307f irq 17 at device 9.0 on pci0
miibus0: <MII bus> on xl0
bmtphy0: <3c905B 10/100 internal PHY> on miibus0
bmtphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
xl0: Ethernet address: 00:50:04:76:49:e7
fdc0: <floppy drive controller> port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on
acpi0
sio0: type 16550A
orm0: <ISA Option ROM> at iomem 0xc0000-0xcbfff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2806375656 Hz quality 800
Timecounters tick every 10.000 msec
ad0: 78167MB <Maxtor 6Y080L0/YAR41VW0> [158816/16/63] at ata0-master UDMA133
acd0: CDROM <CDU5211/YYS7> at ata1-master UDMA33
Mounting root from ufs:/dev/ad0s1a
ipfw2 initialized, divert disabled, rule-based forwarding disabled, default
to deny, logging disabled
my kernel config:
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.413.2.6.2.2 2004/10/24 18:02:52
scottl Exp $
machine i386
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident XXXXXXXX
maxusers 1024
options PMAP_SHPGPERPROC=400
options KVA_PAGES=384
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for
devices.
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big
directories
options MD_ROOT # MD is a potential root device
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires
NFSCLIENT
#options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires
PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP
THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options SCSI_DELAY=15000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time
extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options ADAPTIVE_GIANT # Giant mutex is adaptive.
device apic # I/O APIC
# Bus support. Do not remove isa, even if you have no isa slots
device isa
#device eisa
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets + those
of `ncr')
#device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#device adw # Advansys wide SCSI adapters
#device aha # Adaptec 154x SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters,
AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters
#device ncv # NCR 53C500
#device nsp # Workbit Ninja SCSI-3
#device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for
options
#device hptmv # Highpoint RocketRAID 182x
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
#device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
device agp # support several AGP chipsets
# Floating point support - do not disable.
device npx
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 adapter Gigabit Ethernet
Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit ethernet
device nge # NatSemi DP83820 gigabit ethernet
device pcn # AMD Am79C97x PCI 10/100 (precedence over
'lnc')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sis # Silicon Integrated Systems SiS 900/SiS
7016
device sk # SysKonnect SK-984x & SK-982x gigabit
Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device ti # Alteon Networks Tigon I/II gigabit
Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device lnc # NE2100, NE32-VL Lance Ethernet cards
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# ISA devices that use the old ISA shims
#device le
# Wireless NIC cards
#device wlan # 802.11 support
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device awi # BayStack 660 and others
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless
NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device io # I/O device
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
#device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
#device uscanner # Scanners
# USB Ethernet, requires mii
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
my make.conf file:
CPUTYPE?=p4
#NO_CPU_CFLAGS= true # Don't add -march=<cpu> to CFLAGS automatically
#NO_CPU_COPTFLAGS=true # Don't add -march=<cpu> to COPTFLAGS automatically
#COPTFLAGS= -O -pipe # Yes, this line is commented out!
More information about the freebsd-stable
mailing list