Arista – slow ssh login


A common issue when accessing a switch via SSH is that the login takes a long time, after which the connection runs smoothly.

This is generally because SSH does a reverse DNS lookup for the remote device and the DNS query times out.

Another common issue is that the management interface is in a VRF but the name servers are not defined in that VRF. To configure a name server in the VRF “management”:

ip name-server vrf management 10.1.1.10

Ensure that you can ping the DNS server from the switch. If the DNS server is in a VRF, be sure to specify the VRF in the ping command:

Switch#ping vrf management 10.1.1.10

A quick test is to wait until the user is logged in and then execute the command “show users”. This shows the IP address of the remote device; then perform a DNS lookup on that address to see whether the lookup succeeds. Below is an example of a failure.

Switch#show users
Line      User        Host(s)       Idle        Location
1 con 0    admin       idle          01:37:00    -
2 vty 4    admin       idle          00:00:39    10.95.1.172

Switch#bash nslookup 10.95.1.172
;; connection timed out; no servers could be reached

If DNS is the issue and you don’t have control over the DNS servers to add the reverse lookup entries, you can stop SSH from doing reverse DNS lookups. This is accomplished by modifying the /etc/ssh/sshd_config file and restarting the SSH process.

Disable the reverse DNS lookup for SSH and kill or restart the SSH process:

  • bash sudo sh -c 'echo "UseDNS no" >> /etc/ssh/sshd_config'
  • bash sudo service sshd restart
    • Or from the bash prompt if you prefer, send HUP to the /usr/sbin/sshd process (PID 2044 in this example)
[user@Switch ~]$ ps aux | grep ssh
root      1843  0.3  0.3  37616 15600 ?        Ss   14:14   0:00 sshd: user [priv]
root      2044  0.0  0.0  10488  1304 ?        Ss   Aug14   0:00 /usr/sbin/sshd
[user@Switch ~]$ sudo kill -HUP 2044

Be aware that this setting will be lost upon a reboot. This is intended for troubleshooting and as a temporary fix. The permanent fix is to get the DNS servers to resolve the reverse lookups.
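
The append step above, made idempotent, as an added example that is not part of the original post: sshd uses the first value it reads for a keyword, so appending "UseDNS no" after an existing "UseDNS yes" or after a Match block does not take effect as intended. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# sshd uses the first value it reads for a keyword, and a global keyword such
# as UseDNS must come before any "Match" block, so a blind append with
# "echo >>" can be ignored (an earlier "UseDNS yes" wins) or land in a Match
# block. It also adds a duplicate line on every run.

# Rewrite FILE so it holds exactly one active "UseDNS no" in the global section.
set_usedns_no() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '
        # Drop every active UseDNS line; commented-out lines are kept.
        tolower($1) == "usedns" { next }
        # Put the setting just before the first Match block, if there is one.
        tolower($1) == "match" && !done { print "UseDNS no"; done = 1 }
        { print }
        # No Match block: the end of the file is still the global section.
        END { if (!done) print "UseDNS no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"    # overwrite in place: keeps owner and mode
    rm -f "$tmp"
}

# Print the value sshd would use: the first active UseDNS line.
effective_usedns() {
    awk 'tolower($1) == "usedns" { print tolower($2); exit }' "$1"
}

# Constructed sample config: UseDNS already set to yes, plus a Match block.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' 'Port 22' 'UseDNS yes' 'Match User backup' \
        '    X11Forwarding no' > "$sample"
    set_usedns_no "$sample" && effective_usedns "$sample"
    rm -f "$sample"
}

demo
```

On the switch, run it as root against /etc/ssh/sshd_config and check the result with `sudo /usr/sbin/sshd -t` before sending HUP. With UseDNS set to no, only addresses (not host names) can be used in authorized_keys `from=` options and `Match Host` directives.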
