[OmniOS-discuss] strangeness ssh into omnios from oi_151a9

[Eric Sproul]

On Sun, Aug 23, 2015 at 9:19 PM, Dan McDonald <danmcd at omniti.com> wrote:
> I'm not seeing it.  Do you maybe have PathMTU issues, or are these same-subnet machines?

This sounds a lot like a split-path routing issue, so knowing whether
these machines are on the same subnet would be key.

I've had this happen in the past with multi-homed machines, where the
initiating TCP client's packets traverse a router/firewall with
stateful filtering and "hair-pin" back onto the local subnet (perhaps
due to DNAT or other fancy tricks).  Since the destination knows it is
directly connected to the network of the source IP, it responds
directly back to the client, bypassing the router.  Thus the stateful
firewall sees only one half of the connection, and misses any
negotiated changes, e.g. TCP window-scaling that might occur.  As soon
as the client sends a scaled-window packet, the firewall drops it as
invalid, and the client experiences a hang in connectivity.  The
solution of course is, Don't Do That(tm).  Multi-homing should be
employed along with split-horizon DNS or firewall routing rules that
NAT the source to ensure responses come back through the router.

But maybe all this is moot if you're not multi-homing or doing
anything similarly "fancy" between your OI and OmniOS hosts.

Eric