A common issue when accessing a switch via SSH is that the login takes a long time, after which the connection runs smoothly. This is generally because SSH does a reverse DNS lookup for the remote device and the DNS query times out.
Another common issue is that the management interface is in a VRF but the name servers are not defined in that VRF. To configure a name server in the VRF “management”:
ip name-server vrf management 10.1.1.10
Ensure that you can ping the DNS server from the switch. If the DNS server is in a VRF, be sure to specify the VRF in the ping command:
Switch#ping vrf management 10.1.1.10
A quick test is to wait until the user is logged in and then execute the command “show user”. This will produce the IP address of the remote device; then perform a DNS lookup on that address to see if the lookup succeeds. Below we see an example of a failure.
Switch#show users
Line      User    Host(s)   Idle       Location
1 con 0   admin   idle      01:37:00   -
2 vty 4   admin   idle      00:00:39   10.95.1.172
Switch#bash nslookup 10.95.1.172
;; connection timed out; no servers could be reached
If DNS is the issue and you don’t have control over the DNS servers to add the reverse lookup entries, you can stop SSH from doing reverse DNS lookups. This is accomplished by modifying the /etc/ssh/sshd_config file and restarting the ssh process.
Disable the reverse DNS lookup for SSH and kill or restart the SSH process.
- bash sudo sh -c 'echo "UseDNS no" >> /etc/ssh/sshd_config'
- bash sudo service sshd restart
- Or from the bash prompt if you prefer
[user@Switch ~]$ ps aux | grep ssh
root 1843 0.3 0.3 37616 15600 ? Ss 14:14 0:00 sshd: user [priv]
root 2044 0.0 0.0 10488 1304 ? Ss Aug14 0:00 /usr/sbin/sshd
[user@Switch ~]$ sudo kill -HUP 2044
Be aware that this setting will be lost upon a reboot. This is intended for troubleshooting and as a temporary fix. The permanent fix is to get the DNS servers to resolve the reverse lookups.
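Appending to sshd_config has two pitfalls: sshd keeps the first value it reads for a keyword, so an earlier "UseDNS yes" still wins, and a line added after a Match line becomes part of that block. The script below is an added example, not from the original page; the function names and the sample config are constructed, and it rewrites the file so that a single "UseDNS no" sits on the first line.

```shell
#!/bin/sh
# Added example, not from the original page; function names and the sample
# config below are constructed for illustration.

# Print the UseDNS value sshd would take from FILE. sshd keeps the FIRST value
# it reads for a keyword, so a later "UseDNS no" does not override it.
effective_usedns() {
    awk '{ l = $0; sub(/^[ \t]+/, "", l); split(l, f, /[ \t=]+/) }
         tolower(f[1]) == "usedns" { print tolower(f[2]); exit }' "$1"
}

# Rewrite FILE so it holds exactly one active "UseDNS no", placed on the first
# line: ahead of any earlier setting and outside any trailing Match block.
set_usedns_no() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk 'BEGIN { print "UseDNS no" }
         { l = $0; sub(/^[ \t]+/, "", l); split(l, f, /[ \t=]+/) }
         tolower(f[1]) == "usedns" { next }   # drop old active settings
         { print }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"      # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: an existing "UseDNS yes" and a Match block at the end.
make_sample() {
    printf '%s\n' 'Port 22' 'UseDNS yes' 'Match User backup' \
        '    ForceCommand /bin/false' > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    echo 'UseDNS no' >> "$f"                 # the blind append
    echo "after append:  $(effective_usedns "$f")"
    set_usedns_no "$f"
    echo "after rewrite: $(effective_usedns "$f")"
    rm -f "$f"
}
demo
```

On the switch, run set_usedns_no with sudo against /etc/ssh/sshd_config and check the result with sshd -t before restarting the service.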