I have a remote headless system (running bullseye, will be updating to
bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

It also can't ping the systems which it can't connect ssh to.

I can't see any pattern in the systems to which it can connect or
those which it can't connect to. It's connected via 4G so it's
CGNATted. I connect to it (using ssh) via a remote ssh tunnel that it
sets up when booted.

It gets the correct IP address for all 'my' systems that run an ssh
server and I can cannect to all these systems from my home desktop and
laptop machines using ssh.

Does anyone have any ideas on how to diagnose its failure to connect
to all of 'my' systems.

--
Chris Green

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 22, 2025 at 13:29:41 +0000, Chris Green wrote:

I have a remote headless system (running bullseye, will be updating to bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

What *actually* happens when you try? Show us the command you're
running and its full output.

If you need more details, try adding the -v option when you ssh.

It also can't ping the systems which it can't connect ssh to.

Again, seeing the *error message* from ping would be helpful.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 22, 2025 at 08:51:35AM -0500, Greg Wooledge wrote:

On Wed, Jan 22, 2025 at 13:29:41 +0000, Chris Green wrote:

I have a remote headless system (running bullseye, will be updating to bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

What *actually* happens when you try? Show us the command you're
running and its full output.

If you need more details, try adding the -v option when you ssh.

It also can't ping the systems which it can't connect ssh to.

Again, seeing the *error message* from ping would be helpful.

Yes, that would be totally useful. As has been stated in this
list last days, ping actually does two things for you:

- resolve the host's name to an IP address
- check connectivity to that host

Your input *and* ping's error message would tell us all which
of those steps fail.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ5D5JgAKCRAFyCz1etHa RmaKAJ44C5DsNofX70qrqTePZzYxStrdhgCcDir9LT8PiJbMlpaySFKydF7+7/U=
=l5Lt
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 22, 2025 at 01:29:41PM +0000, Chris Green wrote:

I have a remote headless system (running bullseye, will be updating to bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

It also can't ping the systems which it can't connect ssh to.

I can't see any pattern in the systems to which it can connect or
those which it can't connect to. It's connected via 4G so it's
CGNATted. I connect to it (using ssh) via a remote ssh tunnel that it
sets up when booted.

It gets the correct IP address for all 'my' systems that run an ssh
server and I can cannect to all these systems from my home desktop and
laptop machines using ssh.

Does anyone have any ideas on how to diagnose its failure to connect
to all of 'my' systems.

How many network interfaces have you got ? I suspect one (+ loopback).

What do you get when you run traceroute to something that you cannot connect to ?

What are your routing tables ?

Do you have a firewall ?

Is it an IPv4/IPv6 thing ? So that you can connect to systems over IPv4 but not IPv6 ?

Run:

host machine-that-you-can-ping

host machine-that-you-cannot-ping

Then try to ping the IPv4 and IPv6 addresses.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 22, 2025 at 14:56:54 +0100, tomas@tuxteam.de wrote:

Yes, that would be totally useful. As has been stated in this
list last days, ping actually does two things for you:

- resolve the host's name to an IP address
- check connectivity to that host

Well, three really. It resolves the argument to an IP address if it
wasn't already one. It sends ICMP packets to that IP address.
It listens for responses.

If the name resolution step fails, then we know how to approach that.
The other steps can't take place until the name is resolved.

If the outgoing packets are fine but the responses are blocked, then
we would actually have unidirectional communications, but ping wouldn't
be able to tell us that.

If the outgoing packets are blocked (by some overzealous firewall,
perhaps), then the responses would never be generated in the first
place.

And of course there are some hosts on the Internet which are configured
to drop ICMP packets. So, if you're trying to ping one of those, you
won't receive any response packets.

It's not possible to differentiate the various failure states using ping
alone (at least not from a single host), but it's a good starting point.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jan 22, 2025 at 09:13:35AM -0500, Greg Wooledge wrote:

On Wed, Jan 22, 2025 at 14:56:54 +0100, tomas@tuxteam.de wrote:

Yes, that would be totally useful. As has been stated in this
list last days, ping actually does two things for you:

- resolve the host's name to an IP address
- check connectivity to that host

Well, three really. It resolves the argument to an IP address if it
wasn't already one. It sends ICMP packets to that IP address.
It listens for responses.

[...]

Of course, your answer is much more precise than mine. I'm somewhat
sloppy :-)

It's not possible to differentiate the various failure states using ping alone (at least not from a single host), but it's a good starting point.

This is why I subsumed (with quite a bit of handwaving) all the "other
cases" (beyond name resolution) under "connectivity to that host".

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ5D/uAAKCRAFyCz1etHa RkRsAJ4+E1t3cnv3hfKvVUpDZdgvWwmZcACdHmglY7R4p2pPME3ALITM6Bh5waI=
=OclQ
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Alain D D Williams <addw@phcomp.co.uk> wrote:

On Wed, Jan 22, 2025 at 01:29:41PM +0000, Chris Green wrote:

I have a remote headless system (running bullseye, will be updating to bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

It also can't ping the systems which it can't connect ssh to.

I can't see any pattern in the systems to which it can connect or
those which it can't connect to. It's connected via 4G so it's
CGNATted. I connect to it (using ssh) via a remote ssh tunnel that it
sets up when booted.

It gets the correct IP address for all 'my' systems that run an ssh
server and I can cannect to all these systems from my home desktop and laptop machines using ssh.

Does anyone have any ideas on how to diagnose its failure to connect
to all of 'my' systems.

How many network interfaces have you got ? I suspect one (+ loopback).

What do you get when you run traceroute to something that you cannot connect to ?

Very little, I tried that. I get a trace to two local (non routable, 192.168..) addresses and then just stars.

What are your routing tables ?

Do you have a firewall ?

Is it an IPv4/IPv6 thing ? So that you can connect to systems over IPv4 but not
IPv6 ?

I did wonder that, but no, I can connect to some places with both IPV4
and IPV6 addresses but not others.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Greg Wooledge <greg@wooledge.org> wrote:

On Wed, Jan 22, 2025 at 13:29:41 +0000, Chris Green wrote:

I have a remote headless system (running bullseye, will be updating to bookworm when I'm next there) that can connect to some systems using
ssh but not to others (to which I can connect from everywhere else).

What *actually* happens when you try? Show us the command you're
running and its full output.

Absolutely nothing until ssh times out, ping just pings away and
reports 100% packet loss when I kill it.

If you need more details, try adding the -v option when you ssh.

It also can't ping the systems which it can't connect ssh to.

Again, seeing the *error message* from ping would be helpful.

See above.

But *%$^*%$%(*JGJHB me, it's started working now (I just did an "ssh
-v" to get more information). Typical! It's not been working for
well over a month.

All the ssh on the remote system have been automatically restarted
quite recently (I use autossh to keep them alive) and that seems to
have fixed everything. I didn't dare restart them manually because
it's them that set up the reverse tunnel to enable me to ssh to the
system.

The whole (remote) system seems to be running more quickly now, I
suspect something had 'stuck' somehow and has, for whatever reason,
become unstuck.

Sorry for the noise.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)