ssh randomly can connect, and sometimes "kex_exchange_identification: Connection closed by remote host"

2

Connecting to my server has never been a problem. But now I've added a mesh router in bridge mode to my regular router, and when I try to ssh to my server, sometimes it works fine, and other times the connection is closed at initiation with:

kex_exchange_identification: Connection closed by remote host

This is only when I am first trying to connect - on the times it succeeds in connecting, it stays connected just fine.

It also seems to fail more often with scp than ssh, which I find odd, but could just be my own non-statistical impressions...

I'm guessing the bridge mode is randomly getting in the way of the ssh and killing the connection, any thoughts?

David Ljung Madison Stellar

Posted 2019-08-16T19:40:04.783

Reputation: 372

1

Try to set LogLevel DEBUG on the server in /etc/ssh/sshd_config and see auth.log for clues. I've been troubleshooting a problem with similar symptoms just now and it turned out to be dropping connections due to MaxStartups limits, which was clearly seen in the debug log. – Queeq – 2019-09-17T10:11:04.597

1

Possibly helpful: https://edoceo.com/notabene/ssh-exchange-identification

– Shayaan – 2019-10-01T19:06:40.647

Thanks for the link, but all of those (except heavy load - which is not the problem) are for seeing this error every time, as opposed to occasionally, as I have been seeing it. – David Ljung Madison Stellar – 2019-10-10T22:40:14.743
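Added example (not part of the original question or comments): a short Python script for the MaxStartups check suggested in the comment above. It counts per-client drops in auth.log and computes the drop probability for a MaxStartups setting, which is what makes this failure look random. The log lines are constructed samples, the "drop connection ... past MaxStartups" wording is assumed from OpenSSH releases that log each drop (check it against your own log), and 10:30:100 is assumed as the MaxStartups value.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (documentation addresses, not from the post).
SAMPLE_LOG = """\
Sep 17 10:02:11 host sshd[811]: drop connection #10 from [192.0.2.15]:58944 on [192.0.2.1]:22 past MaxStartups
Sep 17 10:02:11 host sshd[9321]: Accepted publickey for dev from 192.0.2.15 port 58950 ssh2
Sep 17 10:02:12 host sshd[811]: drop connection #11 from [192.0.2.15]:58951 on [192.0.2.1]:22 past MaxStartups
Sep 17 10:02:13 host sshd[811]: drop connection #10 from [198.51.100.7]:40112 on [192.0.2.1]:22 past MaxStartups
"""

# Assumed message format; the wording can differ between OpenSSH releases.
DROP_RE = re.compile(
    r"sshd\[\d+\]: drop connection #\d+ from \[(?P<src>[^\]]+)\]:\d+ "
    r"on \[[^\]]+\]:\d+ past MaxStartups"
)

def maxstartups_drops(log_text):
    """Count connections refused because of MaxStartups, per source address."""
    drops = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops[m.group("src")] += 1
    return drops

def drop_probability(startups, spec="10:30:100"):
    """Percent chance a new connection is refused, given the number of
    unauthenticated connections open and a MaxStartups start:rate:full value."""
    parts = [int(x) for x in spec.split(":")]
    # A single number means a hard limit: everything at or above it is refused.
    start, rate, full = parts if len(parts) == 3 else (parts[0], 100, parts[0])
    if startups < start:
        return 0
    if startups >= full or rate == 100:
        return 100
    # Linear ramp from `rate` percent at `start` up to 100 percent at `full`.
    return rate + (100 - rate) * (startups - start) // (full - start)

if __name__ == "__main__":
    for src, count in maxstartups_drops(SAMPLE_LOG).most_common():
        print(f"{src}: {count} connection(s) dropped past MaxStartups")
    for n in (5, 10, 55, 100):
        print(f"{n} unauthenticated connections -> {drop_probability(n)}% drop chance")
```

Between the start and full thresholds only a fraction of new connections is refused, so the same client can succeed on one attempt and see "Connection closed by remote host" on the next.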

Answers

0

I found this question from searching the web, because I was seeing the same error message and had no idea what it meant or what was causing it.

For me, the cause was having turned Intrusion Protection on in my Unifi Network controller. Some sort of firewall was incorrectly flagging my everyday SSH connection as a "Potential SSH Scan" and blocking it.

Threat Management Alert 2: Attempted Information Leak. Signature ET SCAN Potential SSH Scan OUTBOUND. From: 192.168.xxx.xxx:58944, to: 192.168.xxx.xxx:22, protocol: TCP

Rather than disable this additional helpful layer of network protection, I decided to temporarily whitelist the IP address for the development machine that is trusted to bypass these checks. Once whitelisted, everything was OK.

I'm uncertain if bridge mode alone would cause this, but my experience is similar to yours in that a piece of networking equipment was intercepting and prematurely terminating the connection before it made it outside of my LAN.

John James Jacoby

Posted 2019-08-16T19:40:04.783

Reputation: 1

That was a firewall causing the problem - but I don't have a firewall in the way. I presume when you "whitelisted the IP address" that was with the firewall? – David Ljung Madison Stellar – 2020-02-25T20:09:43.520