Welcome to the VanDyke Software Forums

Join the discussion today!

Go Back   VanDyke Software Forums > SecureCRT on the Mac


Closed Thread
Thread Tools Display Modes
Old 10-17-2018, 01:12 PM
jdev's Avatar
jdev jdev is offline
VanDyke Technical Support
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,099
Question FAQ: What's causing delay/hang/timeout when I attempt SSH2 connections?

If it seems your SSH2 connection attempts are hanging, taking a really long time, or timing out completely, it could be that SecureCRT is configured to attempt GSSAPI authentication or Kerberos key exchange in an environment where GSSAPI/Kerberos is not possible between your machine and the SSH2 host you're trying to reach.

To troubleshoot most connection issues, turn on Trace Options and try to establish the SSH connection again. Not familiar with Trace Options? File > Trace Options. You can view the Trace Options Debug Logging video for info about how to create a debug/troubleshooting log: https://youtu.be/kzEUhvxKvyY

If your Trace Options output includes anything resembling the following pattern, it's likely that the delay/hang/timeouts are being caused by your SecureCRT configuration:

[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@<host_you_are_trying_to_reach>
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.

The above pattern may likely be repeated for each GSS/Kerberos provider available on your system, which would explain the delays/timeouts that you are seeing when SecureCRT is attempting to establish a connection to the SSH server.

To resolve the problem, you can simply disable all GSSAPI and Kerberos related "Authentication" and "Key Exchange" methods in the SSH2 category of your Session Options as shown in the graphics below.



You can employ the power of editing the Default session to make these changes to all of your existing and future sessions. Here are some links to a tip and a video that provide more details about using the Default session to make mass changes to multiple sessions:
Note: In order for a "change" to be applied to all other sessions, the Default session's option/field you're targeting must actually be modified/different from its current value. This means that if the Authentication and Key Exchange fields in your Default session are *already* set how you want them (with GSSAPI auth and all the Kerberos kex methods disabled), you must first change the Default session's Auth and Kex methods to enable one or more of them in the Authentication and Key Exchange sections (and apply that "change" to just the Default session) and then edit the Default session again to set the GSSAPI Authentication and Kerberos-related Key Exchange entries so they're disabled, (and apply that "change" to ALL of your existing sessions).
Attached Images
File Type: png SCRT_SessionOptions_SSH2_Disable_GSSAPI_and_Kerberos.png (36.4 KB, 14398 views)
File Type: png SCRT_macOS_Disable_GSSAPI-and-Kerberos.png (269.8 KB, 14507 views)
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support

Last edited by bgagnon; 07-01-2021 at 09:22 AM. Reason: Removed word that was unnecessary (3rd paragraph, was includes anything *that*)
Closed Thread

cisco , connection closed , connection delays , connection hangs , connection timeouts , debugging , faq , mac , securecrt , troubleshooting

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT -6. The time now is 01:35 AM.