
I am struggling to connect via SFTP to my AWS test account from my on-prem server.

When I cd into the directory where my private ssh-key is and run sftp -v -i <private_key_file> <client>@<hostname>, this is what I am getting:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to <hostname> [<IP Adress>] port 22.
debug1: Connection established.
debug1: identity file <private_key_file> type 1
debug1: key_load_public: No such file or directory
debug1: identity file <private_key_file>-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version AWS_SFTP_1.1
debug1: no match: AWS_SFTP_1.1
debug1: Authenticating to <hostname>:22 as 'client'
debug1: SSH2_MSG_KEXINIT sent

and after much longer I get Couldn't read packet: Connection reset by peer.

The weird thing is that when I do the same connection from the same on-prem server to my AWS dev account, it works fine. The AWS test environment is where this doesn't work. I have obviously assigned another public key to the client that sits on my AWS test environment and am referencing the new private one in the command above.

Any help would be truly appreciated.

1 Answer

SSH freezing after SSH2_MSG_KEXINIT sent is a sure sign that there is a problem with the MTU.

Path MTU Discovery is supposed to determine the MTU automatically for you. Depending on firewall rules in between and the operating systems on both ends, that might not work, however.

If Path MTU Discovery does not work, you have to set the MTU manually.

I suggest starting with 1400 and going up to the highest value that still works.

How to set the MTU and make the change persistent depends on the operating system.
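
One way to find "the highest value that still works" without changing the interface by hand for every attempt, as an added example that is not part of the answer above: a binary search over packet sizes sent with the Don't Fragment bit set. It assumes Linux iputils `ping` (`-M do`) and a target, or another host on the same path, that answers ICMP echo; the function names and the pluggable probe argument are made up for this example.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses a path unfragmented.
# Assumptions (not from the page): Linux iputils ping, where "-M do" sets
# Don't Fragment, and a target that replies to ICMP echo.

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# Default probe: one DF-flagged echo whose total IP packet size is $2 bytes.
# Succeeds only if a reply comes back, i.e. nothing on the path dropped it.
ping_probe() (
    host=$1 mtu=$2
    ping -M do -c 1 -W 2 -s "$((mtu - IP_ICMP_OVERHEAD))" "$host" >/dev/null 2>&1
)

# find_path_mtu HOST [LOW] [HIGH] [PROBE_FN]
# Binary-searches [LOW, HIGH] for the highest size the probe accepts.
# Prints that size and returns 0; returns 1 if even LOW gets no reply,
# which usually means ICMP is filtered and this method cannot be used.
find_path_mtu() (
    host=$1 low=${2:-576} high=${3:-1500} probe=${4:-ping_probe}
    "$probe" "$host" "$low" || return 1
    while [ "$low" -lt "$high" ]; do
        mid=$(( (low + high + 1) / 2 ))   # round up so the loop terminates
        if "$probe" "$host" "$mid"; then
            low=$mid                      # mid fits: search above it
        else
            high=$((mid - 1))             # mid was dropped: search below it
        fi
    done
    echo "$low"
)

# Command-line use: sh pmtu.sh <hostname>
if [ $# -ge 1 ]; then
    if mtu=$(find_path_mtu "$1"); then
        echo "Largest unfragmented packet to $1: $mtu bytes"
    else
        echo "No reply even at the lowest size; ICMP may be filtered" >&2
        exit 1
    fi
fi
```

If the search stops below 1500 while the interface MTU is 1500, large packets are being dropped silently somewhere on the path, and the printed size is the value to try as the interface MTU.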
