https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/186159#M34261 <P>Hello everyone.&nbsp;</P><P>As shown as attached, we use Checkpoint 3600 as our gateway and connect it to our core switch.</P><P>We observed that SSH connection from VLAN-A to VLAN-B is failed.<BR />For example, We use laptop with VLAN10 IP to SSH access Cisco network switch which with VLAN20, but connection is failed.<BR />We use SSHv2 and observed Checkpoint firewall accept SSHv2 on log level, but connection is failed.At the same time there is SSHv1 releated drop log but do not know if SSHv2 connection failed and SSHv1 drop log are connected or not.</P><P><BR />Also, we tryied using the same laptop with VLAN20 IP and observed SSHv2 connection is worked.<BR />We did not filter anything on Cisco switch and also observed the same behavior with other platform like Cisco 9200 and HP A5800 network switch.Therefore, we believe that it fails only when packet go through the firewall/across VLANs.<BR />Could anyone share how to investigate futher on Checkpoint or solve this issue? Thanks.</P> Wed, 12 Jul 2023 00:52:19 GMT Sung 2023-07-12T00:52:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/186159#M34261 <P>Hello everyone.&nbsp;</P><P>As shown as attached, we use Checkpoint 3600 as our gateway and connect it to our core switch.</P><P>We observed that SSH connection from VLAN-A to VLAN-B is failed.<BR />For example, We use laptop with VLAN10 IP to SSH access Cisco network switch which with VLAN20, but connection is failed.<BR />We use SSHv2 and observed Checkpoint firewall accept SSHv2 on log level, but connection is failed.At the same time there is SSHv1 releated drop log but do not know if SSHv2 connection failed and SSHv1 drop log are connected or not.</P><P><BR />Also, we tryied using the same laptop with VLAN20 IP and observed SSHv2 connection is worked.<BR />We did not filter anything on Cisco switch and also observed the same behavior with other platform like Cisco 9200 and HP A5800 network switch.Therefore, we believe that it fails only when packet go through the firewall/across VLANs.<BR />Could anyone share how to investigate futher on Checkpoint or solve this issue? Thanks.</P> Wed, 12 Jul 2023 00:52:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/186159#M34261 Sung 2023-07-12T00:52:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/186164#M34262 <P>I will give you basic command I would do first, it should provide an idea as to why it fails. So, lets pretend IP involved is 1.2.3.4 trying to ssh</P> <P>You could do this from expert on the fw -&gt; fw ctl zdebug + drop | grep 1.2.3.4 | grep "22"</P> <P>You can run same command just grepping for port 22</P> <P>Alternatively, you can also do fw monitor -e "accept host(1.2.3.4) and port(22);"</P> <P>There is also fw monitor -F filter, which is real good, so say src is 1.2.3.4 and dst is 2.3.4.5 and dst port is 22, it would look like below</P> <P>fw monitor -F "1.2.3.4,0,2.3.4.5,22,0" -F "2.3.4.5,0,1.2.3.4,22,0"</P> <P>Idea is this "srcip,src port, dst ip, dst port, protocol"</P> <P>Needless to say, you dont care about src port, as its totally irrelevant.</P> <P>Hope that helps.</P> <P>Andy</P> Wed, 12 Jul 2023 01:13:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/186164#M34262 the_rock 2023-07-12T01:13:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/187139#M34464 <P>Thank you. Will check with these debug commands and see what can we see.</P> Fri, 21 Jul 2023 05:24:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSH-connection-failed-when-it-go-through-the-firewall-across/m-p/187139#M34464 Sung 2023-07-21T05:24:56Z