Silver

Nautilus file manager stuck - X11 forwarding

Hi Team,

I am facing a peculiar issue with Remote Access VPN and am running out of options. TAC is involved, but the issue is really tricky.

  1. Customer is using Remote Access VPN. Firewalls are on R80.10.
  2. This is Endpoint VPN. So here is the issue:
  3. User sitting on the Internet opens up a Remote Access session to the firewall.
  4. Once connected, the user opens up MobaXterm and starts an SSH session with X11 forwarding; the command is ssh -XY user@IP-Address
  5. On the shell he opens Nautilus, and Nautilus [file manager on Linux] hangs.
  6. If the same is opened on the LAN, it opens up immediately.

What could be the issue? I captured packets at different levels; however, it's confirmed that the session is initiated from client to server on port 22 and Nautilus gets opened in the same tunnel.

 

0 Kudos
6 Replies

Make sure that reject_x11_in_any is unchecked in the Global Properties under Advanced...Advanced Configuration...Configure...Firewall-1...Stateful Inspection.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos
Silver

That's the first thing I did and it didn't work.

However, since the connection is encrypted through SSH, I really doubt the firewall would understand the X11 forwarding inside?

0 Kudos

When starting up is Nautilus trying to reach an area of the internal network that is not allowed by the Endpoint Policy, not allowed by the Firewall's policy, or otherwise not part of the VPN domain and therefore not reachable?

Also, this is a long shot, but if Endpoint Security is currently using IKE/IPSec, try changing the transport to SSL/TLS to rule out a possible intervening low MTU issue: sk107433: How to change transport method with Endpoint Clients

0 Kudos
Silver

This is again connected with port 443 Visitor Mode. This is something unique that I am not able to capture for sure.

 

0 Kudos

Yeah, the firewall would only see SSH (SSH has an option to automatically set up X11 redirects over the SSH tunnel). I honestly don't get how anyone uses that. Doing something like opening a web browser over X11 over SSH is a completely horrible experience. VNC, xrdp or virt-viewer are the only really usable remote video systems I've used on a Unix box.

X11 over non-SSH might be more usable, but the voodoo involved with getting that working has always escaped me.

0 Kudos
Admin

If it’s me, I’d be checking what a successful connection looks like versus an unsuccessful connection from the server (with tcpdump or similar).
If they look identical, then it may be something on the gateway/endpoint configuration.
If they look different (other than IPs, obviously), then it may not be entirely gateway/endpoint related.

0 Kudos
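
Added example, not part of the thread: one way to do the working-versus-failing comparison suggested in the last reply while also testing the low-MTU suspicion raised earlier. It assumes text captures taken on the SSH server with `tcpdump -nn -tt`; the addresses, the sample lines and the `size_dependent_loss` heuristic are constructed for illustration.

```python
import re

# tcpdump -nn -tt text line for a TCP segment that carries data (has "seq a:b").
SEG = re.compile(r"^(\d+\.\d+) IP (\S+) > \S+: Flags \[[^\]]+\], "
                 r"seq (\d+):(\d+),")

def summarize(capture_text, server):
    """Summarize data segments sent by `server` (tcpdump form 'ip.port')."""
    sends = {}  # (seq_start, seq_end) -> timestamps at which it was sent
    for line in capture_text.splitlines():
        m = SEG.match(line.strip())
        if m and m.group(2) == server:
            key = (int(m.group(3)), int(m.group(4)))
            sends.setdefault(key, []).append(float(m.group(1)))
    once = [e - s for (s, e), ts in sends.items() if len(ts) == 1]
    again = [e - s for (s, e), ts in sends.items() if len(ts) > 1]
    span = max((ts[-1] - ts[0] for ts in sends.values()), default=0.0)
    return {
        "segments": len(sends),
        "retransmitted": len(again),
        "largest_sent_once": max(once, default=0),
        "smallest_retransmitted": min(again, default=0),
        "longest_retransmit_span": round(span, 3),
    }

def size_dependent_loss(summary):
    """Heuristic (assumption): only segments bigger than every clean one were resent."""
    return (summary["retransmitted"] > 0
            and summary["smallest_retransmitted"] > summary["largest_sent_once"])

# Constructed sample captures: the same SSH/X11 session on the LAN and over the VPN.
LAN = """\
1589000000.000100 IP 10.0.0.5.22 > 10.0.0.9.51514: Flags [P.], seq 1:101, ack 1, win 229, length 100
1589000000.000900 IP 10.0.0.9.51514 > 10.0.0.5.22: Flags [.], ack 101, win 501, length 0
1589000000.001200 IP 10.0.0.5.22 > 10.0.0.9.51514: Flags [.], seq 101:1549, ack 1, win 229, length 1448
1589000000.002000 IP 10.0.0.9.51514 > 10.0.0.5.22: Flags [.], ack 1549, win 501, length 0
"""
VPN = """\
1589000100.000100 IP 10.0.0.5.22 > 172.16.10.20.51600: Flags [P.], seq 1:101, ack 1, win 229, length 100
1589000100.045000 IP 172.16.10.20.51600 > 10.0.0.5.22: Flags [.], ack 101, win 501, length 0
1589000100.045300 IP 10.0.0.5.22 > 172.16.10.20.51600: Flags [.], seq 101:1549, ack 1, win 229, length 1448
1589000100.260000 IP 10.0.0.5.22 > 172.16.10.20.51600: Flags [.], seq 101:1549, ack 1, win 229, length 1448
1589000100.690000 IP 10.0.0.5.22 > 172.16.10.20.51600: Flags [.], seq 101:1549, ack 1, win 229, length 1448
1589000101.550000 IP 10.0.0.5.22 > 172.16.10.20.51600: Flags [.], seq 101:1549, ack 1, win 229, length 1448
"""
if __name__ == "__main__":
    for name, cap in (("LAN", LAN), ("VPN", VPN)):
        s = summarize(cap, "10.0.0.5.22")
        print(name, s, "size-dependent loss:", size_dependent_loss(s))
```

If small segments pass while full-size ones are resent with growing back-off only on the VPN path, the two captures differ in the way the last reply describes, and the MTU theory is worth pursuing before the gateway policy.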