Blason_R
Leader

Nautilus file manager stuck - X11 forwarding

Hi Team,

I am facing a peculiar issue with Remote Access VPN and am running out of options. TAC is involved but the issue is really tricky.

  1. Customer is using Remote Access VPN. Firewalls are on R80.10.
  2. This is Endpoint VPN. So here is the issue:
  3. User sitting on the Internet opens up a Remote Access session to the firewall.
  4. Once connected, the user opens up MobaXterm and starts an SSH session with X11 forwarding; the command is ssh -XY user@IP-Address
  5. On the shell he opens nautilus, and nautilus [file manager on Linux] hangs.
  6. If the same is opened on the LAN, it opens up immediately.

What could be the issue? I captured packets at different levels; however, it's confirmed that the session is initiated from client to server on port 22 and nautilus gets opened in the same tunnel.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
6 Replies
Timothy_Hall
Legend

Make sure that reject_x11_in_any is unchecked in the Global Properties under Advanced...Advanced Configuration...Configure...Firewall-1...Stateful Inspection.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Blason_R
Leader

That's the first thing I did and it didn't work.

However, since the connection is encrypted through SSH, I really doubt the firewall would understand X11 forwarding inside?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Timothy_Hall
Legend

When starting up is Nautilus trying to reach an area of the internal network that is not allowed by the Endpoint Policy, not allowed by the Firewall's policy, or otherwise not part of the VPN domain and therefore not reachable?

Also this is a long shot but if Endpoint Security is currently using IKE/IPSec try changing the transport to SSL/TLS to rule out a possible intervening low MTU issue: sk107433: How to change transport method with Endpoint Clients

0 Kudos
Blason_R
Leader

This is again connected with port 443 Visitor Mode. This is something unique that I am not able to capture for sure.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
John_Fleming
Advisor

Yeah, the firewall would only see ssh (ssh has an option to automatically set up X11 redirects over the ssh tunnel). I honestly don't get how anyone uses that. Doing something like opening a web browser over X11 over ssh is a completely horrible experience. VNC, xrdp or virt-viewer are the only really usable remote video systems I've used on a unix box.

X11 over non-ssh might be more usable, but the voodoo involved with getting that working has always escaped me.

0 Kudos
PhoneBoy
Admin

If it’s me, I’d be checking what a successful connection looks like versus an unsuccessful connection from the server (with tcpdump or similar).
If they look identical, then it may be something on the gateway/endpoint configuration.
If they look different (other than IPs, obviously), then it may not be entirely gateway/endpoint related.

0 Kudos
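
An added example, not part of any post in this thread: one way to carry out the working-versus-failing capture comparison suggested above, which also tests the low-MTU theory raised earlier by checking whether only large segments from the SSH server get retransmitted. It assumes `tcpdump -nn` text output taken on the SSH server for port 22; the function names, verdict strings, addresses and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches tcpdump -nn text lines that carry TCP payload ("seq START:END ... length N").
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[[^\]]*\], seq (\d+):(\d+),.* length (\d+)")

def summarize(capture_text, server_port=".22"):
    """Count distinct and retransmitted server-to-client data segments."""
    seen = Counter()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if m and m.group(1).endswith(server_port):
            seen[(m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5)))] += 1
    resent = [key[3] for key, n in seen.items() if n > 1]   # same seq range sent again
    clean = [key[3] for key, n in seen.items() if n == 1]   # sent exactly once
    return {"segments": len(seen), "retransmitted": len(resent),
            "min_resent_len": min(resent, default=None),
            "max_clean_len": max(clean, default=0)}

def compare(good_text, bad_text):
    """Classify how the failing capture differs from the working one."""
    good, bad = summarize(good_text), summarize(bad_text)
    if bad["retransmitted"] <= good["retransmitted"]:
        return "no-difference"        # captures look alike: check gateway/endpoint config
    if bad["min_resent_len"] > bad["max_clean_len"]:
        return "size-dependent-loss"  # only large segments are resent: check path MTU
    return "other-loss"

# Constructed sample captures (not from the thread); addresses are placeholders.
GOOD_LAN = """\
12:00:01.000 IP 10.0.0.5.22 > 10.0.0.9.51000: Flags [P.], seq 1:101, ack 1, win 229, length 100
12:00:01.010 IP 10.0.0.5.22 > 10.0.0.9.51000: Flags [.], seq 101:1549, ack 1, win 229, length 1448
12:00:01.011 IP 10.0.0.9.51000 > 10.0.0.5.22: Flags [.], ack 1549, win 500, length 0
"""
BAD_VPN = """\
12:05:01.000 IP 10.0.0.5.22 > 172.16.10.7.51000: Flags [P.], seq 1:101, ack 1, win 229, length 100
12:05:01.010 IP 10.0.0.5.22 > 172.16.10.7.51000: Flags [.], seq 101:1549, ack 1, win 229, length 1448
12:05:01.250 IP 10.0.0.5.22 > 172.16.10.7.51000: Flags [.], seq 101:1549, ack 1, win 229, length 1448
12:05:01.730 IP 10.0.0.5.22 > 172.16.10.7.51000: Flags [.], seq 101:1549, ack 1, win 229, length 1448
"""

if __name__ == "__main__":
    print(summarize(GOOD_LAN))
    print(summarize(BAD_VPN))
    print(compare(GOOD_LAN, BAD_VPN))
```

Retransmissions are matched on identical sequence ranges, so each capture should come from a single tcpdump run of a single SSH session.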
