KM1895
Participant

ssh access issues

hi,

I have a strange challenge on a cluster. SSH access from a specific jump host is not working.

tcpdump shows that the fw receives the SYN packet, but doesn't send any replies back. SmartConsole logs also show that the request is accepted, and there are no anti-spoofing issues.

I can access the fw on SSH from another location, which kinda adds to the whole mystery.

There is nothing logged when running zdebug drop, so for all intents and purposes, the packet is received, then "vanishes" after that.

Anyone seen anything similar before?

Timothy_Hall
Champion

Sounds like the Gaia OS is "eating" the packet. If you run fw monitor, do you see the packet at capture points i and I and then nothing else?

In the Gaia web interface, check the Allowed Hosts screen under System Management...Host Access; you probably have some Gaia-based SSH/HTTPS restrictions defined there.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Bob_Zimmerman
Advisor

Would also be worth confirming routing back to the jump host in question. It's possible the firewall is sending the SYN-ACK, just out a different interface than expected. The simplest way to confirm routing is with 'ip route get', like so:

[Expert@LabSC]# ip route get 1.1.1.1
1.1.1.1 via 10.0.1.1 dev eth1 src 10.0.1.253 
    cache 

That output says I will use eth1 to get to that destination, and I will use the gateway address 10.0.1.1. My source for transmitted traffic will be 10.0.1.253.

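The return-path check described in the reply above, turned into a small script. This is an added example, not code from the thread or from Check Point: it parses the first line of `ip route get` output (the `via`, `dev` and `src` fields shown above) and compares the egress interface with the interface the SYN was captured on, so that an asymmetric reply path shows up immediately. The two sample outputs, the jump-host address 10.20.30.40 and the interface names eth1/eth2 are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the SYN-ACK to a jump host
# would leave the same interface the SYN arrived on, using `ip route get` output.
# Both samples below are constructed; they mirror the format shown in the thread.

# Constructed sample: the reply leaves eth1, the interface the SYN came in on.
SAMPLE_SYMMETRIC='10.20.30.40 via 10.0.1.1 dev eth1 src 10.0.1.253 
    cache '
# Constructed sample: the reply would leave eth2 while the SYN arrived on eth1.
SAMPLE_ASYMMETRIC='10.20.30.40 via 192.168.5.1 dev eth2 src 192.168.5.10 
    cache '

# Print the value that follows a keyword (dev, via, src) on the first line of
# `ip route get` output. Prints nothing if the keyword is absent (e.g. no `via`
# for a directly connected destination).
route_field() {
    # $1 = keyword, $2 = full `ip route get` output
    printf '%s\n' "$2" | awk -v key="$1" '
        NR == 1 { for (i = 1; i < NF; i++) if ($i == key) { print $(i+1); exit } }'
}

# Return 0 when the egress interface equals the ingress interface, 1 when the
# reply would leave elsewhere (asymmetric routing), 2 when the output is unparseable.
check_symmetric() {
    # $1 = interface the SYN was seen on (tcpdump -i ...), $2 = `ip route get` output
    egress=$(route_field dev "$2")
    [ -n "$egress" ] || { echo "could not parse egress interface" >&2; return 2; }
    if [ "$egress" = "$1" ]; then
        echo "symmetric: reply leaves $egress (via $(route_field via "$2"), src $(route_field src "$2"))"
        return 0
    else
        echo "ASYMMETRIC: SYN arrived on $1 but reply leaves $egress (via $(route_field via "$2"))"
        return 1
    fi
}

# On a live gateway you would feed the real lookup instead of the samples:
#   check_symmetric eth1 "$(ip route get 10.20.30.40)"
check_symmetric eth1 "$SAMPLE_SYMMETRIC"
check_symmetric eth1 "$SAMPLE_ASYMMETRIC" || true
```

If the script reports ASYMMETRIC, the gateway is likely answering the SYN, just on an interface the jump host never sees, which is consistent with tcpdump showing the SYN arrive and nothing leaving that same interface. To make the lookup match the real reply exactly, `ip route get` also accepts the source and ingress interface of the original packet, e.g. `ip route get 10.20.30.40 from 10.0.1.253 iif eth1`, which exercises any policy routing rules the plain lookup would skip.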
the_rock
Authority

Timothy actually brought up a good point...maybe do fw monitor to see what happens. Allowed Hosts in web GUI could also cause an issue if configured for specific hosts.

Timothy_Hall
Champion

Yes, and because the SSH traffic is to the gateway itself, that traffic will always go F2F, so there is no need to disable SecureXL for the traffic to be visible with fw monitor -e.
