the_rock
Champion

Unable to ssh into CP 1100 appliance


Hey guys,

I know this may sound like a really silly question, but I can't seem to figure it out. I'm no expert in these CP Embedded Gaia appliances at all, but it seems pretty straightforward. I can access the customer's web UI fine via one of our remote servers, but no matter what, SSH never works. I even followed the below, but still the same.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Is there anything else that's required for this to work? I checked the policy, as it's locally managed, and there are no restrictions at all.

Any help would be appreciated!

0 Kudos
13 Replies
G_W_Albrecht
Legend

I would suggest checking the logs - if an SSH connection is impossible, the logs should say something about that. The only things that come to my mind are that RSA key files for SSH are configured (sk106836 How to configure SSH authentication using RSA key files on Security Gateway 80 / 600 / 700 / 1100 / 1200R / 1400 appliance) and/or SSH access is restricted (sk167199 How to disable username/password login for SSH on Embedded GAIA).

CCSE CCTE SMB Specialist
0 Kudos
the_rock
Champion

Thanks G, appreciated. See, the problem is we can't do much about either sk, since we can't even SSH into the appliance : (. Yes, that was the first thing I looked at, and all I see when I filter for SSH is that there were a bunch of logs showing unauthorized access from IPs not allowed, which makes sense, but the issue is I can't even ping the 192.168.x.x IP address listed there, so that's what I'm working on at the moment to see if I can somehow gain access to it. I attached a screenshot of the logs.

0 Kudos
G_W_Albrecht
Legend

I would use console access to tame it 😉

CCSE CCTE SMB Specialist
0 Kudos
the_rock
Champion

I hear ya brother : - ). I'm not the guy to give up easily on things, but I'm getting a little discouraged here, haha. Thanks again!

0 Kudos
the_rock
Champion

By the way, just wondering, maybe I missed this in the guide, but does the same command work on the 1100 to get the config via SSH? show configuration, or is it different?

0 Kudos
G_W_Albrecht
Legend

show configuration works in the clish of Embedded GAiA.

CCSE CCTE SMB Specialist
0 Kudos
the_rock
Champion

Thanks G... the customer added a local workstation to the allowed list for access, and I was able to get SSH and run show config. Appreciate your help!

0 Kudos
G_W_Albrecht
Legend

Kudo appreciated 😎

CCSE CCTE SMB Specialist
the_rock
Champion

Thank you as always... I personally consider you the top person in the world as an 1100 expert, so I know any advice you give is always correct!

0 Kudos
G_W_Albrecht
Legend

I would not bet upon that, bro - mistakes are made very easily, and I have also written some B+++s+++ in past posts...

CCSE CCTE SMB Specialist
0 Kudos
the_rock
Champion

Well, truth be told, we all write BS sometimes LOL

0 Kudos
PhoneBoy
Admin

What is the precise behavior you see on the client side?
If it's a timeout, it could be getting blocked upstream.
If it connects but "fails" somehow... then it would be good to know what messages you're getting.

Note that the SSH daemon on the 1100 is pretty old, so it won't necessarily support all the latest ciphers.
That could conceivably cause issues with some clients (particularly if SSH keys are used for auth).

All of this would be much easier to troubleshoot with console access, of course.

0 Kudos
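The client-side triage described in the reply above, as an added example that is not part of the thread or of any Check Point tooling: a small POSIX sh helper that classifies the last line the ssh client printed (timeout versus refused versus algorithm mismatch versus key-only auth) and, for an "Unable to negotiate ... Their offer:" failure, builds the single `-o` option that opts back into the first algorithm the old sshd offered, then retries. The host 192.168.1.1, the sample error lines, and the function names are all assumptions/constructed; the sk numbers are the ones G_W_Albrecht cited earlier in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point). Triage an ssh failure
# against an Embedded Gaia appliance from the client side. The sample
# messages and the host 192.168.1.1 are constructed placeholders.

# Map the last stderr line ssh printed to a likely cause and next step.
classify_ssh_error() {
    msg="$1"
    case "$msg" in
        *"Connection timed out"*|*"Operation timed out"*)
            echo "timeout: neither SYN/ACK nor RST came back; suspect an upstream filter or routing rather than sshd" ;;
        *"Connection refused"*)
            echo "refused: the handshake was answered with RST; nothing accepts on port 22 at that address, or a device in the path rejects instead of dropping" ;;
        *"Unable to negotiate"*)
            echo "negotiate: client and server share no algorithm; retry with a legacy KexAlgorithms/Ciphers/HostKeyAlgorithms option" ;;
        *"Permission denied (publickey)"*)
            echo "auth: server accepts key-based login only (see sk167199 / sk106836); password login is disabled" ;;
        *"REMOTE HOST IDENTIFICATION HAS CHANGED"*)
            echo "hostkey: known_hosts mismatch; verify the appliance fingerprint out of band before removing the entry" ;;
        *)
            echo "unknown: rerun with ssh -vvv and read the lines just before the failure" ;;
    esac
}

# Turn an OpenSSH "Unable to negotiate ... Their offer: a,b,c" line into the
# -o option that re-enables the server's first offered algorithm. The '+'
# appends to the client's default list instead of replacing it.
legacy_option_from_offer() {
    msg="$1"
    offer=$(printf '%s\n' "$msg" | sed -n 's/.*Their offer: //p' | cut -d, -f1)
    [ -n "$offer" ] || return 1
    case "$msg" in
        *"key exchange method"*) echo "-oKexAlgorithms=+$offer" ;;
        *"cipher found"*)        echo "-oCiphers=+$offer" ;;
        *"host key type"*)       echo "-oHostKeyAlgorithms=+$offer" ;;
        *"MAC found"*)           echo "-oMACs=+$offer" ;;
        *)                       return 1 ;;
    esac
}

# Connect once with the client defaults and a 5 s connect timeout so a silent
# upstream drop is reported as a timeout instead of hanging. On failure,
# explain it; on an algorithm mismatch, retry once with the implied option.
ssh_with_fallback() {
    errf=$(mktemp) || return 1
    if ssh -oConnectTimeout=5 "$@" 2>"$errf"; then
        rm -f "$errf"
        return 0
    fi
    last=$(tail -n 1 "$errf")
    rm -f "$errf"
    classify_ssh_error "$last" >&2
    opt=$(legacy_option_from_offer "$last") || return 1
    echo "retrying with $opt" >&2
    ssh -oConnectTimeout=5 "$opt" "$@"
}

# Usage when run directly: ./ssh_triage.sh admin@192.168.1.1
if [ $# -gt 0 ]; then
    ssh_with_fallback "$@"
fi
```

Re-enabling something like diffie-hellman-group1-sha1 or an ssh-rsa host key this way does weaken the session, so treat the printed `-o` option as a one-off workaround scoped to that appliance (for example a `Host` block in `~/.ssh/config`), not as a client-wide default. A `refused` result is worth noting separately from a timeout: an RST means something answered, so a pure upstream drop rule is less likely than a daemon not listening on that interface or a device in the path actively rejecting.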
the_rock
Champion

Thanks as always D. Yeah, so we keep getting connection refused, and I even added a rule manually to allow everything from any source, and no luck. I got permission to reboot it later tonight, so we will see if that helps. If not, I told the customer they need to get console.

 

Thanks guys!

0 Kudos