SSH connection fails when it goes through the firewall/across VLANs.

Hello everyone. 

As shown in the attachment, we use Checkpoint 3600 as our gateway and connect it to our core switch.

We observed that the SSH connection from VLAN-A to VLAN-B fails.
For example, we use a laptop with a VLAN10 IP to SSH into a Cisco network switch on VLAN20, but the connection fails.
We use SSHv2 and observed that the Checkpoint firewall accepts SSHv2 at the log level, but the connection fails. At the same time there is an SSHv1-related drop log, but we do not know whether the SSHv2 connection failure and the SSHv1 drop log are connected or not.

Also, we tried using the same laptop with a VLAN20 IP and observed that the SSHv2 connection works.
We did not filter anything on the Cisco switch and also observed the same behavior with other platforms like the Cisco 9200 and HP A5800 network switches. Therefore, we believe that it fails only when packets go through the firewall/across VLANs.
Could anyone share how to investigate further on Checkpoint or solve this issue? Thanks.


I will give you the basic commands I would run first; they should provide an idea as to why it fails. So, let's pretend the IP involved is trying to ssh

You could do this from expert on the fw -> fw ctl zdebug + drop | grep | grep "22"

You can run same command just grepping for port 22

Alternatively, you can also do fw monitor -e "accept host( and port(22);"

There is also the fw monitor -F filter, which is really good, so say src is and dst is and dst port is 22, it would look like below

fw monitor -F ",0,,22,0" -F ",0,,22,0"

The idea is this: "srcip,src port, dst ip, dst port, protocol"

Needless to say, you don't care about src port, as it's totally irrelevant.

Hope that helps.


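As an added example (not from the reply above or from Check Point), a small POSIX shell helper that builds the two fw monitor -F filters for one SSH flow in the "srcip,src port,dst ip,dst port,protocol" layout the reply describes, with 0 as the wildcard. It assumes the return direction should be matched with the service port in the source-port field, and the IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Builds fw monitor -F filters for both directions of a TCP flow.
# Field layout (from the reply): "src,sport,dst,dport,proto", 0 = any.

# is_ipv4 ADDR: returns 0 when ADDR is four dotted octets in 0-255.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# fw_monitor_filter SRC DST DPORT [PROTO]: prints the -F arguments for
# the forward flow (client -> server) and the return flow (server ->
# client, where the service port is now the SOURCE port and the client's
# ephemeral port is left as 0). PROTO defaults to 0 (any); 6 = TCP.
fw_monitor_filter() {
    src=$1; dst=$2; dport=$3; proto=${4:-0}
    is_ipv4 "$src" && is_ipv4 "$dst" || { echo "bad IPv4 address" >&2; return 1; }
    printf -- '-F "%s,0,%s,%s,%s" -F "%s,%s,%s,0,%s"\n' \
        "$src" "$dst" "$dport" "$proto" "$dst" "$dport" "$src" "$proto"
}

# Constructed example: laptop 10.0.10.50 in VLAN10 (assumption),
# switch 10.0.20.1 in VLAN20 (assumption), SSH on TCP/22.
fw_monitor_filter 10.0.10.50 10.0.20.1 22 6
```

Paste the printed arguments after `fw monitor` in expert mode; seeing the forward packets but no return packets narrows the problem to the switch side or to a drop on the reply path.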

Thank you. Will check with these debug commands and see what we can see.
