topic Re: ssh problem on mac os x in General Topics

ssh problem on mac os x

MPI-AE — Thu, 26 Jan 2017 07:44:22 GMT

Hey guys,

I have such a weird problem.

A user has to connect to a samba server. He does it on his mac with cyberduck, Port 999 and ssh.

in the monitor, the application is "incomplete", the action is "allow", and session end reason is "aged-out".

Currently, the concerning firewall policy to this public server is any app and any service.

However, the connection doesn't work. It can't connect.

What's the deal here?

PS: It worked yesterday! So I think there is something wrong with the firewall (PA 3020).

I also restored the backup from yesterday, however, it doesn't work!

What can I do? Restart dataplane? Restart the whole device?

Thank you very much.

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 07:41:26 GMT

Hi,

Can you ping a server from PA? Looks like TCP handshake is not complete. Any NAT in place? Check detailed traffic log reason and bytes received/sent.

Thx,

Myky

Re: ssh problem on mac os x

MPI-AE — Thu, 26 Jan 2017 07:50:26 GMT

Yes I can ping the public ip of the server. as source interface I used the gateway which the mac uses.

Yes, there is NAT in place.

detailed log view:

Bytes send: 640

Bytes received: 0

Repeat Count: 1

Packets: 8

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 08:06:17 GMT

Hi,

Looks like you stealing an information:) Just post snip of your detailed session and NAT rule for the client (wipe sensitive info from logs). What version of PAN-OS you running?

Thx,

Myky

Re: ssh problem on mac os x

MPI-AE — Thu, 26 Jan 2017 08:17:06 GMT

Hey Myky,

sorry.

Security Rule:

NAT Rule is just a dynamic-ip-and-port Source Translation.

PAN OS: 7.0.7

The weird thing is, this worked yesterday.

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 08:52:49 GMT

Looks to me that the server is not responding to the ssh request on port 999.

Can you try from the cli on Palo and do PCAP put the filter to the server ip addrtess :

> ssh port 999 source (external ip) host (server ip)

Re: ssh problem on mac os x

kdd — Thu, 26 Jan 2017 09:59:48 GMT

Hi MPI-AE,

does the server listening to port 999 or is it 22 which is often used for ssh. As it worked before did you do nat as well ?

Regards,

Klaus

Re: ssh problem on mac os x

MPI-AE — Thu, 26 Jan 2017 11:02:42 GMT

You were right, our public NAT IP was blocked in the server's internal firewall.

Thank you!

PS: What effect does "Restart Dataplane" under Device -> Operations have?

When do I use it?

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 12:41:34 GMT

Good point actually. As it was a silent drop (no RST or reject received by PA). Dataplane @reaper should have an answer. l never use that option

Re: ssh problem on mac os x

BPry — Thu, 26 Jan 2017 13:59:33 GMT

The dataplane is what actually processes all of your traffic. Restarting it would essentially temporarly stop traffic from being processed while the dataplane comes back up. You really only use it if you suspect that one of the processes isn't functioning correctly and need to restart it without actually restarting the box. It's quite a bit faster than restarting the whole thing as you only have to wait for 'half' the box to come back up. This graph might help.

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 14:06:54 GMT

@BPry Pretty good explanation l would say. I did play with management plane process restart where the issues seen more often

Re: ssh problem on mac os x

BPry — Thu, 26 Jan 2017 14:18:24 GMT

@TranceforLife I would say that the majority of issues that people run into can be attributed to a management process and not a dataplane process. Really since restarting the dataplane is going to have an impact anyways most of the time if we do run into an issue that could be fixed with a dataplane restart we just restart the whole thing.

Re: ssh problem on mac os x

TranceforLife — Thu, 26 Jan 2017 15:10:07 GMT

Agreed same time control plane will get refreshed wich is also a good thing :0