ssh problem on mac os x

L4 Transporter

ssh problem on mac os x

Hey guys,

 

I have such a weird problem.

 

A user has to connect to a samba server. He does it on his mac with cyberduck, Port 999 and ssh.

 

In the monitor, the application is "incomplete", the action is "allow", and the session end reason is "aged-out".

 

Currently, the concerning firewall policy to this public server is any app and any service.

 

However, the connection doesn't work. It can't connect.

 

What's the deal here?

 

PS: It worked yesterday! So I think there is something wrong with the firewall (PA 3020).

I also restored the backup from yesterday, however, it doesn't work!

 

What can I do? Restart dataplane? Restart the whole device?

 

Thank you very much.

 

L6 Presenter

Re: ssh problem on mac os x

Hi,

 

Can you ping a server from PA? Looks like TCP handshake is not complete. Any NAT in place? Check detailed traffic log reason and bytes received/sent.

 

Thx,

Myky

L4 Transporter

Re: ssh problem on mac os x

Yes, I can ping the public IP of the server. As source interface I used the gateway which the Mac uses.

Yes, there is NAT in place.

 

detailed log view:

Bytes sent: 640

Bytes received: 0

Repeat Count: 1

Packets: 8

L6 Presenter

Re: ssh problem on mac os x

Hi,

 

Looks like you're stealing information :) Just post a snip of your detailed session and NAT rule for the client (wipe sensitive info from logs). What version of PAN-OS are you running?

Thx,

Myky

L4 Transporter

Re: ssh problem on mac os x

Hey Myky,

sorry.

 

PA1.JPG

Security Rule:

PA2.JPG

 

 

NAT Rule is just a dynamic-ip-and-port Source Translation.

 

PAN OS: 7.0.7

 

The weird thing is, this worked yesterday.

L6 Presenter

Re: ssh problem on mac os x

Looks to me that the server is not responding to the ssh request on port 999. 

Can you try from the CLI on the Palo and do a PCAP? Put the filter to the server IP address:

 

> ssh port 999 source (external ip) host (server ip)

kdd
L4 Transporter

Re: ssh problem on mac os x

Hi MPI-AE,

 

Is the server listening on port 999, or is it 22, which is often used for ssh? As it worked before, did you do NAT as well?

 

Regards,

Klaus

L4 Transporter

Re: ssh problem on mac os x

You were right, our public NAT IP was blocked in the server's internal firewall.

Thank you!

 

PS: What effect does "Restart Dataplane" under Device -> Operations have?

When do I use it?

L6 Presenter

Re: ssh problem on mac os x

 

Good point actually. As it was a silent drop (no RST or reject received by PA). Dataplane @reaper should have an answer. I never use that option.
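The pattern diagnosed in this thread (application "incomplete", action "allow", end reason "aged-out", zero bytes received), as an added example that is not part of the original posts: a small triage over exported traffic-log rows that separates a silent drop beyond the firewall from a server reset or a policy deny. The CSV column names and all sample rows are constructed assumptions, not a real PAN-OS export.

```python
import csv
import io

# Constructed sample rows (not real logs). Column names are assumptions
# modelled on the fields quoted in the thread's detailed log view.
SAMPLE = """\
src,dst,dport,app,action,end_reason,bytes_sent,bytes_received,packets
10.0.0.5,203.0.113.10,999,incomplete,allow,aged-out,640,0,8
10.0.0.5,203.0.113.11,999,incomplete,allow,tcp-rst-from-server,74,60,2
10.0.0.6,203.0.113.12,22,ssh,allow,tcp-fin,5310,8841,42
10.0.0.7,203.0.113.13,999,incomplete,deny,policy-deny,74,0,1
"""

def classify(row):
    """Return a triage verdict for one traffic-log row."""
    received = int(row["bytes_received"])
    if row["action"] != "allow":
        # The firewall itself stopped the session; fix the rulebase first.
        return "blocked-by-firewall-policy"
    if row["app"] == "incomplete" and received == 0:
        if row["end_reason"] == "aged-out":
            # Packets left the firewall, nothing came back and the session
            # timed out: something past the firewall dropped them silently.
            return "silent-drop-upstream"
        return "no-reply-other"
    if row["end_reason"] == "tcp-rst-from-server":
        # The server answered, but with a reset (port closed or rejected).
        return "server-refused"
    if row["app"] == "incomplete":
        return "handshake-incomplete"
    return "established"

def triage(text):
    """Map (dst, dport) -> verdict for every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {(r["dst"], int(r["dport"])): classify(r) for r in reader}

if __name__ == "__main__":
    for target, verdict in triage(SAMPLE).items():
        print(target, verdict)
```

A "silent-drop-upstream" verdict points at a host firewall, ACL or routing problem on the far side, which matches the cause found in this thread.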

L7 Applicator

Re: ssh problem on mac os x

The dataplane is what actually processes all of your traffic. Restarting it would essentially temporarily stop traffic from being processed while the dataplane comes back up. You really only use it if you suspect that one of the processes isn't functioning correctly and need to restart it without actually restarting the box. It's quite a bit faster than restarting the whole thing as you only have to wait for 'half' the box to come back up. This graph might help.

 

Palo-Alto-FW-Architecture.png
