MX100 Client VPN Now Blocking SSH

Solved
soundman353
Here to help


Hello All,

I tried to SSH into a few machines over the Client VPN today; all of them have timed out. It was working earlier this week, and there were no firewall changes between now and then. Any ideas?

Shawn

1 Accepted Solution
soundman353
Here to help

The reboot fixed the issue.


13 Replies
CptnCrnch
Kind of a big deal

I'd take a closer look at my logs and possibly start a trace for this kind of connection.

DarrenOC
Kind of a big deal

Hi @soundman353

As @CptnCrnch says, try running a packet capture on the MX100 outbound interface. Run the output through Wireshark and it should give you a good idea of what's going on.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
soundman353
Here to help

I did a Wireshark run on the Client VPN, MX LAN and the Core Switch. I see the traffic on the Client VPN capture but nowhere else. Every request is answered with a retransmit from all of the devices I am trying to SSH to.

[Attached screenshot: soundman353_0-1596199879271.png]

CptnCrnch
Kind of a big deal

Strictly speaking, your connections are getting back a Reset / RST. Sounds like there is no service listening...

Is this a trace on the client or where did you capture?
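
An added example, not part of the original thread and not Meraki tooling: the posts here turn on whether the capture shows retransmits or resets, and this Python function separates the two cases for SSH attempts in a capture exported with tshark. The function name, the tshark field selection and the sample addresses are assumptions made for the illustration.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed rows (not from the thread), in the column order of:
#   tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src \
#       -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
ROWS = [
    "0.000 192.168.128.10 50001 10.0.0.5 22 0x0002",  # SYN
    "0.001 10.0.0.5 22 192.168.128.10 50001 0x0014",  # RST, ACK
    "1.000 192.168.128.10 50002 10.0.0.6 22 0x0002",  # SYN
    "2.000 192.168.128.10 50002 10.0.0.6 22 0x0002",  # SYN retransmit
    "4.000 192.168.128.10 50002 10.0.0.6 22 0x0002",  # SYN retransmit
    "5.000 192.168.128.10 50003 10.0.0.7 22 0x0002",  # SYN
    "5.002 10.0.0.7 22 192.168.128.10 50003 0x0012",  # SYN, ACK
    "5.003 192.168.128.10 50003 10.0.0.7 22 0x0010",  # ACK
]
SAMPLE = "\n".join(row.replace(" ", "\t") for row in ROWS)


def classify_ssh_attempts(text, port=22):
    """Map (client, client_port, server) -> (verdict, syn_count) per attempt."""
    syns = defaultdict(int)   # SYNs sent per attempt; more than 1 means retransmits
    first_reply = {}          # first answer seen from the server side
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6 or not all(fields):
            continue          # skip non-TCP/IPv4 rows, which leave fields empty
        _, src, sport, dst, dport, flags = fields
        sport, dport, flags = int(sport), int(dport), int(flags, 16)
        if dport == port and flags & SYN and not flags & ACK:
            syns[(src, sport, dst)] += 1
        elif sport == port and flags & RST:
            first_reply.setdefault((dst, dport, src), "reset")
        elif sport == port and flags & SYN and flags & ACK:
            first_reply.setdefault((dst, dport, src), "handshake-ok")
    # No reply at all means the SYN or its answer was dropped silently on the path.
    return {k: (first_reply.get(k, "no-reply"), n) for k, n in syns.items()}


if __name__ == "__main__":
    for attempt, (verdict, syn_count) in classify_ssh_attempts(SAMPLE).items():
        print(attempt, verdict, f"SYNs={syn_count}")
```

Running it over captures taken at each point (Client VPN, MX LAN, core switch) shows where the SYNs stop appearing and where a reset first shows up.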

soundman353
Here to help

I can SSH to any of the endpoints from within the LAN, so there are services listening.

It was on the MX Client VPN via the Meraki dashboard.

CptnCrnch
Kind of a big deal

Anything else between client and SSH server? Your trace clearly shows that connection resets are being returned, so there has to be some device that does this. Normally some kind of firewall.

Without further knowledge about the setup, we can only guess...

soundman353
Here to help

The only firewall (other than host firewalls) is the Meraki MX100. I will power cycle the unit tonight and see if that clears everything.

soundman353
Here to help

The reboot fixed the issue.

PhilipDAth
Kind of a big deal

If a reboot fixed it - then there is a software issue on the MX.

I'd be looking at doing a firmware upgrade.

soundman353
Here to help

It is at the highest stable firmware.

PhilipDAth
Kind of a big deal

You can either be patient and wait for the next release, or try the stable release candidate ...

soundman353
Here to help

Since it's happening again, I think I will try the stable release.

soundman353
Here to help

I applied the Stable Release candidate firmware, and the problem seems to be solved.
