Meraki

Community

MX100 Client VPN Now Blocking SSH

Solved
soundman353
Here to help
‎Jul 30 2020 12:11 PM
‎Jul 30 2020 12:11 PM

MX100 Client VPN Now Blocking SSH

Hello All,

I tried to SSH into a few machines over the Client VPN today, all of them have timed-out. It was working earlier this week and no firewall changes between now and then. Any ideas?

Shawn

0 Kudos
1 Accepted Solution
In response to soundman353
soundman353
Here to help
‎Jul 31 2020 7:58 PM
‎Jul 31 2020 7:58 PM

The reboot fixed the issue.

View solution in original post

13 Replies 13
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 31 2020 12:07 AM
‎Jul 31 2020 12:07 AM

I'd take a closer look at my logs and possibly start a Trace for these kind of connections.

DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 31 2020 12:12 AM
‎Jul 31 2020 12:12 AM

Hi @soundman353 

 

@As @CptnCrnch says try running a packet capture on the MX100 outbound interface. Run the output through Wireshark and it should give you a good idea of what’s going on.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
soundman353
Here to help
‎Jul 31 2020 5:52 AM
‎Jul 31 2020 5:52 AM

I did Wireshark run on the Client VPN, MX LAN and the Core Switch. I see the traffic on the Client VPN capture but no where else. Every request is answered with a retransmit from the all of the devices I am trying to SSH.

soundman353_0-1596199879271.png

 

0 Kudos
In response to soundman353
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 31 2020 6:50 AM
‎Jul 31 2020 6:50 AM

Strictly speaking, you connections are getting back a Reset / RST. Sounds like there is no service listening...

 

Is this a trace on the client or where did you capture?

0 Kudos
In response to CptnCrnch
soundman353
Here to help
‎Jul 31 2020 7:18 AM
‎Jul 31 2020 7:18 AM

I can SSH to the any of the end points from within the LAN, so there is services listening.

 

It was the on the MX Client VPN via the Meraki dashboard.

0 Kudos
In response to soundman353
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jul 31 2020 7:39 AM
‎Jul 31 2020 7:39 AM

Anything else between clientband SSH server? Your trace clearly shows that connection resets are being returned, so there has to be some device that does this. Normally some kind of firewall.

 

Without further knowledge about the setup, we can only guess...

0 Kudos
In response to CptnCrnch
soundman353
Here to help
‎Jul 31 2020 7:45 AM
‎Jul 31 2020 7:45 AM

The only firewall (other than hosts firewalls) is the Meraki MX100. I will power cycle the unit tonight and see if that clears everything.

0 Kudos
In response to soundman353
soundman353
Here to help
‎Jul 31 2020 7:58 PM
‎Jul 31 2020 7:58 PM

The reboot fixed the issue.

In response to soundman353
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 1 2020 4:41 PM
‎Aug 1 2020 4:41 PM

If a reboot fixed it - then there is a software issue on the MX.

 

I'd be looking at doing a firmware upgrade.

0 Kudos
In response to PhilipDAth
soundman353
Here to help
‎Aug 1 2020 4:42 PM
‎Aug 1 2020 4:42 PM

It is at the highest stable firmware.

0 Kudos
In response to soundman353
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 1 2020 4:48 PM
‎Aug 1 2020 4:48 PM

You can either be patient and wait for the next release, or try the stable release candidate ...

0 Kudos
In response to PhilipDAth
soundman353
Here to help
‎Aug 4 2020 7:51 AM
‎Aug 4 2020 7:51 AM

Since it's happening again, I think I will try the stable release.

0 Kudos
In response to soundman353
soundman353
Here to help
‎Aug 17 2020 1:40 PM
‎Aug 17 2020 1:40 PM

I applied the Stable Release candidate firmware, and the problem seems to be solve.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.