
Can't access auxiliary firewall web admin via SSH tunnel

Hi, 

I tried to access the auxiliary devices of several of our customers via an SSH tunnel using "ssh -D 7777 admin@firewall.customer.xyz" and then using localhost:7777 as a SOCKS proxy in Firefox. There I use the peer administration IP on port 4444 to access it. This is not possible, as it is impossible to ping the auxiliary device on the peer administration IP. The peer administration IP is within the LAN zone, and HTTP access and Ping are allowed in "Device Access".

Watching the shell output on the primary device while trying to access the web admin console via the ssh tunnel, I get the following error messages:


 

channel 3: open failed: connect failed: No route to host
channel 4: open failed: connect failed: No route to host
channel 3: open failed: connect failed: No route to host
channel 4: open failed: connect failed: No route to host


When I try to access the auxiliary device from a computer within the LAN of the customer, I don't experience any problems. Due to that I assume that the routing is broken when the connection is tunneled with SSH.

Setting a static route doesn't work either.

Is there anybody who can explain this behavior and give me a solution to the problem?

Thanks in advance

Richard



This thread was automatically locked due to age.
  • You can't access the Firewall Aux from the Primary on a loopback interface base. This will mix up the Linux on Aux.
    Therefore use the Primary SSH and access the HA Link directly instead.
    Webadmin is not reachable with this link (what would be the use case to access Aux webadmin?) https://support.sophos.com/support/s/article/KB-000035558?language=en_US


  • Thanks for your answer. I tried to access the auxiliary device to check whether an SSD firmware update is required, as stated in the knowledge base article. (You can do it via CLI, too, I know.) But as we needed to access the web console of the Aux sometimes, I want to get this fixed.

    I'm coming from remote, so I wouldn't call that a "loopback interface base". Trying to access the HA Link via the tunnel isn't possible either, even though HTTP access for the DMZ zone is allowed.

  • The problem is: You come from MAC addresses which are on the Aux as well. It confuses the Aux appliance. Aux holds all MAC and IP addresses like Primary. Therefore the throughput to Aux on Primary is problematic.

  • Hmm, I understand what you say, but I'm wondering why the Aux is then accessible from the LAN on the peer administration IP. If it's correct what you're saying, the interface that holds the peer administration IP would have the same MAC address as the same interface on the Primary. 

    So, within the LAN it would be luck whether you reach the interface holding the peer administration IP on the Aux or the internal LAN interface of the Primary, and vice versa. If that were the case, the peer administration settings in the HA configuration wouldn't make any sense at all, or do I understand something wrong?

  • I checked the MAC addresses of the primary and the auxiliary device with ifconfig, they differ in all cases.