Hi all:
I am trying to troubleshoot an SSH connection issue across the UTM.
I have a device on the External network to my UTM which I can SSH to if I am on the external network.
If I try to SSH to it from an internal network, I get the following error:
ssh_exchange_identification: read: Connection reset by peer.
I do not see anything regarding Port 22 in my FW logs. My first user rule is to allow SSH and log it, to this device.
[I wonder if it might be the IPS - it was functional at one time, but the config has been disabled since my license renewed, but I still can 'see' the config]
Where is the best place to look to find better info on allowing this traffic?
--david
Hi David and welcome to the UTM Community!
You've already started on #1 in Rulz (last updated 2019-04-17), but you should still look at the Intrusion Prevention log - anything interesting there?
Cheers - Bob
Only one file in IPS logs since last June. It was March 9th. 78K gz file and uncompresses to a zero byte file.
All other logs files in IPS show as zero bytes.
I'll add that I am not convinced that is 100% correct, I had a license that had greater functionality, and when I renewed it the new license file only permits certain functions. IPS is disabled in the config screen with a warning message, but I still see my edited IDS rules behind it.
Also - further checking: nothing in the external host in hosts.deny or hosts.allow. Thought that perhaps my IP was OK but if NATed behind the UTM, maybe the UTM had been denied.
I did a verbose connection and it talks IP between the two, but when the ssh agreement should occur, it drops the connection.
Where else would you suggest I look for evidence? (And TIA - I downloaded a copy of the RULZ to follow.)
Thank you Bob.
This sounds like a DNS or routing issue, David. Is your internal client's IP masqueraded to the external device? Do you have split DNS?
Cheers - Bob
Hi Bob, and thank you.
I am connecting via IP - so I think DNS is not an issue. I have been poring through the logs, and can't find anything more than an accept on Port 22.
2019:04:26-13:21:19 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="8" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="53670" dstport="22" tcpflags="SYN"
2019:04:26-13:23:28 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="10" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0"
Live log entry: 13:43:43 | Packet filter rule #8 | TCP
One more interesting item - I can connect to the webserver on this device from the internal net, however only some of the static parts of the webpage appear. They appear fine when on the external (WAN) interface. Here is the screen cap- all the white space normally has a table under the columns and a map on the left.
I added a (static) route to the external network, though I can't see that it is needed, nor did it make a difference. I can't see that I need a NAT or masquerade (and I have no masquerade rules, but maybe that is an issue?).
Cheers,
--david
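As an added example (not from the thread or from Sophos), a small Python parser for the UTM packetfilter log lines quoted above: it splits each ulogd line into its key="value" fields and picks out accepted SSH (TCP/22) records with their rule number and TCP flags. Run over the two quoted lines it confirms that rule 8 accepted the SYN, so the "Connection reset" happens after the firewall's accept decision and has to be looked for further along the path (routing, NAT or the target host), which is the direction of Bob's questions. The sample input is the two log lines from the post, embedded as a constructed string.

```python
import re

# Constructed sample: the two packetfilter lines quoted in the post above.
SAMPLE_LOG = """\
2019:04:26-13:21:19 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="8" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="53670" dstport="22" tcpflags="SYN"
2019:04:26-13:23:28 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="10" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0"
"""

# "<timestamp> <host> <process>: key="value" key="value" ..."
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ulog_line(line):
    """Turn one ulogd packetfilter line into a dict; None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec

def ssh_flows(text):
    """Return the accepted TCP/22 records with the fields useful for tracing them."""
    keep = ("ts", "fwrule", "initf", "outitf", "srcip", "srcport", "dstip", "tcpflags")
    out = []
    for line in text.splitlines():
        rec = parse_ulog_line(line)
        if rec and rec.get("action") == "accept" and rec.get("proto") == "6" \
                and rec.get("dstport") == "22":
            out.append({k: rec.get(k) for k in keep})
    return out

def only_syn_seen(flows):
    """True when every logged SSH packet is the bare SYN that opened the connection:
    the rule let the handshake start, so the reset did not come from this rule."""
    return bool(flows) and all(f["tcpflags"] == "SYN" for f in flows)

if __name__ == "__main__":
    flows = ssh_flows(SAMPLE_LOG)
    for f in flows:
        print(f)
    print("only SYN accepted, look past the packet filter:", only_syn_seen(flows))
```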
And you may laugh at me, as I hit send, the web browser refreshed, and returned a "Connection Reset" in Chrome, then I clicked reload and this popped up:
That is the way it should look, without the AJAX error.
I am heading back to try to find more info.