
ssh_exchange_identification: read: Connection reset by peer

Hi all:

I am trying to troubleshoot an SSH connection issue across the UTM.

I have a device on the External network to my UTM which I can SSH to if I am on the external network.

IF I try to SSH to it from an internal network, I get the following error:

ssh_exchange_identification: read: Connection reset by peer.

I do not see anything regarding Port 22 in my FW logs. My first user rule is to allow SSH to this device and log it.

[I wonder if it might be the IPS - it was functional at one time, but the config was disabled when my license renewed. I can still 'see' the config, though.]

Where is the best place to look to find better info on allowing this traffic?

--david

  • Hi David and welcome to the UTM Community!

    You've already started on #1 in Rulz (last updated 2019-04-17), but you should still look at the Intrusion Prevention log - anything interesting there?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Only one file in the IPS logs since last June. It was March 9th, a 78K gz file that uncompresses to a zero-byte file.

    All other log files in IPS show as zero bytes.

    I'll add that I am not convinced that is 100% correct, I had a license that had greater functionality, and when I renewed it the new license file only permits certain functions. IPS is disabled in the config screen with a warning message, but I still see my edited IDS rules behind it.

    Also - further checking: nothing on the external host in hosts.deny or hosts.allow. I thought that perhaps my IP was OK, but if NATed behind the UTM, maybe the UTM had been denied.

    I did a verbose connection and it talks IP between the two, but when the SSH agreement should occur, it drops the connection.

    Where else would you suggest I look for evidence? (And TIA - I downloaded a copy of the Rulz to follow.)

    Thank you Bob.

  • This sounds like a DNS or routing issue, David.  Is your internal client's IP masqueraded to the external device?  Do you have split DNS?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, and thank you.

    I am connecting via IP, so I think DNS is not an issue. I have been poring through the logs and can't find anything more than an accept on Port 22.

    2019:04:26-13:21:19 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="8" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" srcport="53670" dstport="22" tcpflags="SYN" 
    2019:04:26-13:23:28 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="10" initf="eth1" outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" dstip="192.168.250.4" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0" 
    13:43:43 Packet filter rule #8 TCP  
    172.16.0.71 : 58323
    192.168.250.4 : 22
     
    [SYN] len=64 ttl=63 tos=0x00 srcmac=xx:xx:xx:xx:bc:a0 dstmac=xx:xx:xx:xx:3b:31
     
    A packet capture from the internal interface shows traffic back and forth between the subnets. But at the point where I would enter authentication and pass my client-cert-signed packets, it seems my local client sends an RST. Here is the interesting bit: the UTM sends the second response from the far-side gateway IP address. Then my client sends the RST.
     

    One more interesting item - I can connect to the webserver on this device from the internal net, however only some of the static parts of the webpage appear. They appear fine when on the external (WAN) interface. Here is the screen cap - all the white space normally has a table under the columns and a map on the left.

    I added a static route to the external network, though I can't see that it is needed, nor did it make a difference. I can't see that I need a NAT or masquerade (and I have no masquerade rules, but maybe that is an issue?).

    Cheers,

    --david
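The two diagnostics David describes in the post above (reading the UTM packetfilter log for port-22 accepts, and noticing in the capture that the SYN-ACK comes back from a different address than the SYN was sent to, after which the client sends an RST) can be checked mechanically. The helpers below are an added example written for this thread, not code from Sophos or from the original poster. The two log lines are the ones quoted in the post; the capture records are constructed to model the described symptom, and the far-side gateway address 192.168.250.1 used in them is an assumed value, not one the thread gives.

```python
import re

# The two packetfilter lines quoted in the post above, used as sample input for the parser.
ULOGD_LINES = [
    '2019:04:26-13:21:19 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="8" initf="eth1" '
    'outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" '
    'dstip="192.168.250.4" proto="6" length="64" tos="0x00" prec="0x00" ttl="63" '
    'srcport="53670" dstport="22" tcpflags="SYN"',
    '2019:04:26-13:23:28 utmgw ulogd[4722]: id="2002" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet accepted" action="accept" fwrule="10" initf="eth1" '
    'outitf="eth0" srcmac="6c:40:08:b7:bc:a0" dstmac="00:26:55:d2:3b:31" srcip="172.16.0.71" '
    'dstip="192.168.250.4" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" '
    'type="8" code="0"',
]

# Syslog-style prefix: "<timestamp> <host> <process>[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Split one UTM packetfilter log line into a dict of its prefix and key="value" fields.

    Returns None for lines that do not carry the expected prefix, so callers can skip noise.
    """
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2), "process": m.group(3), "pid": int(m.group(4))}
    rec.update(KV_RE.findall(line[m.end():]))  # quoted values keep spaces ("Packet accepted")
    return rec


def tcp_events(records, dstport=None):
    """Keep only TCP records (proto 6), optionally restricted to one destination port."""
    out = []
    for r in records:
        if r is None or r.get("proto") != "6":
            continue
        if dstport is not None and r.get("dstport") != str(dstport):
            continue
        out.append(r)
    return out


# Constructed capture records modelling the symptom in the post: the SYN goes to
# 192.168.250.4, but the SYN-ACK arrives from 192.168.250.1 (assumed far-side gateway
# address), and the client answers that unexpected peer with an RST.
CAPTURE = [
    {"src": "172.16.0.71", "sport": 58323, "dst": "192.168.250.4", "dport": 22, "flags": "S"},
    {"src": "192.168.250.1", "sport": 22, "dst": "172.16.0.71", "dport": 58323, "flags": "SA"},
    {"src": "172.16.0.71", "sport": 58323, "dst": "192.168.250.1", "dport": 22, "flags": "R"},
]


def find_mismatched_replies(packets):
    """Return (syn, reply) pairs where a SYN-ACK's source is not the address the SYN went to.

    A client that sent SYN to A and receives SYN-ACK from B has no socket for B and replies
    with RST, which is exactly what the capture in the thread shows.  That pattern points
    at NAT or asymmetric routing rewriting the reply's source, not at the firewall rule.
    """
    pending = {}      # (client ip, client port, server port) -> outbound SYN
    mismatches = []
    for p in packets:
        if p["flags"] == "S":
            pending[(p["src"], p["sport"], p["dport"])] = p
        elif p["flags"] == "SA":
            syn = pending.get((p["dst"], p["dport"], p["sport"]))
            if syn is not None and syn["dst"] != p["src"]:
                mismatches.append((syn, p))
    return mismatches


if __name__ == "__main__":
    for rec in tcp_events([parse_ulogd_line(l) for l in ULOGD_LINES], dstport=22):
        print(rec["timestamp"], "rule", rec["fwrule"], rec["srcip"], "->", rec["dstip"], rec["tcpflags"])
    for syn, reply in find_mismatched_replies(CAPTURE):
        print("SYN sent to", syn["dst"], "but SYN-ACK came from", reply["src"])
```

The log check confirms what the post already says (rule 8 accepted the SYN, and the ICMP echo on rule 10 is not TCP at all), so the useful signal is the second check: once a reply's source address differs from the SYN's destination, the next place to look is the UTM's NAT and routing configuration for that path rather than the packet filter.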

  • And you may laugh at me: as I hit send, the web browser refreshed and returned a "Connection Reset" in Chrome; then I clicked reload and this popped up:

     

    That is the way it should look, without the AJAX error.

    I am heading back to try to find more info.