This discussion has been locked.

Unable to ssh to slave node

I have two UTM VMs running as a high-availability pair.  I need to check something on the slave/standby node, so I'm attempting to SSH to it by means of the ha_utils ssh command from the master/active node.  I'm SSH'd in to the master as root using an ssh key, but when I try to connect to the slave I get Permission Denied.

<M> astaro:/root # ha_daemon -c status
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes -----------------------------------------------------------------------
MASTER: 1 esxi3 198.19.250.1 9.705003 ACTIVE since Mon May 10 10:26:56 2021
SLAVE: 2 esxi55 198.19.250.2 9.705003 ACTIVE since Mon May 10 10:31:57 2021
-- Load ------------------------------------------------------------------------
Node  1: [1m] 0.00  [5m] 0.01  [15m] 0.05
Node  2: [1m] 0.01  [5m] 0.02  [15m] 0.05
<M> astaro:/root # ha_utils ssh

Connecting to slave 198.19.250.2
loginuser@198.19.250.2's password:
Permission denied, please try again.
loginuser@198.19.250.2's password:

<M> astaro:/root #

I know I'm using the correct password for loginuser - I've even changed it via the web UI to be sure I wasn't misremembering, but to no avail.

Any thoughts or suggestions welcomed.  Thanks!



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    If 'Block Password Guessing' is enabled under Definitions & Users > Authentication Services > Advanced, then the slave node might have temporarily blocked access from the master node's IP address due to failed login attempts.

    Could you please try again and share your observation?

  • Hi Yash, and thanks for responding.  Yes, I have blocking enabled, but I also have my workstation added to the "Never block networks:" list, so I doubt that is the problem.  I get the same result regardless of which node is currently active, by the way:

    <M> astaro:/root # ha_utils status
    - Status -----------------------------------------------------------------------
    Current mode: HA MASTER with id 2 in state ACTIVE
    -- Nodes -----------------------------------------------------------------------
    MASTER: 2 esxi55 198.19.250.2 9.705003 ACTIVE since Tue May 11 00:51:50 2021
    SLAVE: 1 esxi3 198.19.250.1 9.705003 ACTIVE since Tue May 11 00:56:50 2021
    -- Load ------------------------------------------------------------------------
    Node  2: [1m] 0.15  [5m] 0.07  [15m] 0.06
    Node  1: [1m] 0.00  [5m] 0.02  [15m] 0.05
    
    - Kernel -----------------------------------------------------------------------
    Current mode: enabled master
    interface: eth3
    Local ID: 198.19.250.2
    debug: off
    verbose: off
    ppp sync: off
    port smtp: 25
    port pop3: 8110
    port ftp: 2121
    
    - IPSec ------------------------------------------------------------------------
    000 HA System active on eth3/224.0.0.82. Current mode is Master. Seqdiff in: 256 Seqdiff out: 4096
    
    - PostgreSQL ------------------------------------------------------------------------
     primary | standby |     lag      |  bytelag
    ---------+---------+--------------+----------
           2 |       1 | 00:00:00.993 |        0
    <M> astaro:/root # ha_utils ssh
    
    Connecting to slave 198.19.250.1
    loginuser@198.19.250.1's password:
    Permission denied, please try again.
    loginuser@198.19.250.1's password:
    

  • Hi.

    One thing: I doubt that putting your workstation on the "Never block networks" list would help. You could put in the network of the HA connection, because with ha_utils your connection should normally occur using the HA port, as far as I know.

    You could give this a try.

    But be careful: as the HA IP is a public IP, you should not use this generally.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.