SSH error when on VPN

I’m new to Sonicwall and I’m having trouble with SSH. I’m trying to ssh from a laptop to a server when on the IPSec VPN and I get the following error on the SSH client:

kex_exchange_identification: read: Connection reset

I turned on SSH management on the VPN settings thinking this might be the issue. I monitored the packets and see a SYN/ACK exchange, but then packets are dropped with this error:

Application Header
SSH
Value:[1]
DROPPED, Drop Code: 737(Packet dropped - cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2297_dbdifBeeDmfbovq) 2:2)

When I’m on the network directly, I don’t have a problem with SSH between these same two machines. I set up firewall rules to allow all traffic between VPN and LAN in both directions. Didn’t seem to help. I’m out of ideas. Any thoughts?

If you’re using the same user ID, the reset is because you can only be logged on as that user one time. You’d need to allow multiple simultaneous logins to prevent that.

Might the firewall be doing SSH DPI? Thus presenting the Sonicwall cert/key?

Just curious. Can you see the port open when you use something like nmap on the VPN to the device in question?

Do you have an SSH IP/subnet access rule on the SSH server? Please check the SSH config file and the firewall rule on the SSH server.

Thinking out loud. Cache add cleanup isn’t an action, it’s a response to an action already made. The connection was already closed, so the Sonicwall removed its records. One idea is to search the address of the target server in the logs and see if anything shows up. Second thought is a packet capture and see if the Sonicwall is even doing it. You didn’t say what OS the server is running, does the ssh server process have allow filter rules? What subnet did you put GVPN clients on? Personally I’d lean towards a packet capture to start.

I’m not sure I follow. I’m logging in with a local user account to the VPN on the sonicwall. This gets me an IP on the LAN, which I’m trying to use to log in via SSH to a server on the LAN. The firewall shouldn’t even see the user name being sent through SSH. Am I missing something?

No, DPI is turned off.

I’ve lost access to the VPN trying to troubleshoot this (oops), but I’ll check this when I get physical access to the SSH box next week.

Checked and there is no firewall rule. Thanks for the idea.

I’m fairly certain the Sonicwall is doing it. When I had the computers co-located on the same network, there was no problem connecting. The GVPN and the server are on the same subnet, so I am not crossing VLANs. The SSH server is on Ubuntu 22.04 LTS. I’m connecting from a Win 11 laptop.

I can’t check the server to see if there are filter rules right now because I lost access to the VPN troubleshooting. I’ll check when I get physical access next week.

I checked the server’s SSH logs and the connection is failing with the error: “fatal: Timeout before authentication for port

I tried doing a packet capture with the SSH server as the destination IP and the only packets I get are the ones from the original post. I’m not seeing any SYN/ACK exchange or anything.

When you mentioned searching the address of the target server in the logs, I’m not sure how to do that. I’m new to Sonicwall, so I apologize for the ignorance here.
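One way to tell the two symptoms in this thread apart from the client side (a TCP reset before any banner, as in "kex_exchange_identification: read: Connection reset", versus a server that accepts but never sends its identification string, as in "Timeout before authentication") is to read the SSH identification line directly. This is an added diagnostic example, not code from any poster or from SonicWall; fake_sshd and its banner string are constructed stand-ins so it runs offline against the loopback interface, and the real use is probe_ssh_banner(<server IP>, 22) from the VPN client.

```python
import socket
import struct
import threading
import time

def probe_ssh_banner(host, port=22, timeout=5.0):
    """Return (status, detail) after trying to read sshd's identification string.
    banner  - "SSH-..." line received, sshd reachable end to end
    reset   - TCP RST before any banner: the thread's client-side symptom
              (kex_exchange_identification: read: Connection reset)
    closed  - peer sent FIN without a banner
    timeout - connected but no banner within `timeout` seconds
    refused - nothing accepted the connection"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while b"\n" not in data and len(data) < 255:
                chunk = s.recv(255 - len(data))
                if not chunk:
                    return ("closed", "peer closed without a banner")
                data += chunk
    except ConnectionRefusedError:
        return ("refused", "connection refused")
    except ConnectionResetError:
        return ("reset", "connection reset by peer before a banner")
    except socket.timeout:
        return ("timeout", "no identification string within %.1fs" % timeout)
    line = data.split(b"\n")[0].rstrip(b"\r").decode("ascii", "replace")
    return ("banner" if line.startswith("SSH-") else "closed", line)

def fake_sshd(behaviour, banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"):
    """Constructed loopback stand-in for sshd so the probe can be exercised offline.
    behaviour: "banner" sends an identification string, "reset" aborts the session
    with a TCP RST, "silent" accepts and sends nothing (like a server that logs
    'Timeout before authentication'). Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(banner)
        elif behaviour == "reset":  # linger 0 makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        elif behaviour == "silent":
            time.sleep(3)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A "reset" result with a packet capture on the server showing no matching traffic points at a device between the client and sshd; a "timeout" result means the TCP session reached something that accepted it but never spoke SSH.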

What user ID are you using for the VPN and what ID for logging into the GUI? If it’s the same, the firewall will know what user is authenticating to both the VPN and to the GUI.

No problem, which model Sonicwall? I want to give you steps for the right version of SonicOS. If there’s a 7 in the model number (TZ370, NSa 2700 etc) it’ll have the version 7 interface. Also if I have time tomorrow at the office I can try the same thing you’re doing and see what happens.

The VPN and GUI are the same. The GUI doesn’t give me an option for a different ID. The ID is greyed out and I have to use the same username.

TZ270 is the model, with version 7. Thanks for the help.

Sorry for the delay, got caught up in a migration emergency (a cable didn’t get plugged in by onsite staff, 3 hours away :-/ ). In a Gen 7 interface you’ll want Monitor in the top tab, Logs in the left sidebar, and System Logs. Just to the right of the word Filter in the right panel is the search box; enter your source or destination IP here. Change the “Show: Last 5 minutes” to cover the timeframe you need. I haven’t had a chance to try the SSH on any of my Gen 7 clients but might this weekend.