I’m new to Sonicwall and I’m having trouble with SSH. I’m trying to SSH from a laptop to a server while on the IPSec VPN, and I get the following error on the SSH client:
I turned on SSH management in the VPN settings thinking this might be the issue. I monitored the packets and see a SYN/ACK exchange, but then packets are dropped with this error.
Application Header
SSH
Value:[1]
DROPPED, Drop Code: 737(Packet dropped - cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2297_dbdifBeeDmfbovq) 2:2)
When I’m on the network directly, I don’t have a problem with SSH between these same two machines. I set up firewall rules to allow all traffic between VPN and LAN in both directions. Didn’t seem to help. I’m out of ideas. Any thoughts?
If you’re using the same user ID, the reset is because you can only be logged on as that user one time. You’d need to allow multiple simultaneous logins to prevent that.
Thinking out loud. Cache add cleanup isn’t an action, it’s a response to an action already made. The connection was already closed, so the Sonicwall removed its records. One idea is to search the address of the target server in the logs and see if anything shows up. Second thought is a packet capture and see if the Sonicwall is even doing it. You didn’t say what OS the server is running, does the ssh server process have allow filter rules? What subnet did you put GVPN clients on? Personally I’d lean towards a packet capture to start.
I’m not sure I follow. I’m logging in with a local user account to the VPN on the sonicwall. This gets me an IP on the LAN, which I’m trying to use to log in via SSH to a server on the LAN. The firewall shouldn’t even see the user name being sent through SSH. Am I missing something?
I’m fairly certain the Sonicwall is doing it. When I had the computers co-located on the same network, there was no problem connecting. The GVPN and the server are on the same subnet, so I am not crossing VLANs. The SSH server is on Ubuntu 22.04 LTS. I’m connecting from a Win 11 laptop.
I can’t check the server to see if there are filter rules right now because I lost access to the VPN troubleshooting. I’ll check when I get physical access next week.
I checked the server’s SSH logs and the connection is failing with the error: “fatal: Timeout before authentication for port ”
I tried doing a packet capture with the SSH server as the destination IP, and the only packets I get are the ones from the original post. I’m not seeing any SYN/ACK exchange or anything.
When you mentioned searching the address of the target server in the logs, I’m not sure how to do that. I’m new to Sonicwall, so I apologize for the ignorance here.
What user ID are you using for the VPN and what ID for logging into the GUI? If it’s the same, the firewall will know what user is authenticating to both the VPN and to the GUI.
No problem, which model Sonicwall? I want to give you steps for the right version of SonicOS. If there’s a 7 in the model number (TZ370, NSa 2700, etc.) it’ll have the version 7 interface. Also, if I have time tomorrow at the office I can try the same thing you’re doing and see what happens.
Sorry for the delay, got caught up in a migration emergency (a cable didn’t get plugged in by onsite staff, 3 hours away :-/ ). In a Gen 7 interface you’ll want Monitor in the top tab, Logs in the left sidebar, and System Logs. Just to the right of the word Filter in the right panel is the search box; enter your source or destination IP here. Change the “Show: Last 5 minutes” to cover the timeframe you need. I haven’t had a chance to try the SSH on any of my Gen 7 clients but might this weekend.
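One way to act on the advice above once the log has been exported (filter by the target server’s address and tally the drop codes so the dominant cause stands out), as an added example that is not part of this thread or of SonicWall’s own tooling. The sample lines are constructed in the shape of the drop record quoted in the original post; the `src=ip:port dst=ip:port` prefix and the second drop code are assumptions, so the regex would need adjusting to match a real export.

```python
import re
from collections import Counter

# Constructed sample in the shape of the drop record quoted in the original post.
# The "src=ip:port dst=ip:port" prefix and drop code 999 are assumptions for this example.
SAMPLE_LOG = """\
src=192.0.2.50:51234 dst=192.0.2.20:22 DROPPED, Drop Code: 737(Packet dropped - cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2297_dbdifBeeDmfbovq) 2:2)
src=192.0.2.50:51235 dst=192.0.2.20:22 DROPPED, Drop Code: 737(Packet dropped - cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2297_dbdifBeeDmfbovq) 2:2)
src=192.0.2.50:51236 dst=192.0.2.30:443 FORWARDED
src=192.0.2.60:40000 dst=192.0.2.20:22 DROPPED, Drop Code: 999(constructed placeholder drop), Module Id: 99(constructed), (Ref.Id: _0_constructed) 1:1)
"""

# Pull out the endpoints plus the "Drop Code: N(reason), Module Id: N(name)" pair.
DROP_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+).*?"
    r"DROPPED, Drop Code: (?P<code>\d+)\((?P<reason>[^)]*)\), "
    r"Module Id: (?P<module>\d+)\((?P<modname>[^)]*)\)"
)


def parse_drop(line):
    """Return the fields of one DROPPED record, or None for forwarded/other lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "code", "module"):
        rec[key] = int(rec[key])
    return rec


def drops_for_host(lines, host):
    """Keep only drop records whose destination is the server being troubleshot."""
    return [r for r in map(parse_drop, lines) if r and r["dst"] == host]


def drop_summary(lines, host):
    """Tally drops to `host` by (code, reason, module name)."""
    return Counter((r["code"], r["reason"], r["modname"]) for r in drops_for_host(lines, host))


def drops_by_client(lines, host):
    """Tally the same drops by VPN client address, to see whether one client or all are affected."""
    return Counter(r["src"] for r in drops_for_host(lines, host))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (code, reason, mod), n in drop_summary(lines, "192.0.2.20").most_common():
        print(f"{n:3d}  code {code} [{mod}]  {reason}")
    print(dict(drops_by_client(lines, "192.0.2.20")))
```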