Solved: accessing back-end servers via ssh

axfalk · ‎04-11-2011

We're running a redundant pair of ACE SM's in bridge mode and were requested by the customer to access the back-end servers via ssh. We currently allow only IP and ICMP in our access-list that we apply to the client side and server side interfaces. Can we just add SSH to the access-list or do we need to add TCP port 22?

thanks..

Greg

yushimaz · ‎04-12-2011

Can you ping from client to server?

If you can, please get 'show conn' as below when you access with icmp and ssh.

And also please let me know the configuration of client vlan and bvi interface on ACE?

## icmp

ACE4710a-yushimaz/c2(config-if)# do sh conn

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

2293 1 in ICMP 781 192.168.82.162:57925 192.168.82.161:2048 --

2496 1 out ICMP 782 192.168.82.161:57925 192.168.82.162:0 --

total active connections : 2

## ssh

ACE4710a-yushimaz/c2(config-if)# do sh conn

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

2548 1 in TCP 781 192.168.82.162:52187 192.168.82.161:22 ESTAB

2567 1 out TCP 782 192.168.82.161:22 192.168.82.162:52187 ESTAB

total active connections : 2

Regards,

Yuji

View solution in original post

yushimaz · ‎04-11-2011

If permit ip is configured as below and apply to both client and server,

you don't have to configure access-list for ssh.

access-list all line 8 extended permit ip any any

I confirmed the behavior with the following basic setup of bridge mode.

client --[vlan781] -- ACE4710 -- [vlan782] -- server

client: 192.168.82.161

server: 192.168.82.162

ACE4710a-yushimaz/c2# sh run

Generating configuration....

access-list all line 8 extended permit ip any any

access-group input all

interface vlan 781

bridge-group 1

no shutdown

interface vlan 782

bridge-group 1

no shutdown

interface bvi 1

ip address 192.168.82.160 255.255.255.0

no shutdown

## ssh from client to server

client:~# ssh -l root 192.168.82.161

root@192.168.82.161's password:

Linux avs3120b 2.6.26-2-686 #1 SMP Thu Nov 25 01:53:57 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Mon Apr 11 15:54:06 2011 from 192.168.82.162

server:~#

If you don't permit ip address for ssh client in 'permit ip' configuration, you have

to configure acl for ssh. You can use 'ssh' and '22' as below but port#22 will be

translated to ssh on show run.

ACE4710a-yushimaz/c2(config)# access-list ssh extended permit tcp any any eq ssh

ACE4710a-yushimaz/c2(config)# access-list ssh2 extended permit tcp any any eq 22

ACE4710a-yushimaz/c2(config)# do sh run | i ssh

Generating configuration....

access-list ssh line 8 extended permit tcp any any eq ssh

access-list ssh2 line 8 extended permit tcp any any eq ssh

ACE4710a-yushimaz/c2(config)#

Regards,

Yuji

axfalk · ‎04-12-2011

Thanks very much for your detail response. I have the following in my config:

access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any

interface vlan 111
description server vlan
bridge-group 1
mac-sticky enable
no icmp-guard
access-group input bpdu
access-group input any
access-group output any
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown

however, I still can't access the servers via SSH.....I can do it from the ACE, but not from the upstream switch...Can you think of anything else that jumps at you?

Thanks agan..

_Greg

yushimaz · ‎04-12-2011

Can you ping from client to server?

If you can, please get 'show conn' as below when you access with icmp and ssh.

And also please let me know the configuration of client vlan and bvi interface on ACE?

## icmp

ACE4710a-yushimaz/c2(config-if)# do sh conn

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

2293 1 in ICMP 781 192.168.82.162:57925 192.168.82.161:2048 --

2496 1 out ICMP 782 192.168.82.161:57925 192.168.82.162:0 --

total active connections : 2

## ssh

ACE4710a-yushimaz/c2(config-if)# do sh conn

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

2548 1 in TCP 781 192.168.82.162:52187 192.168.82.161:22 ESTAB

2567 1 out TCP 782 192.168.82.161:22 192.168.82.162:52187 ESTAB

total active connections : 2

Regards,

Yuji

axfalk · ‎04-12-2011

Thanks for your response. I just noticed I can SSH into some servers from the switch, but not to others. Yet, I can SSH into all of them from the ACE. This is my client side int and the bvi:

interface vlan 222
description vip vlan
bridge-group 1
mac-sticky enable
no icmp-guard
access-group input bpdu
access-group input any
access-group output any
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input V222-VIPS
no shutdown

interface bvi 1
ip address 192.168.92.197 255.255.255.192
alias 192.168.92.196 255.255.255.192
peer ip address 192.168.92.198 255.255.255.192
no shutdown

thanks again...

yushimaz · ‎04-12-2011

Does 'policy-map V222-VIPS' loadbalance ssh requests?

If your client uses both direct access to server and vip addcess,

some request may be dropped due to 'redundant connection' by

ocm.

(Since I don't have full configuration and don't know the detail of

connection table, I'm not sure. So, the following is just my guess.

I need 'show tech' to investigate more detail.)

client(192.168.92.201) -- ACE(vip:192.168.92.200) -- server(192.168.92.202)

If ip addresses are configured as above, ACE establishes connections as below.

(This time, source port uses 10000.)

# vip access

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

111111 1 in TCP 111 192.168.92.201:10000 192.168.92.100:22 ESTAB

111112 1 out TCP 222 192.168.92.202:22 192.168.92.201:10000 ESTAB

# direct access

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

111113 1 in TCP 111 192.168.92.201:10000 192.168.92.202:22 ESTAB

111114 1 out TCP 222 192.168.92.202:22 192.168.92.201:10000 ESTAB

Conn-id 111112 and 111114 are same.

If conn-id 111112 is existing, ACE cannot create conn-id 111114.

Then below counter will be incremented.

ACE/Admin# show np 1 me-stats -socm | i redundant

Drop [redundant connection]: 1 0

It apts to occur http request since many connections are established.

Hoever, I've never heard other protocol. So, my gues may be wrong.

Anyway, to trobleshoot more detail, I want show tech.

Regards,

Yuji

axfalk · ‎04-13-2011

Thanks again. If users are accessing the servers directly from the switch, will they have to traverse the ACE to bridge the server side and the client side vlans, or the ACE will be bypassed and the switch will bridge the vlans?

Thanks..

_Greg...

yushimaz · ‎04-14-2011

ACE will bridge the request and create the connection entry for this request.

Regards,

Yuji