12-22-2023 12:16 AM - edited 12-22-2023 12:20 AM
My coworker and I have been working on this problem all day. We have a Firepower that is our internet connection and is connected to two internal switches, a Cisco 2960LSM and a Juniper 4200. There is a Juniper SRX345 firewall connected to the Juniper switch with a VPN. The Firepower is acting as DHCP server. If I plug into the Cisco switch, I cannot SSH to my VPN, but I can ping and traceroute; both seem normal/good. If I plug into the Juniper, I can. If I add a static route on my desktop to go directly to the Juniper instead of my default route (which is the Cisco Firepower), I can SSH. The Firepower seems to certainly be where the packet is dropped. I did some packet captures, and it seems like once my side sends the SYN with a sequence number, the packets coming back are not using the proper sequence number. If I set the Juniper to not care about sequence numbers, I still can't connect. The packets show my desktop side sending a reset every time because it's not seeing the SYN-ACK from the SSH server, which eventually times out. We ran packet-tracer and nothing is blocking SSH. It might be worth noting I have another VPN directly into the Firepower that works fine. I'm hoping someone has experienced this and knows where to look.
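As an added diagnostic (not part of the thread or of any vendor tool), the stdlib-only Python below checks the one thing the capture described above points at: whether the acknowledgement number in the SYN-ACK equals the client's initial sequence number plus one, as RFC 793 requires. One mechanism that produces exactly this signature is a stateful firewall in the forward path that randomizes TCP initial sequence numbers: it rewrites the ISN in the outgoing SYN, and if the SYN-ACK comes back by a path that bypasses that firewall, the client receives an acknowledgement for an ISN it never sent and answers with RST. The script reports the offset between the seen and expected acknowledgement, which is the amount the SYN's ISN was shifted by. All addresses, ports and sequence numbers are constructed for the illustration; no real capture is read.

```python
"""Check TCP three-way-handshake consistency for one client in a capture.

Added example; the capture data below is constructed, not taken from the thread.
Segments are modelled as plain tuples so the check runs without scapy or pcap files.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport flags seq ack")

CLIENT = "192.0.2.50"        # the desktop (constructed RFC 5737 address)
SSH_SERVER = "198.51.100.7"  # the host behind the VPN (constructed)
MASK32 = 0xFFFFFFFF          # TCP sequence space wraps at 2**32

# Constructed capture for the broken path: the client sends ISN 1000, but the
# SYN-ACK acknowledges 2_000_001_001, i.e. (1000 + 2_000_000_000) + 1. That is
# what a rewritten SYN followed by a reply that bypassed the rewriter looks like;
# the client cannot match the ack to anything it sent and resets.
BROKEN = [
    Segment(CLIENT, 51234, SSH_SERVER, 22, "S", 1000, 0),
    Segment(SSH_SERVER, 22, CLIENT, 51234, "SA", 500000, 2_000_001_001),
    Segment(CLIENT, 51234, SSH_SERVER, 22, "R", 2_000_001_001, 0),
]

# Constructed capture for the working path: same flow, ack == ISN + 1, handshake completes.
WORKING = [
    Segment(CLIENT, 51235, SSH_SERVER, 22, "S", 1000, 0),
    Segment(SSH_SERVER, 22, CLIENT, 51235, "SA", 500000, 1001),
    Segment(CLIENT, 51235, SSH_SERVER, 22, "A", 1001, 500001),
]


def _is_reply_to(syn, pkt):
    """True when pkt travels the reverse 4-tuple of the given SYN."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (syn.dst, syn.dport, syn.src, syn.sport)


def analyse_handshake(capture, client, server_port=22):
    """Return one finding dict per client SYN towards server_port.

    Each finding records the client ISN, the acknowledgement the server should
    have sent (ISN + 1 mod 2**32), the acknowledgement actually seen, the offset
    between them, whether the client later sent RST, and a plain-text verdict.
    """
    findings = []
    syns = [p for p in capture if p.src == client and p.dport == server_port and p.flags == "S"]
    for syn in syns:
        syn_ack = next((p for p in capture if _is_reply_to(syn, p) and p.flags == "SA"), None)
        client_reset = any(p.src == client and p.sport == syn.sport and "R" in p.flags for p in capture)
        expected = (syn.seq + 1) & MASK32
        finding = {
            "sport": syn.sport,
            "client_isn": syn.seq,
            "expected_ack": expected,
            "client_reset": client_reset,
        }
        if syn_ack is None:
            finding.update(seen_ack=None, isn_offset=None, consistent=False,
                           verdict="no SYN-ACK in capture: reply never reached the client or was filtered")
        else:
            offset = (syn_ack.ack - expected) & MASK32
            finding.update(seen_ack=syn_ack.ack, isn_offset=offset, consistent=(offset == 0))
            if offset == 0:
                finding["verdict"] = "handshake consistent"
            else:
                finding["verdict"] = (
                    f"SYN-ACK acknowledges {syn_ack.ack}, expected {expected} (offset {offset}): "
                    "the server answered a SYN carrying a different ISN, so the SYN was rewritten "
                    "on the forward path and the reply did not come back through the rewriter"
                )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, cap in (("via Cisco switch (constructed)", BROKEN), ("via Juniper switch (constructed)", WORKING)):
        for f in analyse_handshake(cap, CLIENT):
            print(f"{label}: port {f['sport']}: {f['verdict']}; client RST seen: {f['client_reset']}")
```

Run it against a capture taken on the desktop itself (where the client's own SYN is unmodified); a capture taken on the server side would show the rewritten ISN on the SYN and a consistent handshake, which is itself a useful comparison: if the two captures disagree on the client ISN, something between them rewrote it, and the reply must have come back a different way.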
12-22-2023 12:36 AM
Share the packet-tracer output.
MHM
12-22-2023 04:47 AM
If you connect to the Cisco switch, is the IP address the same as on the Juniper switch?
Give some examples: what is the end device IP, what gateway do you set that does not work, and what gateway do you set that works?
How is your FTD default route back to the internal side?
Provide a diagram with IP information for us to understand.
"I cannot SSH to my VPN": is this the internal one or the external one? How does the traffic flow to this device?
12-22-2023 08:02 AM - edited 12-22-2023 08:03 AM
Thank you for responding. I was trying to be clear in my description, but it looks like I failed.
If you connect to the Cisco switch, is the IP address the same as on the Juniper switch? No, they each have their own unique IP address.
Give some examples: what is the end device IP, what gateway do you set that does not work, and what gateway do you set that works?
I cannot SSH from any computer plugged into the Cisco switch, but I can from any computer plugged into the Juniper switch. All machine IPs are on the 10.10.259.0/24 network, and all machines have default gateway 10.10.249.1 (this is the Firepower).
How is your FTD default route back to the internal side? My default route on the FTD is to the internet, but I have defined a route to the VPN network on the FTD.
Provide a diagram with IP information for us to understand.
"I cannot SSH to my VPN": is this the internal one or the external one? How does the traffic flow to this device? The internal one.
I hope I answered the questions as needed; I don't think I always understood what you wanted.