11-04-2016 06:29 AM - edited 02-21-2020 09:02 PM
Hello,
We have a local Ubuntu server in our department (named C1). We SSH to C1 to run computations. In order for C1 to run a program it must obtain a license from an outside license server (C2). To reach C2 we have to VPN using AnyConnect to the network of C2. When AnyConnect is disconnected on C1 we can SSH to it with no problem. However, when it is on VPN we can't. We used both C1's original IP address and its address after connecting to the VPN for SSHing. Note that after the VPN is up, C1 obtains the license from C2 and runs the program locally. The problem is SSHing only. We checked C2 (while at C2) and port 22 is open and listening. Yet no client on our network can reach it.
Any help and ideas are greatly appreciated.
LinuxUser
11-04-2016 06:40 AM
I would assume that the operator of the VPN gateway uses the default option "tunnel everything", which means that all traffic of C1 goes into the tunnel. That makes every other connection fail. Ask the operator of the C2 VPN gateway to configure split-tunneling.
11-04-2016 06:51 AM
Thanks Karsten. I will ask them and come back with a report.
I should correct the sentence before last of my original post. It should read:
"We checked C1 (while at C1) and port 22 is open and listening."
and it was while on VPN. I have no admin access to C2 or its network.
12-09-2016 11:02 AM
It is sad that I am still struggling with this.
I really appreciate any help or ideas.
11-04-2016 06:59 AM
Is it possible to configure two separate gateways on C1 so that incoming SSH connections don't tunnel to the C2 gateway? If I understand your comments correctly, SSH fails because the other clients belong to another domain, since they are not connected to the C2 network through VPN. Am I right?
11-04-2016 07:05 AM
C1 will likely accept the SSH connection. But the answer packets are sent through the VPN and will never reach your SSH client. This is a routing issue that is configured on request of the VPN gateway. It could also be solved by changing the local C1 routing table after the VPN is established. Just observe the routing table with and without VPN.
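One way to do the local routing-table change Karsten describes, as an added example that is not from this thread or from Cisco: source-based policy routing on C1 so that replies sent from C1's LAN address leave via the LAN gateway instead of the VPN default route. The LAN gateway 123.45.67.1, subnet 123.45.67.0/24, interface eth0 and table id 100 are assumed placeholders; 123.45.67.89 is C1's address from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholder values; override
# them in the environment to match C1's actual LAN settings.
LAN_IP="${LAN_IP:-123.45.67.89}"        # C1's LAN address (from the thread)
LAN_GW="${LAN_GW:-123.45.67.1}"         # assumed LAN gateway
LAN_NET="${LAN_NET:-123.45.67.0/24}"    # assumed LAN subnet
LAN_IF="${LAN_IF:-eth0}"                # assumed LAN interface
TABLE="${TABLE:-100}"                   # assumed extra routing table id

# Commands that install the policy routing: a private table that knows only
# the LAN, plus a rule sending packets sourced from LAN_IP to that table.
# The rule priority (100) is below the main table (32766), so it wins for
# LAN-sourced replies while VPN-bound traffic still uses the main table.
pbr_commands() {
    cat <<EOF
ip route replace $LAN_NET dev $LAN_IF table $TABLE
ip route replace default via $LAN_GW dev $LAN_IF table $TABLE
ip rule add from $LAN_IP lookup $TABLE priority 100
EOF
}

# Commands that remove the policy routing again (e.g. after the VPN drops).
pbr_undo_commands() {
    cat <<EOF
ip rule del from $LAN_IP lookup $TABLE priority 100
ip route flush table $TABLE
EOF
}

# Run each command from the given generator (needs root). With DRY_RUN=1
# the commands are only printed, which lets you review them first.
pbr_apply() {
    "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Check which route the kernel picks for a reply from LAN_IP to a LAN client
# (first argument, default 123.45.67.2); after applying, it should show LAN_IF.
pbr_check() {
    ip route get "${1:-123.45.67.2}" from "$LAN_IP" 2>/dev/null
}
```

Run `DRY_RUN=1 pbr_apply pbr_commands` to review, then `pbr_apply pbr_commands` as root after the VPN is up; the AnyConnect client may rewrite routes on reconnect, so re-apply after each connection.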
11-04-2016 09:17 AM
The C2 network has two options for VPNing through AnyConnect:
"Default XXXX split-tunnel" and "Full Traffic non-split-tunnel".
The behaviour we have seen was with the split-tunnel option. I see with "route" that the routing tables are different when not on VPN, on full-tunnel VPN and on split-tunnel VPN.
What I get on a client when I ssh to C1 is this:
ssh: connect to host 123.45.67.89 port 22: Connection refused
Any more thoughts?
11-07-2016 08:56 AM
Karsten and other experts,
I appreciate any other suggestions on this.
Thanks