2471 Views, 0 Helpful, 7 Replies

ssh to a server connected to another server using AnyConnect

theLinuxUser (Level 1)

Hello,

We have a local Ubuntu server in our department (named C1). We SSH to C1 to run computations. In order for C1 to run a program it must obtain a license from an outside license server (C2). To reach C2 we have to VPN using AnyConnect into the network of C2. When AnyConnect is disconnected on C1 we can SSH to it with no problem. However, when it is on VPN we can't. We used both C1's original IP address and its address after connecting to VPN for SSHing. Note that after VPN, C1 obtains the license from C2 and runs the program locally. The problem is SSHing only. We checked C2 (while at C2) and port 22 is open and listening. Yet no client on our network can reach it.

Any help and ideas are greatly appreciated.

LinuxUser

7 Replies

I would assume that the operator of the VPN gateway uses the default option "tunnel everything", which means that all traffic of C1 goes into the tunnel. That makes every other connection fail. Ask the operator of the C2 VPN gateway to configure split-tunneling.

Thanks Karsten. I will ask them and come back with a report.

I should correct the sentence before last of my original post. It should read:

"We checked C1 (while at C1) and port 22 is open and listening."

and that was while on VPN. I have no admin access to C2 or its network.

It is sad that I am still struggling with this.

I really appreciate any help or ideas.

Is it possible to configure two separate gateways on C1 so that incoming SSH connections don't tunnel to the C2 gateway? If I understand your comments correctly, SSH fails because the other clients belong to another domain, since they are not connected to the C2 network through VPN. Am I right?

C1 will likely accept the SSH connection. But the answer packets are sent through the VPN and will never reach your SSH client. This is a routing issue that is configured at the request of the VPN gateway. It could also be solved by changing the local C1 routing table after the VPN is established. Just observe the routing table with and without VPN.
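
The routing change described in the reply above, worked through as an added editorial example (this script is not from the original thread, from Cisco, or from the poster). It assumes a Linux C1 whose physical interface, LAN address and LAN gateway are the placeholders LAN_IF, LAN_IP and LAN_GW, and it assumes a tunnel interface named cscotun0 in the constructed sample routing output. The idea is Linux policy routing: a dedicated routing table whose default route points at the LAN gateway, plus an `ip rule` that selects that table for every packet whose source address is C1's LAN address, which is exactly the reply traffic of an SSH session that arrived on that address. The VPN can then own the main table's default route without capturing those replies.

```shell
#!/bin/sh
# Added example, not from the original thread. Pins replies from C1's LAN
# address to the LAN gateway while AnyConnect owns the default route.
# LAN_IP, LAN_GW, LAN_IF and the table number are assumed placeholders.

LAN_IP="${LAN_IP:-123.45.67.89}"   # C1's address on the department LAN (assumed)
LAN_GW="${LAN_GW:-123.45.67.1}"    # department default gateway (assumed)
LAN_IF="${LAN_IF:-eth0}"           # C1's physical interface (assumed)
TABLE="${TABLE:-100}"              # spare routing table for the LAN path

# Read `ip route show` output on stdin and print the device that carries the
# first "default" route. This is the quick check Karsten suggests: compare the
# answer with and without the VPN connected.
default_route_dev() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Commands that create the LAN-only table and the source-address rule.
# Priority 1000 sorts before the main table (32766), so the rule wins for
# packets sourced from LAN_IP; everything else still follows the VPN routes.
policy_route_cmds() {
    cat <<EOF
ip route replace default via $LAN_GW dev $LAN_IF table $TABLE
ip rule add from $LAN_IP/32 lookup $TABLE priority 1000
EOF
}

# Commands that undo the change (run before or after disconnecting the VPN).
policy_route_undo_cmds() {
    cat <<EOF
ip rule del from $LAN_IP/32 lookup $TABLE priority 1000
ip route flush table $TABLE
EOF
}

# Print each command; execute it only when APPLY=1 (needs root on C1).
apply_policy_route() {
    policy_route_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"
        fi
    done
}

# Constructed sample of `ip route show` on C1 while connected in full-tunnel
# mode (interface and address values are invented for illustration). The
# default route has moved onto the tunnel, so replies to LAN clients would
# leave via cscotun0 and never come back to the department network.
SAMPLE_ROUTES_VPN="default dev cscotun0 scope link
123.45.67.0/24 dev eth0 proto kernel scope link src 123.45.67.89
203.0.113.10 via 123.45.67.1 dev eth0
10.8.0.0/24 dev cscotun0 proto kernel scope link src 10.8.0.15"

# Constructed sample of the same machine with the VPN disconnected.
SAMPLE_ROUTES_NOVPN="default via 123.45.67.1 dev eth0 proto dhcp metric 100
123.45.67.0/24 dev eth0 proto kernel scope link src 123.45.67.89"
```

Usage on a real C1: connect the VPN, run `ip route show | default_route_dev` to confirm the default route now points at the tunnel, then `APPLY=1 apply_policy_route` as root and try the SSH connection from a LAN client again; `ip rule show` should list the new rule. Two caveats a practitioner should check. First, AnyConnect may reinstall or police its own routes after it connects, so verify with `ip rule show` and `ip route show table 100` that the rule and table survive. Second, the client-side error quoted later in this thread is "Connection refused", which is an active reset rather than the timeout asymmetric routing normally produces; if the error persists after the routing fix, look on C1 for a local packet-filter rule (`iptables -S` while connected) and confirm with `ss -tlnp` that sshd is bound to the LAN address rather than only to the tunnel address.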

The C2 network has two options for VPNing through AnyConnect:

"Default XXXX split-tunnel" and "Full Traffic non-split-tunnel".

The behaviour we have seen was using the split-tunnel option. I see with "route" that the routing tables are different when not on VPN, on full-tunnel VPN and on split-tunnel VPN.

What I get on a client when SSHing to C1 is this:

ssh: connect to host 123.45.67.89 port 22: Connection refused

Any more thoughts?

Karsten and other experts,

I appreciate any other suggestions on this.

Thanks