11 Replies   Latest reply: Sep 5, 2013 11:22 AM by sliedl

    SSH connection refused to NODE01 in cluster config

    krzysztof.anzorge

      Hi,

      I have an Active/Passive cluster of MFE 8.3.1 virtual firewalls.

      cluster IP is 10.0.0.50
      NODE01 IP is 10.0.0.111
      NODE02 IP is 10.0.0.222

      I can connect through the Admin Console (port 9003) to the cluster IP.
      The connection is redirected to the active NODE (by ARP) and everything works OK even if the cluster does a failover.

      Problem:
      When NODE01 acts as PRIMARY, I have a problem with the SSH connection to NODE01 on the cluster IP (10.0.0.50).
      When NODE02 acts as PRIMARY, I can connect to SSH on the cluster IP (10.0.0.50) without any problem.

      When NODE01 acts as PRIMARY and I make an SSH connection to IP 10.0.0.50, I get this error in the audit log:
      ============================
      2013-08-29 14:54:49 -0400 f_kernel a_nil_area t_netprobe p_minor
      hostname: NODE01.mcafee.lab event: TCP netprobe srcip: 10.0.0.150
      srcport: 2109 srczone: internal dstip: 10.0.0.50 dstport: 22 protocol: 6
      interface: em1
      reason: Received a TCP connection attempt destined for a service that the current policy does not support.
      ============================


      When NODE02 acts as PRIMARY, the SSH connection to IP 10.0.0.50 works OK, with this audit log:
      ============================
      2013-08-29 15:03:17 -0400 f_ssh_server a_server t_auth_attempt p_major
      pid: 1416 logid: 0 cmd: 'sshd' hostname: NODE02.mcafee.lab
      event: auth allow user_name: admin auth_method: Password
      reason: Authentication succeeded.
      ============================


      I have enabled the standard (default) SSH policy rule on both firewall nodes:
      =====================================
      policy add table=rule name='Secure Shell Server' rulegroup=Administration \
          pos=5 action=allow appdefense=defaultgroup:defaultgroup \
          application='custom:SSH Server' audit=standard \
          authenticator=authenticator:Password authgroups='*' dest=all:v4 \
          dest_zones=zone:internal disable=no exclude_capability='' ipsresponse='' \
          nat_addr='' nat_mode=none redir='' redir_port='' sign_category_grp='' \
          source=all:v4 source_zones=zone:internal ssl_ports='' tcp_ports='' \
          timeperiod='*' ts_enable=no ts_reputation=medium_unverified_threshold \
          udp_ports='' description='Allow SSH server access from the internal zone' \
          last_changed_by='admin on Thu Aug 29 12:37:02 2013'
      ======================================


      Question:
      Why can't I log in by SSH to NODE01 on the cluster IP?


      Best regards
      Krzysztof Anzorge

        • 1. Re: SSH connection refused to NODE01 in cluster config
          vetterous

          Do you have 10.0.0.50 within /etc/ssh/sshd_config as a listen address?

          • 2. Re: SSH connection refused to NODE01 in cluster config
            krzysztof.anzorge

            Hi,

            On NODE01 I have /etc/ssh/sshd_config as follows:

            ==============================================

            #       $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

            # This is the sshd server system-wide configuration file.  See
            # sshd_config(5) for more information.

            # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

            # The strategy used for options in the default sshd_config shipped with
            # OpenSSH is to specify options with their default value where
            # possible, but leave them commented.  Uncommented options override the
            # default value.

            ## NOTE: The Port option is configured through the "cf application"
            ## area.  Do NOT edit the value in this configuration file.
            #Port 22
            #AddressFamily any

            Protocol 2

            # HostKey for protocol version 1
            HostKey /etc/ssh/ssh_host_key
            # HostKeys for protocol version 2
            HostKey /etc/ssh/ssh_host_rsa_key
            HostKey /etc/ssh/ssh_host_dsa_key
            HostKey /etc/ssh/ssh_host_ecdsa_key

            # Lifetime and size of ephemeral version 1 server key
            #KeyRegenerationInterval 1h
            #ServerKeyBits 1024

            # Logging
            # obsoletes QuietMode and FascistLogging
            #SyslogFacility AUTH
            #LogLevel INFO

            # Authentication:

            #LoginGraceTime 2m
            LoginGraceTime 10m
            #PermitRootLogin yes
            #StrictModes yes
            #MaxAuthTries 6
            #MaxSessions 10

            RSAAuthentication yes
            PubkeyAuthentication yes

            #AuthorizedKeysFile     .ssh/authorized_keys

            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
            #RhostsRSAAuthentication no
            # similar for protocol version 2
            #HostbasedAuthentication no
            # Change to yes if you don't trust ~/.ssh/known_hosts for
            # RhostsRSAAuthentication and HostbasedAuthentication
            #IgnoreUserKnownHosts no
            # Don't read the user's ~/.rhosts and ~/.shosts files
            #IgnoreRhosts yes

            # To disable tunneled clear text passwords, change to no here!
            #PasswordAuthentication yes
            ## NOTE: Configuration of the PermitEmptyPasswords option is not
            ## supported on the firewall.  The behavior is equivalent to "no".
            #PermitEmptyPasswords no

            # Change to no to disable s/key passwords
            #ChallengeResponseAuthentication yes

            # Kerberos options
            #KerberosAuthentication no
            #KerberosOrLocalPasswd yes
            #KerberosTicketCleanup yes
            #KerberosGetAFSToken no

            # GSSAPI options
            #GSSAPIAuthentication no
            #GSSAPICleanupCredentials yes

            # Set this to 'yes' to enable PAM authentication, account processing,
            # and session processing. If this is enabled, PAM authentication will
            # be allowed through the ChallengeResponseAuthentication and
            # PasswordAuthentication.  Depending on your PAM configuration,
            # PAM authentication via ChallengeResponseAuthentication may bypass
            # the setting of "PermitRootLogin without-password".
            # If you just want the PAM account and session checks to run without
            # PAM authentication, then enable this but set PasswordAuthentication
            # and ChallengeResponseAuthentication to 'no'.
            #UsePAM no

            ## NOTE: Configuration of the AllowAgentForwarding option is not
            ## supported on the firewall.  The behavior is equivalent to "no".
            #AllowAgentForwarding yes
            AllowAgentForwarding no
            #AllowTcpForwarding yes
            #GatewayPorts no
            #X11Forwarding no
            #X11DisplayOffset 10
            #X11UseLocalhost yes
            #PrintMotd yes
            #PrintLastLog yes
            #TCPKeepAlive yes
            ## NOTE: Configuration of the UseLogin option is not supported on the
            ## firewall.  The behavior is equivalent to "no".
            #UseLogin no
            ## NOTE: Configuration of the UsePrivilegeSeparation option is not
            ## supported on the firewall.  The behavior is equivalent to "yes".
            #UsePrivilegeSeparation yes
            #PermitUserEnvironment no
            #Compression delayed
            #ClientAliveInterval 0
            #ClientAliveCountMax 3
            ## NOTE: UseDNS yes can cause multi-second hangs when connecting
            ## if there is a DNS problem or the client host has no reverse DNS.
            #UseDNS yes
            UseDNS no
            ## NOTE: Configuration of the PidFile option is not supported on the
            ## firewall.  The behavior is equivalent to
            ## /var/run/sshd/sshd.pid.<zone>.
            #PidFile /var/run/sshd.pid
            #MaxStartups 10
            #PermitTunnel no
            #ChrootDirectory none

            # no default banner path
            #Banner none

            # override default of no subsystems
            Subsystem       sftp    /usr/libexec/sftp-server

            # Example of overriding settings on a per-user basis
            #Match User anoncvs
            #       X11Forwarding no
            #       AllowTcpForwarding no
            #       ForceCommand cvs server
            ## NOTE: the mfe_zone_info entries are maintained by the
            ## swede configuration.  Modification to SSH server ports
            ## should be made via policy and not hand-edited here.
            mfe_zone_info 3 inet 22
            mfe_zone_info 2 inet 22
            #ListenAddress 0.0.0.0:0
            #ListenAddress [::]:0

            ======================================================


            On NODE02 I have /etc/ssh/sshd_config as follows:

            ============================================

            #       $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

            # This is the sshd server system-wide configuration file.  See
            # sshd_config(5) for more information.

            # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

            # The strategy used for options in the default sshd_config shipped with
            # OpenSSH is to specify options with their default value where
            # possible, but leave them commented.  Uncommented options override the
            # default value.

            ## NOTE: The Port option is configured through the "cf application"
            ## area.  Do NOT edit the value in this configuration file.
            #Port 22
            #AddressFamily any

            Protocol 2

            # HostKey for protocol version 1
            HostKey /etc/ssh/ssh_host_key
            # HostKeys for protocol version 2
            HostKey /etc/ssh/ssh_host_rsa_key
            HostKey /etc/ssh/ssh_host_dsa_key
            HostKey /etc/ssh/ssh_host_ecdsa_key

            # Lifetime and size of ephemeral version 1 server key
            #KeyRegenerationInterval 1h
            #ServerKeyBits 1024

            # Logging
            # obsoletes QuietMode and FascistLogging
            #SyslogFacility AUTH
            #LogLevel INFO

            # Authentication:

            #LoginGraceTime 2m
            LoginGraceTime 10m
            #PermitRootLogin yes
            #StrictModes yes
            #MaxAuthTries 6
            #MaxSessions 10

            RSAAuthentication yes
            PubkeyAuthentication yes

            #AuthorizedKeysFile     .ssh/authorized_keys

            # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
            #RhostsRSAAuthentication no
            # similar for protocol version 2
            #HostbasedAuthentication no
            # Change to yes if you don't trust ~/.ssh/known_hosts for
            # RhostsRSAAuthentication and HostbasedAuthentication
            #IgnoreUserKnownHosts no
            # Don't read the user's ~/.rhosts and ~/.shosts files
            #IgnoreRhosts yes

            # To disable tunneled clear text passwords, change to no here!
            #PasswordAuthentication yes
            ## NOTE: Configuration of the PermitEmptyPasswords option is not
            ## supported on the firewall.  The behavior is equivalent to "no".
            #PermitEmptyPasswords no

            # Change to no to disable s/key passwords
            #ChallengeResponseAuthentication yes

            # Kerberos options
            #KerberosAuthentication no
            #KerberosOrLocalPasswd yes
            #KerberosTicketCleanup yes
            #KerberosGetAFSToken no

            # GSSAPI options
            #GSSAPIAuthentication no
            #GSSAPICleanupCredentials yes

            # Set this to 'yes' to enable PAM authentication, account processing,
            # and session processing. If this is enabled, PAM authentication will
            # be allowed through the ChallengeResponseAuthentication and
            # PasswordAuthentication.  Depending on your PAM configuration,
            # PAM authentication via ChallengeResponseAuthentication may bypass
            # the setting of "PermitRootLogin without-password".
            # If you just want the PAM account and session checks to run without
            # PAM authentication, then enable this but set PasswordAuthentication
            # and ChallengeResponseAuthentication to 'no'.
            #UsePAM no

            ## NOTE: Configuration of the AllowAgentForwarding option is not
            ## supported on the firewall.  The behavior is equivalent to "no".
            #AllowAgentForwarding yes
            AllowAgentForwarding no
            #AllowTcpForwarding yes
            #GatewayPorts no
            #X11Forwarding no
            #X11DisplayOffset 10
            #X11UseLocalhost yes
            #PrintMotd yes
            #PrintLastLog yes
            #TCPKeepAlive yes
            ## NOTE: Configuration of the UseLogin option is not supported on the
            ## firewall.  The behavior is equivalent to "no".
            #UseLogin no
            ## NOTE: Configuration of the UsePrivilegeSeparation option is not
            ## supported on the firewall.  The behavior is equivalent to "yes".
            #UsePrivilegeSeparation yes
            #PermitUserEnvironment no
            #Compression delayed
            #ClientAliveInterval 0
            #ClientAliveCountMax 3
            ## NOTE: UseDNS yes can cause multi-second hangs when connecting
            ## if there is a DNS problem or the client host has no reverse DNS.
            #UseDNS yes
            UseDNS no
            ## NOTE: Configuration of the PidFile option is not supported on the
            ## firewall.  The behavior is equivalent to
            ## /var/run/sshd/sshd.pid.<zone>.
            #PidFile /var/run/sshd.pid
            #MaxStartups 10
            #PermitTunnel no
            #ChrootDirectory none

            # no default banner path
            #Banner none

            # override default of no subsystems
            Subsystem       sftp    /usr/libexec/sftp-server

            # Example of overriding settings on a per-user basis
            #Match User anoncvs
            #       X11Forwarding no
            #       AllowTcpForwarding no
            #       ForceCommand cvs server
            ## NOTE: the mfe_zone_info entries are maintained by the
            ## swede configuration.  Modification to SSH server ports
            ## should be made via policy and not hand-edited here.
            mfe_zone_info 3 inet 22
            mfe_zone_info 2 inet 22
            #ListenAddress 0.0.0.0:0
            #ListenAddress [::]:0

            =====================================


            I think that both are the same, but I can log in to NODE02 on the cluster address 10.0.0.50, whereas when NODE01 is PRIMARY this is impossible.

            Any ideas?

            KA

            • 3. Re: SSH connection refused to NODE01 in cluster config
              sliedl

              If you have an active-standby cluster are you turning OFF Node2 when you try to login to Node1?


              What might be happening is that you think Node1 is the primary but it has not fully 'taken over' as primary.  This could happen if the firewall has an interface unplugged that is configured for 'Link Monitoring'.  The link is down so the firewall does not take over.


              When Node1 is primary (and Node2 is off) run these commands to see if there is anything listening on port 22:

              $> sockstat -4lp 22

              $> lsof -nPi :22

              When Node1 is Primary, what does 'cf clus stat' say and what does 'cf clus fail' report back on the screen?

              If none of those things work you should open a Support ticket as there could be a myriad of things going on here.  It 'seems' simple enough, as this is a netprobe, which means you do not have a rule configured on that port (but you DO).  This means to me that either the policy is incorrect on one firewall or that the SSH server is not starting on Node1 for whatever reason.

              • 4. Re: SSH connection refused to NODE01 in cluster config
                krzysztof.anzorge

                 Hi sliedl,

                 Answers below.

                 When NODE01 is Primary and NODE02 is OFF, I can't connect to SSH on the cluster IP (10.0.0.50), but I can still connect to NODE01's primary IP (10.0.0.111).

                 Commands below:

                 =====================================================================
                 NODE01:Admn {1} % sockstat -4lp 22
                 USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
                 root     sshd       1281  4  tcp4   10.2.0.101:22         *:*
                 root     sshd       1280  4  tcp4   10.0.0.111:22         *:*

                 NODE01:Admn {3} % lsof -nPi :22
                 COMMAND  PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
                 sshd    1280  root    4u  IPv4 0xffffff001db6e000      0t0  TCP 10.0.0.111:22 (LISTEN)
                 sshd    1281  root    4u  IPv4 0xffffff001da80ae0      0t0  TCP 10.2.0.101:22 (LISTEN)
                 sshd    1350  root    5u  IPv4 0xffffff001de39740      0t0  TCP 10.0.0.111:22->10.0.0.150:2564 (ESTABLISHED)
                 sshd    1353 admin    5u  IPv4 0xffffff001de39740      0t0  TCP 10.0.0.111:22->10.0.0.150:2564 (ESTABLISHED)

                 NODE01:Admn {4} % cf clus stat

                                        HA Cluster Status Information
                                        =============================

                Primary Host:        NODE01.mcafee.lab
                Primary IP Address:  10.1.0.111
                Cluster Zone:        HB
                Cluster Cert:        Default_Enterprise_Certificate
                Cluster CA:          Default_Enterprise_CA

                Member Name          State         IP Address
                -------------------- ------------- ---------------
                NODE01.mcafee.lab    registered    10.1.0.111
                NODE02.mcafee.lab    registered    10.1.0.222


                                      Policy and Peer Connection Status
                                      =================================

                NODE01.mcafee.lab (primary)
                -----------------------------
                    Connection State  :  Localhost
                    Policy Version    :  235-1377798875.47-1377812565
                    FW Version        :  8.3.1
                    Status            :  Up to date - Current

                NODE02.mcafee.lab (peer)
                -----------------------------
                    Connection State  :  Not Connected
                    Last Dispatch     :  2013-08-29 17:43:47.074297
                    Policy Version    :  235-1377798875.47-1377812565
                    FW Version        :  8.3.1
                    Status            :  Lost Connection

                NODE01:Admn {5} % cf clus fail
                This system is operating as primary.

                Zone 4 is the heartbeat zone

                The following cluster addresses are assigned:
                              HB  10.1.0.50
                internal_network  10.0.0.50
                external_network  192.168.200.230
                            MGMT  10.2.0.50

                This system is configured as the primary for firewall ID 50.

                Failover interface status:
                internal_network  up
                external_network  up
                            MGMT  up

                IP Filter tracking state as primary

                Active firewall list:

                A backup heartbeat interface is not configured


                Statistics for failover

                Failover running since Thu Aug 29 17:42:45 2013

                Failover allowing 3 seconds for interface swap (default)

                Number of advertisements sent                    = 474
                Number of received advertisements                = 0
                Number of rcvd advertisements since primary chgd = 0
                Number of times this system has become primary   = 1
                Number of release messages received              = 0
                Number of release messages sent                  = 0
                Number of failed takeover attempts               = 0
                Number of possible duplicate primary messages    = 0
                Number of heartbeat ack messages received        = 172
                Number of heartbeat ack messages sent            = 0
                Number of messages received with errors          = 0
                Number of same priority advertisements rcvd      = 0

                =======================================================


                 Any ideas?

                 KA

                • 5. Re: SSH connection refused to NODE01 in cluster config
                  sliedl

                  Run an audit and restart the SSH Server on node1 and then look at the audit to see if it fails to start for some reason (it's obviously not listening on port 22 on that IP):

                  $> acat -kb > audit.raw&

                  -- The & puts the command into the background

                  $> cf daemond restart agent=ssh_server

                  $> fg

                  -- Now hit CTRL+C to stop the audit.raw file

                  -- Look at the audit file:

                  $> acat audit.raw | less


                  Also look at the /var/log/daemond.log file to see if the SSH server fails to start for some reason.

                  Can you please paste the output of 'cf int q' from node1 and also 'ifconfig -a'?
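
The two checks sliedl asks for in replies 3 and 5 (is sshd actually bound on the cluster address, and what does the audit say), written up as an added shell example that is not part of this thread or of the MFE product. It parses `sockstat -4lp 22` output for port-22 listeners, compares them with the addresses a primary node should be serving, and pulls TCP/22 netprobe records (the symptom in the first post) out of `acat` output. The sample outputs are constructed from what was pasted in this thread; the expected-address lists are my assumption of what each node should serve when it is primary (its member address plus the cluster address of the internal and MGMT zones, from the `cf clus fail` and `cf int q` output above).

```shell
#!/bin/sh
# Added example, not from the thread or from MFE. Run it with /bin/sh (the
# firewall's login shell is csh, so: sh check_ssh_listeners.sh).

# Constructed input: `sockstat -4lp 22` on NODE01 while primary, as pasted
# in reply 4 (no cluster address bound).
NODE01_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1281  4  tcp4   10.2.0.101:22         *:*
root     sshd       1280  4  tcp4   10.0.0.111:22         *:*'

# Constructed input: the same command on NODE02 while primary (reply 6).
NODE02_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1345  4  tcp4   10.2.0.102:22         *:*
root     sshd       1345  5  tcp4   10.2.0.50:22          *:*
root     sshd       1344  4  tcp4   10.0.0.222:22         *:*
root     sshd       1344  5  tcp4   10.0.0.50:22          *:*'

# Assumption: when primary, each node should serve SSH on its member address
# and on the cluster address of every zone with an SSH rule (internal and
# MGMT here; addresses taken from the `cf clus fail` / `cf int q` output).
NODE01_EXPECTED='10.0.0.111 10.0.0.50 10.2.0.101 10.2.0.50'
NODE02_EXPECTED='10.0.0.222 10.0.0.50 10.2.0.102 10.2.0.50'

# Constructed input: two acat records, the port-22 netprobe from the first
# post and an unrelated successful login. Records are blank-line separated.
AUDIT_SAMPLE=$(cat <<'EOF'
2013-08-29 14:54:49 -0400 f_kernel a_nil_area t_netprobe p_minor
hostname: NODE01.mcafee.lab event: TCP netprobe srcip: 10.0.0.150
srcport: 2109 srczone: internal dstip: 10.0.0.50 dstport: 22 protocol: 6
interface: em1
reason: Received a TCP connection attempt destined for a service that the current policy does not support.

2013-08-29 15:03:17 -0400 f_ssh_server a_server t_auth_attempt p_major
pid: 1416 logid: 0 cmd: 'sshd' hostname: NODE02.mcafee.lab
event: auth allow user_name: admin auth_method: Password
reason: Authentication succeeded.
EOF
)

# ssh_listeners SOCKSTAT_OUTPUT
# Prints the local IPv4 addresses with a TCP listener on port 22, one per line.
ssh_listeners() {
    printf '%s\n' "$1" |
        awk '$5 == "tcp4" && $6 ~ /:22$/ { sub(/:22$/, "", $6); print $6 }'
}

# missing_listeners SOCKSTAT_OUTPUT "ADDR ADDR ..."
# Prints every expected address that has no port-22 listener, one per line;
# prints nothing when the node serves all of them. Always exits 0 so the
# caller tests the output, not the status.
missing_listeners() {
    bound=$(ssh_listeners "$1")
    for ip in $2; do
        if ! printf '%s\n' "$bound" | grep -Fqx -- "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
    return 0
}

# port22_netprobes AUDIT_TEXT "ADDR ADDR ..."
# Scans acat output for kernel t_netprobe records with dstport 22 whose
# dstip is one of the given addresses and prints "dstip srcip" per hit.
# A hit means the packet reached the kernel (policy let it through) but
# nothing was bound on that address:port, which is the first post's symptom.
port22_netprobes() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN {
            RS = ""                      # one audit record per paragraph
            n = split(want, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /t_netprobe/ {
            src = dst = dport = ""
            for (i = 1; i <= NF; i++) {  # fields are "key: value" pairs
                if ($i == "srcip:")   src   = $(i + 1)
                if ($i == "dstip:")   dst   = $(i + 1)
                if ($i == "dstport:") dport = $(i + 1)
            }
            if (dport == "22" && (dst in ok)) print dst, src
        }'
}

# Stand-alone run over the constructed inputs.
printf 'NODE01 expected but not bound: %s\n' \
    "$(missing_listeners "$NODE01_SOCKSTAT" "$NODE01_EXPECTED" | tr '\n' ' ')"
printf 'NODE02 expected but not bound: %s\n' \
    "$(missing_listeners "$NODE02_SOCKSTAT" "$NODE02_EXPECTED" | tr '\n' ' ')"
printf 'TCP/22 netprobes on cluster addresses (dstip srcip):\n%s\n' \
    "$(port22_netprobes "$AUDIT_SAMPLE" '10.0.0.50 10.2.0.50')"
```

On a live node the first argument would be `"$(sockstat -4lp 22)"` and the audit text `"$(acat audit.raw)"`. Against NODE01's pasted output the listener check reports 10.0.0.50 and 10.2.0.50 as expected but not bound, and the netprobe scan returns the 10.0.0.150 to 10.0.0.50 attempt from the first post, which is the same gap seen from two sides: policy accepted the connection, but no sshd had the cluster address at that moment.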

                  • 6. Re: SSH connection refused to NODE01 in cluster config
                    krzysztof.anzorge

                    Please see below the output from NODE02 as primary:

                    NODE02:Admn {1} % sockstat -4lp 22
                    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
                    root     sshd       1345  4  tcp4   10.2.0.102:22         *:*
                    root     sshd       1345  5  tcp4   10.2.0.50:22          *:*
                    root     sshd       1344  4  tcp4   10.0.0.222:22         *:*
                    root     sshd       1344  5  tcp4   10.0.0.50:22          *:*
                    NODE02:Admn {2}

                    KA

                    • 7. Re: SSH connection refused to NODE01 in cluster config
                      krzysztof.anzorge

                      Commands below:


                      NODE01:Admn {1} % acat -kb > audit.raw&
                      [1] 1366
                      NODE01:Admn {2} % cf daemond restart agent=ssh_server
                      NODE01:Admn {3} % fg
                      acat -kb > audit.raw
                      ^C
                      NODE01:Admn {4} % acat audit.raw | less

                      2013-08-29 18:07:49 -0400 f_system a_hmon t_lcm p_minor
                      pid: 1276 logid: 0 cmd: 'monitord' hostname: NODE01.mcafee.lab mbuf_data: 8
                      cpu_data: 12 real_data: 80 load_data: 0 virt_data: 55 ipkt: 382 opkt: 260
                      ibytes: 56172 obytes: 40365

                      2013-08-29 18:07:49 -0400 f_system a_hmon t_geninfo p_major
                      pid: 1276 logid: 0 cmd: 'monitord' hostname: NODE01.mcafee.lab
                      information: Health Monitor data follows

                      uptime_util:     2 mins
                      load_avg:        0.92
                      mem_percent:     17.96
                      cpu_percent:     13
                      tcp_count:       5
                      udp_count:       1
                      proxy_info:      rtsyncd                1
                      proxy_info:      sfifpserver            14
                      proxy_info:      scobrap                2
                      proxy_info:      dnsp                   2
                      proxy_info:      ikmpd                  2
                      proxy_info:      AdminConsole           1
                      proxy_info:      sshd                   2
                      :

                      2013-08-29 18:07:49 -0400 f_system a_hmon t_lcm p_minor
                      pid: 1276 logid: 0 cmd: 'monitord' hostname: NODE01.mcafee.lab mbuf_data: 8
                      cpu_data: 12 real_data: 80 load_data: 0 virt_data: 55 ipkt: 382 opkt: 260
                      ibytes: 56172 obytes: 40365

                      2013-08-29 18:07:49 -0400 f_system a_hmon t_geninfo p_major
                      pid: 1276 logid: 0 cmd: 'monitord' hostname: NODE01.mcafee.lab
                      information: Health Monitor data follows

                      uptime_util:     2 mins
                      load_avg:        0.92
                      mem_percent:     17.96
                      cpu_percent:     13
                      tcp_count:       5
                      udp_count:       1
                      proxy_info:      rtsyncd                1
                      proxy_info:      sfifpserver            14
                      proxy_info:      scobrap                2
                      proxy_info:      dnsp                   2
                      proxy_info:      ikmpd                  2
                      proxy_info:      AdminConsole           1
                      proxy_info:      sshd                   2
                      tcp_data:        ESTABLISHED    5
                      tcp_data:        TIME_WAIT      0
                      tcp_data:        FIN_WAIT_1     0
                      tcp_data:        FIN_WAIT_2     0
                      tcp_data:        CLOSE_WAIT     0
                      ipf_data:        TCP Total              1
                      ipf_data:        UDP Total              3
                      ipf_total:       4


                      2013-08-29 18:07:49 -0400 f_ent_relay_daemon a_server t_important p_major
                      pid: 1282 logid: 0 cmd: 'entrelayd' hostname: NODE01.mcafee.lab
                      information: outgoing service policy allowed. ROLE=1 MASK=3

                      2013-08-29 18:07:49 -0400 f_ent_relay_daemon a_server t_important p_major
                      pid: 1282 logid: 0 cmd: 'entrelayd' hostname: NODE01.mcafee.lab
                      information: service policy connect to host NODE02.mcafee.lab

                      2013-08-29 18:07:52 -0400 f_daemond a_server t_info p_major
                      pid: 138 logid: 0 cmd: 'daemond' hostname: NODE01.mcafee.lab
                      event: stopping service reason: Shutting down 'sshd(2)' (1280)

                      2013-08-29 18:07:52 -0400 f_daemond a_server t_info p_major
                      pid: 138 logid: 0 cmd: 'daemond' hostname: NODE01.mcafee.lab
                      event: stopping service reason: Shutting down 'sshd(3)' (1281)

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1280 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1280]: Received signal 15; terminating.

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1281 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1281]: Received signal 15; terminating.

                      2013-08-29 18:07:52 -0400 f_daemond a_server t_info p_major
                      pid: 138 logid: 0 cmd: 'daemond' hostname: NODE01.mcafee.lab
                      event: starting service reason: Starting 'sshd(2)' (1368): '/usr/sbin/sshd'

                      2013-08-29 18:07:52 -0400 f_daemond a_server t_info p_major
                      pid: 138 logid: 0 cmd: 'daemond' hostname: NODE01.mcafee.lab
                      event: starting service reason: Starting 'sshd(3)' (1369): '/usr/sbin/sshd'

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1368 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1368]: Server listening on 10.0.0.111 port 22.

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1369 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1369]: Server listening on 10.2.0.101 port 22.

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1368 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1368]: Server listening on 10.0.0.50 port 22.

                      2013-08-29 18:07:52 -0400 f_syslog_auth a_general_area t_info p_trivial
                      pid: 1369 logid: 0 cmd: 'sshd' hostname: NODE01.mcafee.lab
                      information: <38>Aug 29 18:07:52 sshd[1369]: Server listening on 10.2.0.50 port 22.
                      (END)


                      NODE01:Admn {6} % cf int q
                      interface modify entrytype=nic name=em0 mac_addr=000c29bfb28f \
                          iftype=autoselect \
                          iftypelist='autoselect,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP' \
                          ifcap=rxcsum,txcsum ifcaplist=rxcsum,txcsum,jumbo_mtu
                      interface modify entrytype=nic name=em1 mac_addr=000c29bfb299 \
                          iftype=autoselect \
                          iftypelist='autoselect,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP' \
                          ifcap=rxcsum,txcsum ifcaplist=rxcsum,txcsum,jumbo_mtu
                      interface modify entrytype=nic name=em2 mac_addr=000c29bfb2a3 \
                          iftype=autoselect \
                          iftypelist='autoselect,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP' \
                          ifcap=rxcsum,txcsum ifcaplist=rxcsum,txcsum,jumbo_mtu
                      interface modify entrytype=nic name=em3 mac_addr=000c29bfb2ad \
                          iftype=autoselect \
                          iftypelist='autoselect,1000baseT,1000baseT full-duplex,100baseTX full-duplex,100baseTX,10baseT/UTP full-duplex,10baseT/UTP' \
                          ifcap=rxcsum,txcsum ifcaplist=rxcsum,txcsum,jumbo_mtu
                      interface add entrytype=interface name=HB hwdevice=em3 enabled=yes \
                          v6_enabled=no v6_autoconf=static zone=HB span_enabled=no \
                          addresses=10.1.0.50/24 member_addresses=10.1.0.111/24 qos_profile='' \
                          mtu=1500 cluster_mac=01:00:5e:4d:36:0a l2_mode=multicast \
                          monitor_allowed_failures=3 monitor_interval=30 monitor_link=1
                      interface add entrytype=interface name=MGMT hwdevice=em2 enabled=yes \
                          v6_enabled=no v6_autoconf=static zone=MGMT span_enabled=no \
                          addresses=10.2.0.50/24 member_addresses=10.2.0.101/24 qos_profile='' \
                          mtu=1500 cluster_mac=01:00:5e:3a:5b:cf l2_mode=multicast \
                          monitor_allowed_failures=3 monitor_interval=30 monitor_link=1
                      interface add entrytype=interface name=external_network hwdevice=em0 \
                          enabled=yes v6_enabled=no v6_autoconf=static zone=external \
                          span_enabled=no addresses=192.168.200.230/24 \
                          member_addresses=192.168.200.229/24 qos_profile='' mtu=1500 \
                          description='Default external network interface' \
                          cluster_mac=01:00:5e:52:3d:6f l2_mode=multicast \
                          monitor_allowed_failures=3 monitor_interval=30 monitor_link=1
                      interface add entrytype=interface name=internal_network hwdevice=em1 \
                          enabled=yes v6_enabled=no zone=internal span_enabled=no \
                          addresses=10.0.0.50/24 member_addresses=10.0.0.111/24 qos_profile='' \
                          mtu=1500 description='Default internal network interface' \
                          cluster_mac=01:00:5e:6c:14:49 l2_mode=multicast \
                          monitor_allowed_failures=3 monitor_interval=30 monitor_link=1

                      NODE01:Admn {7} % ifconfig -a
                      em0: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                              ether 00:0c:29:bf:b2:8f
                              inet 192.168.200.230 netmask 0xffffff00 broadcast 192.168.200.255 cluster

                              inet 192.168.200.229 netmask 0xffffff00 broadcast 192.168.200.255

                              maclabel secureos/external

                              media: Ethernet autoselect (1000baseT <full-duplex>)

                              status: active

                      em1: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

                              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>

                              ether 00:0c:29:bf:b2:99

                              inet 10.0.0.50 netmask 0xffffff00 broadcast 10.0.0.255 cluster

                              inet 10.0.0.111 netmask 0xffffff00 broadcast 10.0.0.255

                              maclabel secureos/internal

                              media: Ethernet autoselect (1000baseT <full-duplex>)

                              status: active

                      em2: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

                              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>

                              ether 00:0c:29:bf:b2:a3

                              inet 10.2.0.50 netmask 0xffffff00 broadcast 10.2.0.255 cluster

                              inet 10.2.0.101 netmask 0xffffff00 broadcast 10.2.0.255

                              maclabel secureos/MGMT

                              media: Ethernet autoselect (1000baseT <full-duplex>)

                              status: active

                      em3: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

                              options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>

                              ether 00:0c:29:bf:b2:ad

                              inet 10.1.0.50 netmask 0xffffff00 broadcast 10.1.0.255 cluster

                              inet 10.1.0.111 netmask 0xffffff00 broadcast 10.1.0.255

                              maclabel secureos/HB

                              media: Ethernet autoselect (1000baseT <full-duplex>)

                              status: active

                      lo0: flags=6008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.0.0.1 netmask 0xff000000

                              inet6 ::1 prefixlen 128

                              nd6 options=1<PERFORMNUD>

                              maclabel secureos/Firewall

                      lo2: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.2.0.1 netmask 0xff000000

                              maclabel secureos/internal

                      lo1: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.1.0.1 netmask 0xff000000

                              maclabel secureos/external

                      lo3: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.3.0.1 netmask 0xff000000

                              maclabel secureos/MGMT

                      lo4: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.4.0.1 netmask 0xff000000

                              maclabel secureos/HB

                      lo5: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

                              options=1<RXCSUM>

                              inet 127.5.0.1 netmask 0xff000000

                              maclabel secureos/VPN

                      • 8. Re: SSH connection refused to NODE01 in cluster config
                        sliedl

                        The audit says it's listening on 10.0.0.50 now on port 22.  Strange.


                        What is the subnet-mask on your PC?  Not that it should really matter since it seems to be hitting the firewall.
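A quick way to check the point sliedl is making (is sshd on the node actually listening on the cluster IP of the interface the client arrives on?): this is an added Python example, not code from the thread or from McAfee, that parses `ifconfig -a` output and the sshd "Server listening on" audit lines and reports cluster addresses with no port-22 listener. The sample input is constructed from the output pasted above, with the MGMT cluster IP listening but not the internal one.

```python
import re

# Constructed sample modelled on the ifconfig -a output pasted in the thread.
IFCONFIG_SAMPLE = """\
em1: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.50 netmask 0xffffff00 broadcast 10.0.0.255 cluster
        inet 10.0.0.111 netmask 0xffffff00 broadcast 10.0.0.255
        maclabel secureos/internal
em2: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.2.0.50 netmask 0xffffff00 broadcast 10.2.0.255 cluster
        inet 10.2.0.101 netmask 0xffffff00 broadcast 10.2.0.255
        maclabel secureos/MGMT
"""

# Constructed sshd audit line in the format shown in the thread.
SSHD_AUDIT_SAMPLE = "<38>Aug 29 18:07:52 sshd[1369]: Server listening on 10.2.0.50 port 22.\n"

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\b")
LISTEN_RE = re.compile(r"sshd\[\d+\]: Server listening on (\d+\.\d+\.\d+\.\d+) port (\d+)")


def parse_cluster_addresses(ifconfig_text):
    """Map interface name -> list of its addresses marked 'cluster' (the shared VIPs)."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        # ifconfig appends the word 'cluster' to the shared address, not to the member one
        if m and current and line.split()[-1] == "cluster":
            result[current].append(m.group(1))
    return result


def parse_ssh_listeners(audit_text, port=22):
    """Set of IPs sshd reported it is listening on for the given port."""
    return {m.group(1) for m in LISTEN_RE.finditer(audit_text) if int(m.group(2)) == port}


def cluster_ips_without_ssh(ifconfig_text, audit_text):
    """Return {interface: [cluster IPs]} for cluster addresses that have no sshd listener."""
    listeners = parse_ssh_listeners(audit_text)
    missing = {}
    for iface, addrs in parse_cluster_addresses(ifconfig_text).items():
        gaps = [a for a in addrs if a not in listeners]
        if gaps:
            missing[iface] = gaps
    return missing
```

Run it against the real `ifconfig -a` output and the `f_ssh_server` audit lines from the node that refuses connections; an interface listed in the result is one whose cluster IP will produce exactly the "service that the current policy does not support" netprobe seen earlier in the thread.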

                        • 9. Re: SSH connection refused to NODE01 in cluster config
                          krzysztof.anzorge

                          Right. Now NODE01 is listening on 10.0.0.50 (port 22).

                          Maybe because some minutes ago you asked me to run the command:

                          NODE01:Admn {2} % cf daemond restart agent=ssh_server

                          Maybe after this command the SSH daemon started OK.

                          Now I try to reboot NODE01 and will see...

                          KA
