OpenSSH from Windows to a different subnet via M470

Hi,
I have set up an M470 with 3 interfaces:
- interface #1: external, connected to the ISP
- interface #2: trusted, with IP 192.168.0.252 on network 192.168.0.0/24
- interface #3: optional, with IP 192.168.12.252 on network 192.168.12.0/24
I can SSH from trusted to a machine (192.168.12.3) on the optional interface using Ubuntu and CentOS, but I always get disconnected when using OpenSSH or PuTTY from Windows 10. The latter always succeeds in logging in, but after a while (~10 secs) it always gets disconnected with error 10060.
However, I can SSH normally to 192.168.12.3 via the external network from the same Windows machine; the Firebox is configured with SNAT from external to optional, so I use the ISP IP address.
Comparing the SSH debug output from Linux and Windows, the difference is IP_TOS 0x10, which is only set by the Linux machine and not by Windows.

  1. Windows SSH is normal within the same subnet
  2. The firewall policy for 192.168.12.0 allows port 22
  3. There is no firewall policy from 192.168.12.0/24 to 192.168.0.0/24
  4. I have tried setting the source IP to 192.168.12.252, but with no effect
  5. No QoS is set on the Firebox

How can I configure the Firebox so that I can SSH locally from the Windows machine?

Thanks.
ardianir

Answers

  • What are you SSHing to?
    Error 10060 indicates a timeout, which suggests that the SSH server is causing this. Perhaps there is a setting on the SSH server to increase the timeout value.

    In PuTTY -> Connections, try selecting "Enable TCP keepalives"

  • Hi Bruce,
    I am SSHing to an Ubuntu machine. If I SSH from the same Windows machine inside the 192.168.12.0 network, it is normal. The problem happens only if I SSH from a different subnet.
  • There is a default timeout for TCP connections, which is 60 mins.
    So I don't know of any reason why this session should be timing out when going through the firewall.

    You can set a custom idle timeout on your SSH policy; maybe it will help.

    And perhaps packet captures can help explain the issue.

  • Hi Bruce,

    I did a tcpdump on the server side; the difference between the Linux client and the Windows client is in TCP window scaling. The Linux client uses scaling 7, and I tried to change Windows, but it has preset values; for example, the normal one is scaling 8. There is no 7 on Windows.

    I changed the TCP scaling on the Firebox to 8, but the problem still exists.

    I tried the timeout etc., but the problem is still there.

    Any other idea?

    Thanks.
    Regards
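As an added illustration (not code from the thread), a small Python script that pulls out of raw SYN headers the fields the poster compared by hand in the tcpdump and SSH debug output, IP TOS, window size, MSS and the window-scale option, and reports where two clients' SYNs differ. The two packets are constructed samples, not captures from the poster's network.

```python
import struct

# Constructed sample SYNs (IPv4 + TCP, no payload), not captures from the poster's
# network: one mimics the Linux client (TOS 0x10, wscale 7), one the Windows client.
def build_syn(tos, wscale, src, dst, window=64240, mss=1460):
    """Assemble a minimal IPv4/TCP SYN carrying MSS, NOP and window-scale options."""
    # MSS (4 bytes) + NOP (1) + window scale (3) is already 32-bit aligned.
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, wscale)
    tcp = struct.pack("!HHIIBBHHH", 54321, 22, 1, 0, (5 + len(opts) // 4) << 4,
                      0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_tcp_options(raw):
    """Walk the TCP option list (kind, length, value) into {kind: value_bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:       # end of option list
            break
        if kind == 1:       # NOP is a single byte with no length field
            i += 1
            continue
        length = raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def summarize_syn(pkt):
    """Extract the header fields worth comparing between two clients' SYNs."""
    assert pkt[9] == 6, "not a TCP segment"
    tcp = pkt[(pkt[0] & 0x0F) * 4:]          # skip IPv4 header (IHL in 32-bit words)
    opts = parse_tcp_options(tcp[20:(tcp[12] >> 4) * 4])
    return {
        "tos": pkt[1],
        "syn": bool(tcp[13] & 0x02),
        "window": struct.unpack("!H", tcp[14:16])[0],
        "mss": struct.unpack("!H", opts[2])[0] if 2 in opts else None,
        "wscale": opts[3][0] if 3 in opts else None,
    }

def diff_syns(a, b):
    """Fields on which two SYNs disagree, e.g. {'tos': (16, 0), 'wscale': (7, 8)}."""
    sa, sb = summarize_syn(a), summarize_syn(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}

LINUX_SYN = build_syn(0x10, 7, "192.168.0.10", "192.168.12.3")
WINDOWS_SYN = build_syn(0x00, 8, "192.168.0.11", "192.168.12.3")
```

Feeding `summarize_syn` the first packet of each captured session gives a side-by-side view of exactly the TOS and window-scale differences discussed above, instead of reading them off tcpdump by eye.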
  • No other thoughts.
    Consider opening a support incident on this.
