SSH through a CSM

I have a CSM that appears to be working fine from the outside. Load balancing is working fine, but when I try to make an SSH or FTP connection to the servers, I can't get to them. I can HTTP to them. I think I am missing something pretty simple here, but any help would be great.

HI,
How do you try to access them (directly or via vserver?)
Which mode do you use (secure or bridged)?
Regards,
Jörg

Similar Messages

  • Solaris 10 ssh through a firewall

    I have Solaris 10 up and running on an HP Vectra. Everything is fine until I attempt to ssh through my firewall from the outside world.
    I can ssh from my linux systems on the lan. But when I attempt to ssh from outside using either putty or ssh on another solaris 10 system the connection times out.
    Anyone else experience a similar problem? Many thanks in advance.
    John Wright
    Asst Professor
    CIT
    Bellevue University

    It's hard to tell what's going on without some more information. Here are a few things you can try:
    Run "ssh localhost" from the Solaris box and make sure that works.
    ssh to the Solaris box from another box on the same network segment.
    From the site that doesn't work, do "ssh -v solaris_box" and see if that gives you any clues.
    After trying to ssh from outside, do a "netstat -an | grep -i '*.22'" and see the state of the TCP connection
    (or if the first packet never even makes it).
    Run sshd on the Solaris box with the "-d" debug option.

  • SSH through http proxy

    Hi,
    Currently I have to pass all traffic through a http proxy that only lets ports 25, 80 and 443 through.
    I'd like to ssh to a machine in our office outside of the above network, and using PuTTY on Windows I can set the proxy details with username and password and it works fine, as I have set my listening machine to use port 443.
    How can I achieve the same access through the proxy with ssh on Mac? I have tested that ssh with port 443 works when not using the proxy so it seems the proxy is the issue.

    You could use Corkscrew
    <http://wiki.kartbuilding.net/index.php/Corkscrew-_ssh_overhttps>
    You might also look into Hamachi (VPN)
    <http://www.macupdate.com/app/mac/36286/logmein-hamachi>
    Message was edited by: BobHarris

  • SSH through script

    Hi experts,
    I am using AIX with 10g database.
    I need to write a script (SSH) to copy my database alert_log file (last 15 lines) into a new file, say abc.txt, and again need to copy this abc.txt to my Data Guard side. The Data Guard side has the same OS with the same database.
    example:
    On $ prompt if I execute the command:
    cat alert | ssh blrorn1 "cat >> /d05_proddbx/oraprod/abc.txt"
    oraprod@blrorn1's password:
    It ask for password,
    Any idea how to set this password in the script so that it lets me copy without asking for a password?
    Thanks in advance!

    user9141007,
    You need to do two things.
    First, use the right tool for the job. Use either Secure Copy (scp) or RSYNC to copy the alert log. For example:
    scp /path/to/my/alert.log oracle@blrorn1:/d05_proddbx/oraprod/abc.txt
    or
    rsync -ave ssh /path/to/my/alert.log oracle@blrorn1:/d05_proddbx/oraprod/abc.txt
    Either command will copy your alert.log file to the /d05_proddbx/oraprod directory as the oracle user on the blrorn1 server and name it abc.txt. Generally, if I have one file to move I use scp. If I've got more I use rsync.
    Second, as several others have said you need to create an SSH certificate. Doing so is pretty simple, just type on the source server ...
    ssh-keygen -t rsa
    and since you are going to be using this in a script just hit the <Enter> key when it wants to assign a password to the certificate. If you have a recent SSH distribution, you'll have the ssh-copy-id command which automates copying the certificate...
    ssh-copy-id -i $HOME/.ssh/id_rsa.pub oracle@blrorn1
    If you don't have the ssh-copy-id command you'll have to do it manually. Copy the certificate that ssh-keygen created to the destination server. The certificate should be on the source server in the file $HOME/.ssh/id_rsa.pub and needs to be copied into the file $HOME/.ssh/authorized_keys on the destination server (make sure you add it to the existing file and not replace the existing file).
    There are lots of examples on the web of doing this, but that's it in a nutshell.
    Thanks,
    Kevin Ferlazzo
    DBA
    VA Department of Juvenile Justice
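The two pieces Kevin describes, turned into a small POSIX shell script, as an added example that is not code from the thread: staging the last 15 lines of the alert log, and appending the public key to authorized_keys without replacing the file. The log path, the host name blrorn1, the primary's address 10.0.0.5 and the sample key are assumptions. It also adds the restriction a practitioner would want on a passphrase-less key: a `from=` and a forced `command=` so the key can only append to abc.txt, and only from the primary, if it is ever copied off the box.

```shell
#!/bin/sh
# Added example (not from the original thread). Paths, host names, the
# address 10.0.0.5 and the sample key are constructed for illustration.

# Extract the last 15 lines of an alert log into a staging file.
# Usage: stage_alert_tail /path/to/alert_PROD.log /tmp/abc.txt
stage_alert_tail() {
  src=$1; dst=$2
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  tail -n 15 "$src" > "$dst"
}

# Append a public key to authorized_keys without clobbering existing entries.
# The entry is restricted so that a passphrase-less key stolen from the
# primary can only run the one command, from the one host, with no pty or
# forwarding. Idempotent: a key that is already present is not added twice.
# Usage: add_restricted_key ~/.ssh/authorized_keys "ssh-rsa AAAA... oraprod@primary" \
#            10.0.0.5 'cat >> /d05_proddbx/oraprod/abc.txt'
add_restricted_key() {
  akfile=$1; pubkey=$2; from_host=$3; forced_cmd=$4
  keydir=$(dirname "$akfile")
  [ -d "$keydir" ] || { mkdir -p "$keydir" && chmod 700 "$keydir"; }
  [ -f "$akfile" ] || { : > "$akfile"; chmod 600 "$akfile"; }
  # Compare on the key material (second field) so options and comment
  # differences do not cause duplicates.
  keymat=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  if grep -qF -- "$keymat" "$akfile"; then
    echo "key already authorized" >&2
    return 0
  fi
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$from_host" "$forced_cmd" "$pubkey" >> "$akfile"
}

# Ship the staged file to the standby. With the restricted key in place on
# blrorn1 this prompts for nothing (BatchMode fails instead of asking), and
# the forced command ignores whatever the client asks to run: stdin is
# always appended to abc.txt.
# Usage: ship_to_standby /tmp/abc.txt oraprod@blrorn1
ship_to_standby() {
  staged=$1; target=$2
  ssh -o BatchMode=yes -i "$HOME/.ssh/id_rsa" "$target" < "$staged"
}
```

The forced command means `ship_to_standby` does not need to pass a remote command at all; whatever is on the client side, the server runs only `cat >> /d05_proddbx/oraprod/abc.txt`.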

  • Adding a new FWSM context through CSM

    Hi,
    I have a Multi-Context FWSM ver 4.0 and a CSM ver 3.3.1 to manage it.
    I need to know if there is any known issue when creating a new context through the CSM UI.
    By the way, the devices (FWSM and CSM) user accounts are managed by an ACS ver 4.2
    Best regards,
    Akram

    Hi Akram.
    Here is the user guide section on how to add contexts on the latest CSM 4.0.1:
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0.1/user/guide/pxcontexts.html
    For known open bugs list affecting this version, you can check the release notes:
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0.1/release/notes/csmrn401.html#wp835872
    From that list, I see CSCtd60804 affects 4.0.1. This can be a problem if you are deploying to an active/active setup.
    Regards,
    Fadi.
    Does this answer your question? if yes, please mark it as resolved.

  • FTP service through CSM: Quit command not working

    Greetings all
    I've been testing FTP service through our CSM for about a day now and have run into an issue I can't find an answer for.
    Here are the settings I'm currently using for the vserver and serverfarm. The 10.90.1.0 network is routed from my client network by a firewall using NAT.
    serverfarm APPFARM
      nat server
      no nat client
      predictor leastconns
      real 10.91.1.155
        inservice
      probe ICMPCHECK
    vserver APPFTP
      virtual 10.90.1.40 tcp ftp service ftp
      serverfarm APPFARM
      persistent rebalance
      inservice
    Connecting to the FTP works just fine using both passive and active FTP, and I can log in and transfer files. However, when I send the "quit" command to the FTP server, as I do when connecting to the server directly, the session freezes and the "goodbye" message never appears.
    My guess is that there is some premature termination of the connection before a final disconnect is sent to my FTP client. Anyone have an idea how this can be solved?
    Regards
    Fredrik Hofgren

    Fredrik,
    first time I see this.
    Could you capture a sniffer trace of csm portchannel showing what happens before, during and after the Quit.
    Also, there is a way to achieve FTP load balancing without the need to use 'service ftp'. You'll get much better performance if you do not use this function.
    All you need is to configure a loopback on your servers using the VIP address so they can advertise the right IP in the control channel for the client to open the data channel.
    You then need a generic vserver to catch all possible ports, and by using stickiness you can guarantee that the control channel and the data channel are both sent to the same server.
    Gilles.

  • Unable to ssh Opensuse 12.3 VM after restart

    After successful provisioning of an OpenSuse 12.3 instance, I was able to ssh through putty. However, after restarting the VM through the management portal, I am unable to ssh to my server through putty. "Network Connection Timed out" error. Only
    peculiar thing that I have noticed is that the hostname is blank in VM->Dashboard.
    I am using the "SSH  Details" value to ssh and not the Virtual IP address.

    Hi,
    Thanks for your reply.
    If the host name of the VM is lost, in general, it is impossible to connect to the VM.
    If the issue persists after restart and you have no important data on the temporary drive (D:) of the VM, maybe you can delete the VM and keep the attached disks, then recreate a new VM using that disk. (Please note that after recreating the VM, the data on the D: of the previous VM would be lost.)
    In addition, if the above solution is not helpful, I recommend you contact Azure support by submitting a support ticket to better analyze this issue, and you won't be charged if this issue is caused by Azure.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Load Balancing FTP Server thru CSM using a single Client IP

    Hello,
    We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
    Traffic flow goes something like this, tcp port followed after colon as an example
    1. FTP Client ----> VIP:21
    2. CSM ---------> FTP Server:21
    3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
    4. FTP Client ---------> VIP:1700
    5. CSM ---------> FTP Server:1700
    6. FTP Server:1700 ---------> FTP Client
    repeat steps 4 thru 6
    Here's our hardware and software:
    WS-X6066-SLB-APC running 4.2(2)
    Config is as follows
    module ContentSwitchingModule 9
      ft group 101 vlan 9
        priority 10
      vlan 216 client
        ip address 10.209.16.31 255.255.252.0
        gateway 10.209.16.1
      vlan 20 server
        ip address 10.209.0.31 255.255.252.0
        alias 10.209.0.11 255.255.252.0
      probe ICMP1 icmp
        interval 3
        failed 3
        receive 3
      serverfarm FHEPRT
        no nat server
        no nat client
        real 10.209.0.72
          inservice
        real 10.209.0.73
          inservice
        real 10.209.0.71
          inservice
        probe ICMP1
      sticky 106 netmask 255.255.255.255 address source timeout 3
      policy FHEPRT_POL1
        sticky-group 106
        serverfarm FHEPRT
      vserver FHEPRT1
        virtual 10.209.16.71 any
        vlan 216
        unidirectional
        serverfarm FHEPRT
        replicate csrp connection
        no persistent rebalance
        slb-policy FHEPRT_POL1
        inservice

    You are missing "service ftp" config in the Vip definition. Try the following
    vserver FHEPRT1
    virtual 10.209.16.71 tcp ftp service ftp
    Syed Iftekhar Ahmed

  • CSM - service ftp not working in dispatch mode

    I'm trying to convert my CSM load-balancing environment from directed to dispatch mode. I've had success with normal telnet traffic but run into problems with FTP.
    My real servers are layer-2 adjacent to the switch.
    My config looks like this:
    ip slb vlan 19 client
      ip address 176.11.16.11 255.255.240.0
    ip slb vlan 9 server
      ip address 176.11.48.11 255.255.240.0
    serverfarm FTP
      no nat server
      no nat client
      real 176.11.48.104
      real 176.11.48.110
    vserver FTP
      virtual 176.11.16.12 tcp ftp service ftp
      no unidirectional
      serverfarm FTP
    I've put a sniffer on the server side vlan and I can see this pattern:
    1) Client SYN pkt goes through CSM, gets
    routed to server.
    2) Server responds with SYN/ACK, but this packet goes directly back to the client (not through the CSM, because I'm not NATing)
    3) Client responds with the final ACK, which goes to the CSM, but the CSM eats the packet. When I turn on debug module csm 11 ftp, I see that each time the final ACK is received by the CSM, it outputs these lines:
    May 4 20:48:06.758 UTC: CSM11: called slowpath_ftp_rx
    May 4 20:48:06.758 UTC: CSM11: no session for ftp rx
    the CSM conn display shows:
    prot vlan source destination state
    In TCP 19 176.11.16.103:1131 176.11.16.12:21 ESTAB
    Why doesn't the ACK get processed and sent to the correct server by the CSM?
    One additional note: I also tried this same scenario but without specifying 'service ftp' on the virtual server definition. In that case, the control connection comes up fine but any attempt to bring up a data connection fails (times out). But then again, that's the whole point of 'service ftp', right?

    the problem is your point #2.
    If you do service ftp, the CSM expects to terminate the connection from the client and open a new one with the server.
    This is how the csm can listen to all the info passed between client and server.
    Moreover, the csm will need to see the server response to identify which port the server will be listening on for data connection.
    So, definitely not a good idea to do direct server return with this type of config.
    You should remove the 'service ftp' command and have another vserver to catch all data traffic. You could use a vserver with no TCP port, or port 20 if your servers are configured to only use port 20.
    You can then use sticky-srcip to make sure the control channel and data channel are sent to the same server.
    Gilles.
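Both of Gilles's replies above (this thread and the "Quit command not working" one) rest on the same point: once 'service ftp' is gone, the CSM no longer rewrites the control channel, so the server itself must advertise the VIP in its 227 reply or the client will open the data channel to an address the load balancer never sees. The following is an added example, not code from the thread, that parses a passive-mode reply and flags a leaked real-server address. The reply lines and the VIP 10.90.1.40 are constructed; the real address 10.91.1.155 is the one from the APPFARM config earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original thread). Sample replies and the
# VIP/real addresses are constructed for illustration.

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "ip port".
# The port is p1*256 + p2, as RFC 959 defines it. Prints nothing if the
# line is not a parsable 227 reply.
pasv_endpoint() {
  printf '%s\n' "$1" |
    sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
    awk '{ printf "%s %d\n", $1, $2 * 256 + $3 }'
}

# Compare the advertised data-channel address against the VIP the client
# connected to. Returns:
#   0  the server advertised the VIP (loopback configured as Gilles describes)
#   1  the server leaked its real address: the data channel would bypass the
#      CSM (or be dropped by the firewall in front of it)
#   2  the reply is not a 227 at all
check_pasv_reply() {
  reply=$1; vip=$2
  ep=$(pasv_endpoint "$reply")
  [ -n "$ep" ] || return 2
  ip=${ep% *}
  [ "$ip" = "$vip" ] && return 0
  return 1
}

# Typical use: feed the 227 line captured from the client side of the CSM,
# e.g.  check_pasv_reply "$(grep '^227' session.log)" 10.90.1.40
```

Run this against a sniffer trace of each real server in turn: a return code of 1 for any of them means that server's loopback/advertised address is wrong, and stickiness alone will not save the data channel.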

  • CSM Bridged mode config issue

    I currently have a CSM that is load balancing two web servers.  Everything working great.  I have two new web servers that are being used for a different system so I basically copied the old config, changed the names of the vservers, serverfarms and policies and expected the same result as the first.
    What is happening is that when I ping the VIP, it gets redirected to one of the reals but then the real responds back instead of the VIP.
    Not sure why that is happening.

    Sean,
    When you said "Typically, the rservers would use the same gateway you have configured on the client VLAN.  The important thing to make sure of, is that you must make sure that the ONLY for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN."
    Now I assume you meant to say "Typically, the rservers would use the same gateway you have configured on the client VLAN.  The important thing to make sure of, is that you must make sure that the ONLY way for these rservers to reach their gateway is through the CSM that is bridging the servers' VLAN to that client VLAN.
    Well, I have a working bridging configuration for a different system and I have found that the real servers in my server vlan do have the client vlan IP address... But the server vlan is in fact a layer 2 vlan, it does not have it's own gateway so it has no other way out other than through the CSM and to the client vlan gateway, just as you said.
    What I have found is that the server vlan for my new set up actually has its own gateway.  Because of other servers in this vlan I cannot do away with it.  So, I looked at an earlier post where you stated "If adding source-NAT resolves the issue, then you know that asymmetric routing was your problem.  One solution would be to leave the source-NAT config in permanently.  The other would be to set the default gateway of your new servers to the CSM interface, and another would be to use policy-based routing."
    The two solutions I am interested in are the client NAT and setting the default gateway of the new servers to the CSM interface.  Exactly what interface are you referring to?  Are you referring to the IP address that bridges the client and server vlan together?
    Regarding your client nat example, you mentioned that the client nat address is owned by the CSM, but in your example config I did not see that IP address at all so I am a little confused as to how the csm owns this IP.
    I really appreciate your responses!

  • Portal Landscape - With 2 CSM (load balance) related question

    Hi,
      We are currently having a portal landscape (Dev, QA -2 app servers, PRD - 4 app servers). The load balancing happens on Production Portal using CSM (load balancer) and it does SSL offloading for security encryption and it lands onto one of the application servers. When we try to login to portal it authenticates using the LDAP (OID). And we have some links which takes to backend R/3, BW etc (we use SAP load balance using SMLG logon group)
    Now due to another special project the following is what we are planning:
    1. Adding a couple more application servers for the production portal, or having a separate second portal landscape itself
    2. Adding couple of more application servers for R/3 production server (load balance can be done with special logon group for that)
    Questions are:
    1. When we land on the current production portal page and click an iview link for the special project, it should go only to those special portal app servers (planning to do this through another CSM) and from there to the backend R/3. In this scenario how does the authentication (or SSO ticket) happen when it goes from one CSM to another CSM? Will it ask for login again, or will any issue happen with the SSO ticket?
    2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
    3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
    Or if anyone thinks of any other issue apart from SSO or encryption related things which i need to be aware of, kindly let me know.
    Thanks,
    Murali.

    I am not sure what CSM is, but I would expect it only does ssl offloading and a sort of "reverse proxy" against the cluster.
    > 1. When we land into current production portal page and click a iview link for the special project it should go only to those special portal app servers (planning to do through another CSM) and from their to backend R/3. In this scenario how the authentication (or sso ticket) happens when it goes from CSM to another CSM, will it ask for login again or any issue will happen with SSO ticket ?
    This depends on the host name you use for the two CSM clusters. If they have the same subdomain, there should be no problem as the SAP Logon Ticket (MYSAPSSO2) cookie is issued to the sub domain of the portal.
    If they do not have the same subdomain, the second CSM cluster will receive the request without the MYSAPSSO2 cookie, and will therefore trigger reauthentication.
    > 2. If we decide to go for second portal landscape and in the same scenario when login to current prod portal page and click a iview link for the special project it should go to that another production portal,in that case what will happen to the login authentication happened through the first portal and SSO ticket ?
    It will fail, as the MYSAPSSO2 cookie from the first portal is not recognized in the second. However, you can easily setup so that the second portal trusts the first and does a logon based on its credentials
    > 3. Suppose if we go to the second production portal directly through a website and if the user tries to login using the same id to first portal how portal will deal in terms of security (SSO) and also how backend R/3 will behave when same id comes as part of SSO.
    I assume both portal will be setup against the same LDAP/UME source. Therefore it will allow the logon. The backend systems should trust both the first and second portal (STRUSTSSO2 transaction)
    I think your architecture choice comes down to if the new project has special considerations with regards to versioning of portal. If it does, it would be sensible to separate it into a separate portal (and you can always integrate them with the first portal through portal federation if you have a relatively new version).
    Regards
    Dagfinn

  • SSH basics - help needed

    I'm new to networking, so bear with me. Here is what I am trying to do:
    I would like to get to websites that are blocked by a corporate firewall (websense). (I take full responsibility for what I am doing and am not putting myself at risk - don't worry).
    It seems like I could use SSH to connect to my home internet connection thus bypassing the firewall.
    Is that true? If so, what do I need to do?
    Here's my equipment: 2 MacBook Pros, one functioning as a desktop at home, one portable. AirPort Extreme N router (not gigabit). Comcast home cable internet.
    I just downloaded a program called SSHTunnel that sounds like it should help, but I don't know where to start.

    The easy route.
    Use TeamViewer <http://teamviewer.com>. Leave TeamViewer running on your home Mac. It will display a "Wait for session ID". Copy that session ID number, and take it with you to work.
    On your work system, run another copy of TeamViewer (there are both PC and Mac versions).
    Configure the work TeamViewer with your corporate Proxy settings
    TeamViewer -> Preferences -> General -> Proxy Settings...
    Now on your work TeamViewer enter the Wait for session ID you got from your home system, and enter that in your work system's Create session ID field. Then click Connect to Partner button.
    This is the easiest way I know about.
    The HARD WAY: You can do this via ssh, but there are a lot more detailed steps.
    1st question. Does your company allow "Out-Bound" ssh connections? If it does, that helps a lot. If they DO NOT, then you would need to mess with an OpenSource program called "Corkscrew" that will get ssh through a proxy server.
    Once you get through the firewall, then you will need to get a dynamic DNS name for your home system. No-IP.com and DynDNS.org offer free dynamic DNS names. You use this so you do not need to worry about your ISP changing your home IP address.
    Now you need to configure your home router so it Forwards Port 22 from the internet side to your destination Mac.
    On your destination Mac, you need to enable System Preferences -> Sharing -> Remote Login, and while you are at it, you should enable screen sharing preference.
    Now on your work system, you ssh to your home system. The form of the command depends on whether you need to use corkscrew or not.
    Without corkscrew:
    ssh -L 5901:localhost:5900 [email protected]
    With corkscrew:
    ssh -L 5900:localhost:5900 -o 'ProxyCommand /path/to/corkscrew proxy.server.address 8080 %h %p' [email protected]
    Now you have an ssh tunnel which you can run screen sharing across. Using a VNC client. On a Mac you can use:
    Finder -> Go -> Connect to server
    vnc://localhost:5900
    If using a 3rd party VNC client, you still specify localhost and port 5900 as these what the ssh tunnel established as the path to the remote Mac's VNC server.
    Now you should be able to use your home Mac and its browser to surf anywhere you like.
    If you wish to increase your complication, you could use ssh to create a SOCKS proxy. You would add the following to your ssh command:
    -D 12345
    Then you configure your browser to use the SOCKS proxy server via port 12345.
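The "hard way" above is easier to live with when the options sit in ~/.ssh/config rather than on the command line. The shell function below writes that stanza and is an added example, not part of BobHarris's answer: the dynamic DNS name home.example.net, the account name "me", the corkscrew path /usr/local/bin/corkscrew, the proxy proxy.example.com:8080 and the choice of port 443 for the proxied case are all assumptions. The one line the answer does not mention but a practitioner wants is `StrictHostKeyChecking yes`: when every byte goes through a corporate proxy, the home host key is the only thing that tells you the box answering is really yours.

```shell
#!/bin/sh
# Added example (not from the original thread). Host names, user name,
# proxy address and the corkscrew path are placeholders.

# Write an ssh_config stanza for "ssh home": VNC forwarded on 5900, a SOCKS
# proxy on 12345, and, when outbound ssh is blocked, a corkscrew ProxyCommand.
# Usage: write_home_ssh_config ~/.ssh/config yes|no
write_home_ssh_config() {
  cfg=$1; use_proxy=$2
  {
    echo 'Host home'
    echo '    HostName home.example.net'
    echo '    User me'
    # Forward the home Mac's VNC port and expose a SOCKS proxy for the browser.
    echo '    LocalForward 5900 localhost:5900'
    echo '    DynamicForward 12345'
    # Pin the home host key. A proxy that terminates the CONNECT session can
    # put its own ssh server in the path; an unknown or changed key must fail.
    echo '    StrictHostKeyChecking yes'
    if [ "$use_proxy" = yes ]; then
      # Assumption: the proxy only passes CONNECT to 443, so sshd at home
      # listens there (or the home router maps 443 to 22).
      echo '    Port 443'
      echo '    ProxyCommand /usr/local/bin/corkscrew proxy.example.com 8080 %h %p'
    else
      echo '    Port 22'
    fi
  } > "$cfg"
}

# Afterwards: "ssh home", then vnc://localhost:5900 for screen sharing and a
# browser SOCKS proxy pointed at localhost:12345.
```

Seed ~/.ssh/known_hosts with the home key from the LAN side before the first proxied login; with strict checking on, ssh will otherwise refuse to connect rather than ask.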

  • FWSM and CSM (Load Balance) in the same chassi

    Folks,
    Is there any type of best practice (you ** must ** do it like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?
    PS: The CSM is not doing FW loadbalance, it is doing loadbalance to servers located in a DMZ
    PATH:
    (outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM  , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
    My main doubts:
    1) FWSM using multi-context, Is there any integration problem with CSM ?
    2) FWSM and CSS in routed mode, Is there any integration problem with both modules ?
    3) Is it really necessary to operate the FWSM module in bus mode when using CSM in the same chassis (fabric switching-mode force bus)?
    Cisco Says:
    "The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
    Cisco recommends forcing the FWSM to operate in bus mode using the
    fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
    operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
    In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
    Tks !!!

    Luis-
    You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP.  On the CSM VLANs, you will want to create alias IPs to use as the next hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
    Regards,
    Chris

  • Ssh via vpn not working in Snow Leopard

    On a MacBook Pro with Snow Leopard, I want to log into a remote server on my employer's lan via ssh over a vpn connection. The vpn works because I can access a local twiki on that lan with no problem, but I can't run ssh or even ping. This is not a DNS issue because it happens even with explicit numerical IPv4 addresses.
    On an older G4 iBook with Tiger, ssh and ping both work. I can run the two laptops side by side with simultaneous VPN connections; and Tiger will succeed, but Snow Leopard fails. Turning off the firewall on the MacBook Pro makes no difference. Could someone please give me an idea of what is going on?
    I can't get help from my employer's IT staff because we are a Windows operation and would just as soon switch me over to Windows 7. Thanks.
    Clint

    My problem seems to be due to an advanced option in the Snow Leopard VPN preference to "Send all traffic over VPN connection." The domain that I was trying to reach is actually not on my company LAN, but successfully ssh'ing to it seems to require that the request come from a LAN IP address. Without the traffic redirection option, Snow Leopard tries to invoke ssh through my home IP address, which will then time out without making a connection. I think that Tiger automatically redirects traffic to the VPN whenever it is active.
    (Note that when setting a VPN preference, it does not go into effect until after leaving the Network preference pane.)

  • Can't add MARS device to CSM

    I'm trying to add a MARS to a fresh install of CSM 3.2.0 through the CSM client.
    I constantly get the message:
    Connection with CS-MARS failed.
    Incorrect username or password.
    Make sure the CS-MARS username and password are valid.
    I'm sure that the credentials are OK.
    I even created a new user in MARS dedicated to CSM.
    The strange thing is that MARS doesn't have any logs of these login failures.
    Here's a screenshot of the error:
    https://dl.getdropbox.com/u/67172/Invalid_credentials_full.PNG

    Hi
    Please check the following. From the screenshot I understand that you are trying to add the MARS using a Global account.
    1) Make sure that you are able to login to the GC or LC using this account.
    2) If you are trying to add the LC to CSM using the GC account, make sure the user account is replicated to the LC.
    3) If you are trying to add a CS-MARS using a user account which is integrated with AAA, then check Global Controller Considerations with External AAA Servers under
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/authen.html
