一、问题描述
USG6600 版本信息:V500R005C00SPC200
PC使用SSH登陆防火墙,显示登陆超时,登陆界面无反应。
二、处理过程
2.1 查看防火墙的配置,没有发现有什么异常,Pc地址为:10.x.z.72
//已经开启stelent服务
[HUAWEI]display tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
1f82da78 104/1 0.0.0.0:21 0.0.0.0:0 -1 Listening
d595f70c 183/4 0.0.0.0:22 0.0.0.0:0 -1 Listening
eb6088b4 85 /1 0.0.0.0:8443 0.0.0.0:0 -1 Listening
//protocol inbound已经开启SSH
user-interface con 0
authentication-mode aaa
user-interface aux 0
user-interface vty 0 4
acl 2500 inbound
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
//ACL 2500已经添加登陆PC的IP地址
[HUAWEI]acl 2500
rule 5 permit source 10.x.y.0 0.0.0.255 (344 times matched)
rule 10 permit source 10.x.x.0 0.0.15.255 (2404 times matched)
rule 15 permit source 10.x.z.72 0 (0 times matched)
rule 1000 deny (0 times matched)
//ssh server acl 2500
//aaa视图下的用户也已经配置了service-type ssh
//接口配置信息如下:
interface Eth-Trunk1.2
vlan-type dot1q 3111
ip address 10.x.x.156 255.255.255.248
vrrp vrid 2 virtual-ip 10.x.x.158 active
service-manage ping permit
service-manage ssh permit
2.2 查看防火墙会话信息,发现登陆PC给防火墙发了SYN报文,但是防火墙没有回应。
ssh VPN: public --> public ID: b681f97df070d0c0f8d059a85288082
Zone: net_manage --> local Slot: 8 CPU: 2 TTL: 00:00:05 Left: 00:00:01
Recv Interface: Eth-Trunk1.2
Interface: InLoopBack0 NextHop: 127.0.0.1
<--packets: 0 bytes: 0 --> packets: 1 bytes: 40
10.x.z.72:33449 --> 10.x.x.158:22 PolicyName: ---
TCP State: connecting
Debugging没有打印任何信息。
debugging ssh server all all
t m
Info: Current terminal monitor is on.
t d
Info: Current terminal debugging is on.
2.3 无意中发现ACL 2500绑定了vpn-instance,将vpn-instance去掉后就可以登陆正常。
display acl 2500
Basic ACL 2500, 4 rules,binding with vpn-instance bmc ( Reference counter 0 )
Security acl for user login vulnerability
Acl's step is 5
rule 5 permit source 10.x.y.0 0.0.0.255 (344 times matched)
rule 10 permit source 10.x.x.0 0.0.15.255 (2404 times matched)
rule 15 permit source 10.x.z.72 0 (0 times matched)
rule 1000 deny (0 times matched)
三、根因
由于防火墙Eth-Trunk1.2接口没有绑定vpn-instance,所以这个接口是在根墙下的,如果ACL 2500绑定了vpn-instance,系统在user-interface vty 0 4下的ACL 2500里是查不到的,所以系统继续在其它user-interface vty里进行查找,但是由于现网没有配置其它的user-interface vty,所以导致登陆不上。
四、解决方案
方案1:将ACL 2500去掉绑定vpn-instance。
方案2:增加一个未绑定vpn-instance的ACL,例如ACL 2600,将登陆PC IP地址添加进去。然后在user-interface vty 5 8里进行引用,例如:
acl 2600
rule 5 permit source 10.x.z.72 0
rule 1000 deny
user-interface vty 0 4
acl 2500 inbound
authentication-mode aaa
protocol inbound ssh
user-interface vty 5 8
acl 2600 inbound
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20