ONTAP Discussions

Issue with SSH to nas Vserver

elic_co
5,671 Views

Hey,

I have a cluster consisting of 4 nodes, two "long existing" FAS9000 and 2 recently added A200.

All nodes are running 9.5P8.

Now I have a NAS vserver providing CIFS & NFS services.

The vserver has 1 mgmt ip with data role and none data-protocols, and 4 data ips (one on each node) with cifs and nfs data-protocols and data firewall policy.

the issue is that the ips that reside on nodes 1&2 are reachable through ssh although ssh is not permitted in the firewall policy.

lifes 3&4 that are newer and reside on the A200 (created after 1&2) are not reachable through ssh and the configuration for all the lifs seem to be identical.

I tried to bring lifs 1&2 down for a few seconds and then up and also change their firewall policy to mgmt and then back to data but it didn't help.

Does anyone have an idea why this might happen and how to resolve this?

Thanks!

1 ACCEPTED SOLUTION

elic_co
5,447 Views

Hey, I was able to figure it out with a little help from a friend as the song says 🙂

It was "system services firewall show"

the firewall was off for nodes 1+2 and on for 3+4

I guess it is because of upgrades from old versions of ontap on nodes 1+2, I also notich these behaviors on other clusters that were upgraded.

I haven't changed it to on yet but i will do it in the next few days and see if it helps

 

thanks a lot for the help

View solution in original post

5 REPLIES 5

Ontapforrum
5,619 Views

Hi,

 

Could you share this output:

::> system services firewall policy show
::> network interface show -fields firewall-policy,lif,address

 

Note:firewall-policy 'mgmt' applies to both node-mgmt & cluster-mgmt.

elic_co
5,519 Views

Thanks for the help.

 

system services firewall policy show:

 

data:

dns         0.0.0.0/0

ndmp    0.0.0.0/0

ndmps  0.0.0.0/0

portmap 0.0.0.0/0

 

mgmt:

dns             0.0.0.0/0

http            0.0.0.0/0

https          0.0.0.0/0

ndmp        0.0.0.0/0

ndmps      0.0.0.0/0

ntp              0.0.0.0/0

portmap   0.0.0.0/0

snmp          0.0.0.0/0

ssh               0.0.0.0/0

 

all under allowed tab

 

net int show -fields firewall-policy,lif,address

 

vserver   lif         address    firewall-policy

-------------------------------------------------------

vs-nas    mgmt     x.x.x.a    mgmt

vs-nas    nas1       x.x.x.b     data

vs-nas    nas2       x.x.x.c     data

vs-nas    nas3       x.x.x.d     data

vs-nas    nas4       x.x.x.e     data

Ontapforrum
5,506 Views

Hi,

 

Thanks for the output.

 

Looking at the output, looks like there are no restriction from the filer side, all clients are allowed to 'ssh' into cluster-mgnt,node-mgmt and data-lif.

 

Could  you verify the following :

 

1) Is Windows firewall policy - outbound tcp 22 is denied from where you are trying to ssh?
If so, then you will straight away see - Network error: Access denied.


2) What is the output of the following in your filer:

 

For example: I am on ONTAP 9.6, if you observe the output below, firewall-policy is 'data' just as in your case, but under services it allows 'management-ssh'. Therefore i am able to ssh to data LIF.

ONTAP96::> network interface show -role data -fields firewall-policy,services
vserver lif services firewall-policy
-------- ------------------ --------------------------------------------------- ---------------
SVM_CIFS SVM_CIFS_cifs_lif1 data-core,data-cifs,management-ssh,management-https data


However, if I remove this 'management-ssh' from service-policy

ONTAP96::> network interface modify -vserver SVM_CIFS -lif SVM_CIFS_cifs_lif1 -service-policy default-data-files


I will get Network error : Access denied.


Could you verify the two points I mentioned.

elic_co
5,448 Views

Hey, I was able to figure it out with a little help from a friend as the song says 🙂

It was "system services firewall show"

the firewall was off for nodes 1+2 and on for 3+4

I guess it is because of upgrades from old versions of ontap on nodes 1+2, I also notich these behaviors on other clusters that were upgraded.

I haven't changed it to on yet but i will do it in the next few days and see if it helps

 

thanks a lot for the help

Ontapforrum
5,440 Views

Great, glad to hear that! thanks for the update.

Public