ONTAP Discussions
Hey,
I have a cluster consisting of 4 nodes, two "long existing" FAS9000 and 2 recently added A200.
All nodes are running 9.5P8.
Now I have a NAS vserver providing CIFS & NFS services.
The vserver has 1 mgmt IP with data role and no data-protocols, and 4 data IPs (one on each node) with cifs and nfs data-protocols and the data firewall policy.
The issue is that the IPs that reside on nodes 1&2 are reachable through ssh although ssh is not permitted in the firewall policy.
LIFs 3&4, which are newer and reside on the A200 (created after 1&2), are not reachable through ssh, and the configuration for all the LIFs seems to be identical.
I tried to bring LIFs 1&2 down for a few seconds and then up, and also changed their firewall policy to mgmt and then back to data, but it didn't help.
Does anyone have an idea why this might happen and how to resolve this?
Thanks!
Hi,
Could you share this output:
::> system services firewall policy show
::> network interface show -fields firewall-policy,lif,address
Note: firewall-policy 'mgmt' applies to both node-mgmt & cluster-mgmt.
Thanks for the help.
system services firewall policy show:
data:
    dns      0.0.0.0/0
    ndmp     0.0.0.0/0
    ndmps    0.0.0.0/0
    portmap  0.0.0.0/0
mgmt:
    dns      0.0.0.0/0
    http     0.0.0.0/0
    https    0.0.0.0/0
    ndmp     0.0.0.0/0
    ndmps    0.0.0.0/0
    ntp      0.0.0.0/0
    portmap  0.0.0.0/0
    snmp     0.0.0.0/0
    ssh      0.0.0.0/0
(all under the allowed tab)
net int show -fields firewall-policy,lif,address
vserver  lif   address  firewall-policy
-------  ----  -------  ---------------
vs-nas   mgmt  x.x.x.a  mgmt
vs-nas   nas1  x.x.x.b  data
vs-nas   nas2  x.x.x.c  data
vs-nas   nas3  x.x.x.d  data
vs-nas   nas4  x.x.x.e  data
Hi,
Thanks for the output.
Looking at the output, it looks like there is no restriction from the filer side; all clients are allowed to 'ssh' into cluster-mgmt, node-mgmt and the data LIFs.
Could you verify the following:
1) Is the Windows firewall policy denying outbound TCP 22 from where you are trying to ssh?
If so, then you will straight away see: Network error: Access denied.
2) What is the output of the following on your filer?
For example: I am on ONTAP 9.6. If you observe the output below, the firewall-policy is 'data' just as in your case, but under services it allows 'management-ssh'. Therefore I am able to ssh to the data LIF.
ONTAP96::> network interface show -role data -fields firewall-policy,services
vserver   lif                 services                                             firewall-policy
--------  ------------------  ---------------------------------------------------  ---------------
SVM_CIFS  SVM_CIFS_cifs_lif1  data-core,data-cifs,management-ssh,management-https  data
However, if I remove this 'management-ssh' from the service-policy:
ONTAP96::> network interface modify -vserver SVM_CIFS -lif SVM_CIFS_cifs_lif1 -service-policy default-data-files
I will get Network error: Access denied.
Could you verify the two points I mentioned?
Hey, I was able to figure it out with a little help from a friend as the song says 🙂
It was "system services firewall show".
The firewall was off for nodes 1+2 and on for 3+4.
I guess it is because of upgrades from old versions of ONTAP on nodes 1+2; I also noticed this behavior on other clusters that were upgraded.
I haven't changed it to on yet, but I will do it in the next few days and see if it helps.
Thanks a lot for the help.
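As an added example (not from this thread or from NetApp), a small Python check that automates the cross-reference the solution describes: it parses `system services firewall show` output together with `network interface show -fields firewall-policy,lif,address,curr-node` output and lists every LIF hosted on a node whose firewall is disabled, since the LIF's firewall policy is not enforced there. The sample output, node names and the use of the `curr-node` field are constructed assumptions modelled on the thread.

```python
"""Flag ONTAP LIFs whose firewall policy is unenforced because the hosting node's firewall is off."""

# Constructed sample output mirroring the thread: firewall off on node1/node2, on for node3/node4.
FIREWALL_SHOW = """\
Node             Enabled Logging
---------------- ------- -------
node1            false   false
node2            false   false
node3            true    false
node4            true    false
4 entries were displayed.
"""

# Constructed sample output; curr-node is assumed to map each LIF to its hosting node.
LIF_SHOW = """\
vserver lif  address  curr-node firewall-policy
------- ---- -------- --------- ---------------
vs-nas  mgmt x.x.x.a  node1     mgmt
vs-nas  nas1 x.x.x.b  node1     data
vs-nas  nas2 x.x.x.c  node2     data
vs-nas  nas3 x.x.x.d  node3     data
vs-nas  nas4 x.x.x.e  node4     data
5 entries were displayed.
"""


def parse_table(text):
    """Parse ONTAP CLI tabular output into dicts keyed by header name.

    The first non-empty line is the header; the dashed separator and the
    'N entries were displayed.' trailer are skipped.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if set(cols[0]) == {"-"} or line.endswith("displayed."):
            continue
        rows.append(dict(zip(header, cols)))
    return rows


def unenforced_lifs(firewall_show, lif_show):
    """Return (vserver, lif, node, policy) for LIFs on nodes with the firewall disabled."""
    node_enabled = {r["Node"]: r["Enabled"] == "true" for r in parse_table(firewall_show)}
    return [(l["vserver"], l["lif"], l["curr-node"], l["firewall-policy"])
            for l in parse_table(lif_show)
            if not node_enabled.get(l["curr-node"], False)]


if __name__ == "__main__":
    for vserver, lif, node, policy in unenforced_lifs(FIREWALL_SHOW, LIF_SHOW):
        print(f"{vserver}/{lif} on {node}: policy '{policy}' not enforced (node firewall disabled)")
```

On a real cluster the two inputs would be captured from the cluster shell and fed to the same functions; a node that is missing from the firewall table is treated as disabled so it is not silently skipped.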
Great, glad to hear that! thanks for the update.