SSH Tunnel with vSZ

  • Question
  • Updated 4 months ago
I’m running the latest version of vSZ-H (3.6) in the lab with a couple of R500 access points, which are connected via an (IPv6) router. There is no firewall. Both access points are running firmware version 3.6.1.0.354.

One of the access points can no longer establish an SSH tunnel with the vSZ, while the other can. Wireshark shows the (first) access point sending a TLS client hello to the vSZ, the vSZ replying with a TLS server hello, certificate, certificate request, and server hello done and then nothing until the access point sends a TCP reset and the process starts again.

However, when I connect the access point to the same subnet as the vSZ, the problem disappears.

Does anyone know what the problem is?
Andrew Hamilton

Posted 4 months ago
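The capture described in the post is a TLS 1.2 handshake with client authentication: after the server's flight (ServerHello, Certificate, CertificateRequest, ServerHelloDone) the client is required to answer with its own Certificate and ClientKeyExchange, and here it never does. The following script is an added example, not code from the thread or from Ruckus: it walks the TLS records in a sequence of TCP segments, lists the handshake messages in wire order, reports what the client still owed when the RST arrived, and totals the size of the server's flight. The endpoint labels "ap" and "vsz" and every byte of traffic are constructed for illustration. The flight size is reported because the stall happens right after the server's largest burst and goes away on a bridged link; that is the pattern a practitioner would compare against the path MTU of the routed connection, although the thread itself does not establish the cause.

```python
"""Check a TLS 1.2 handshake capture for a stall after ServerHelloDone.
All traffic below is constructed for illustration, not taken from the thread."""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 22            # TLS record content type for handshake messages
HS_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate",
    12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
    15: "CertificateVerify", 16: "ClientKeyExchange",
}
# What a client that received CertificateRequest must send next (TLS 1.2, RFC 5246 section 7.3).
CLIENT_REPLY_AFTER_CERT_REQUEST = {11, 16}   # Certificate, ClientKeyExchange


@dataclass
class Segment:
    """One TCP segment as a capture tool shows it: sender, flag of interest, payload."""
    src: str                  # "ap" or "vsz" (hypothetical labels for the two endpoints)
    flags: str = "PSH"        # "PSH" for data, "RST" for a reset
    payload: bytes = b""


def tls_handshake_record(hs_type: int, body: bytes) -> bytes:
    """Build one TLS record (version 3.3 = TLS 1.2) wrapping one handshake message."""
    hs_msg = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs_msg)) + hs_msg


def handshake_types(payload: bytes) -> list:
    """Walk the TLS records in a TCP payload and return the handshake message types found."""
    types, off = [], 0
    while off + 5 <= len(payload):
        ctype, _version, rlen = struct.unpack("!BHH", payload[off:off + 5])
        frag = payload[off + 5: off + 5 + rlen]
        if len(frag) < rlen:          # record truncated in this segment; would need reassembly
            break
        off += 5 + rlen
        if ctype != TLS_HANDSHAKE:
            continue
        p = 0
        while p + 4 <= len(frag):     # several handshake messages may share one record
            hs_type = frag[p]
            hs_len = int.from_bytes(frag[p + 1:p + 4], "big")
            types.append(hs_type)
            p += 4 + hs_len
    return types


def analyse(segments: list) -> dict:
    """Replay the segments in order and describe how far the handshake got."""
    seen = []                 # (sender, handshake type) in wire order
    server_flight_bytes = 0   # payload bytes the server sent before any reset
    reset_by = None
    for seg in segments:
        if seg.flags == "RST":
            reset_by = seg.src
            break
        if seg.src == "vsz":
            server_flight_bytes += len(seg.payload)
        seen.extend((seg.src, t) for t in handshake_types(seg.payload))

    server_requested_cert = ("vsz", 13) in seen
    server_done = ("vsz", 14) in seen
    client_replied = any(src == "ap" and t in CLIENT_REPLY_AFTER_CERT_REQUEST for src, t in seen)
    return {
        "sequence": [f"{src}:{HS_NAMES.get(t, t)}" for src, t in seen],
        "server_flight_bytes": server_flight_bytes,
        "stalled_after_server_hello_done": server_done and not client_replied and reset_by is not None,
        "reset_by": reset_by,
        "client_owed": sorted(HS_NAMES[t] for t in CLIENT_REPLY_AFTER_CERT_REQUEST)
                       if server_requested_cert and not client_replied else [],
    }


# Constructed capture shaped like the failing AP: server flight arrives, AP goes silent, then RST.
FAILING_CAPTURE = [
    Segment("ap", payload=tls_handshake_record(1, b"\x03\x03" + bytes(32) + b"\x00" * 6)),
    Segment("vsz", payload=tls_handshake_record(2, b"\x03\x03" + bytes(32) + b"\x00" * 4)
                     + tls_handshake_record(11, b"\x00" * 2800)   # certificate chain, filler bytes
                     + tls_handshake_record(13, b"\x01\x40\x00\x00")
                     + tls_handshake_record(14, b"")),
    Segment("ap", flags="RST"),
]
# Same exchange on a working AP: it answers with Certificate, ClientKeyExchange, CertificateVerify.
WORKING_CAPTURE = FAILING_CAPTURE[:2] + [
    Segment("ap", payload=tls_handshake_record(11, b"\x00" * 900)
                   + tls_handshake_record(16, b"\x00" * 66)
                   + tls_handshake_record(15, b"\x00" * 70)),
]

if __name__ == "__main__":
    for name, capture in (("failing", FAILING_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name, analyse(capture))
```

To use this on a real trace, export the TCP payloads of the tunnel connection from Wireshark in order and build the `Segment` list from them; the `len(frag) < rlen` branch is where a Certificate record split across several segments would show up, so a stall with a truncated record is the first thing to look at.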
Vivek Gupta, Employee
Hi Andrew,

In the non-working scenario, do you see the AP in the Staging zone? Initially the AP sends an HTTPS request to the controller, and once you approve the AP in the Staging zone, the SSH tunnel gets created. As the client hello and server hello are exchanged, I am assuming that the AP is present in the Staging zone. Please let me know if this is the case.

Regards,
Vivek
Andrew Hamilton
Vivek,
I've followed up on your comment and found that the origin of the problem is that the R500 access point tries to establish an SSH tunnel to the vSZ after booting. However, if the vSZ is down, after about 5 minutes it reverts to trying to establish an HTTPS connection. Once this has happened, it won't try to establish an SSH connection to the vSZ any more, even if it is rebooted (i.e. it becomes stuck on HTTPS).
Unfortunately, the HTTPS connection fails (as described in my previous post) over an (IPv6) routed connection. You have to fall back to a bridged connection to get it working again.
It would seem that this could, in effect, brick all your (remote) access points.
Andrew
Andrew Hamilton
Vivek,

Thanks for responding.

No, both access points are in a zone separate from the staging zone.

Of course, they both started in the staging zone. Once I approved them, I moved them into the other zone.

Andrew
Jeronimo
Try typing "no-cert-check" on the SSH CLI of the vSZ.
Andrew Hamilton
Jeronimo,

That command is not available on the vSZ-H CLI.

Andrew