Solaris 9 connection problems

From: David Proffitt (david.proffitt@itn.co.uk)
Date: Thu Jan 11 2007 - 08:34:04 EST


Hello

I have a problem with a Netra T1 running Solaris 9 that has recently
been moved to a new remote location and been given a new ip address

Since the move some (but not all) of the hosts that could previously
connect to it can no longer do so (this seems to affect all protocols
but I have been using ssh for testing). I have been trying connections
from 2 identical linux servers on the same subnet (as each other) only
one of which can connect to the server

The server is behind a (Juniper NetScreen) firewall which is not under
my control although I am assured that the subnet that the test clients
are on is allowed through (and I know it works for one of the clients)

There is also a linux server at the new location which none of the
clients have any problems connecting to (and which can connect to the
Netra)

I tried running snoop on the Netra and tcpdump on the affected client
then attempting an ssh connection:

On the client I see only Syn packets leaving for the server

On the server I see the Syn packets arriving and Syn Ack and Ack packets
leaving

The test clients' IP addresses are both in /etc/hosts.allow and the
AllowUsers line in sshd_config isn't tied by address

I'm not seeing any errors in the sshd log

I'm not sure whether the fact that I see Syn Ack packets leaving the
interface means that the connection is making it all the way up the
stack to the OS level and being blocked there or whether I would still
see the beginnings of the TCP handshake in any case or whether the fact
that these packets are getting as far as leaving the interface means I
should suspect the firewall is blocking them on the way back out?

I'm also confused why this is affecting connections from some clients
and not others

Any thoughts appreciated

David

DAVID PROFFITT
SYSTEMS ADMINISTRATOR

200 GRAY'S INN ROAD
LONDON
WC1X 8XZ
UNITED KINGDOM
T +44 (0)20 7430 4705
F
E DAVID.PROFFITT@ITN.CO.UK
WWW.ITN.CO.UK
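
The side-by-side comparison described in the post (tcpdump on the client, snoop on the Netra) can be done mechanically per connection, which also shows which clients are affected. This is an added example, not part of the original post; it assumes both captures are available as tcpdump-style text and that nothing between the hosts rewrites addresses, and all addresses and capture lines are constructed.

```python
import re
from collections import defaultdict

# Matches tcpdump-style text: "IP src.port > dst.port: Flags [S.], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
STAGE = {"S": "SYN", "S.": "SYN-ACK", ".": "ACK"}

def stages(capture, server):
    """Per client (ip, port): handshake stages seen at this vantage point."""
    seen = defaultdict(set)
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        a, b = (src, int(sport)), (dst, int(dport))
        stage = STAGE.get(flags)
        if stage in ("SYN", "ACK") and b == server:
            seen[a].add(stage)
        elif stage == "SYN-ACK" and a == server:
            seen[b].add(stage)
    return seen

def diagnose(client_cap, server_cap, server):
    """Compare both vantage points; assumes no NAT rewrites the addresses."""
    c, s = stages(client_cap, server), stages(server_cap, server)
    out = {}
    for flow in sorted(set(c) | set(s)):
        cs, ss = c.get(flow, set()), s.get(flow, set())
        if "SYN" not in ss:
            out[flow] = "SYN lost on forward path (client -> server)"
        elif "SYN-ACK" not in ss:
            out[flow] = "server host never answered the SYN"
        elif "SYN-ACK" not in cs:
            out[flow] = "SYN-ACK lost on return path (server -> client)"
        elif "ACK" not in ss:
            out[flow] = "final ACK lost on forward path"
        else:
            out[flow] = "handshake completed"
    return out

SERVER = ("192.0.2.10", 22)
# Constructed captures using documentation addresses, not data from the post.
CLIENT_CAP = """\
IP 198.51.100.21.51000 > 192.0.2.10.22: Flags [S], seq 1, length 0
IP 192.0.2.10.22 > 198.51.100.21.51000: Flags [S.], seq 9, ack 2, length 0
IP 198.51.100.21.51000 > 192.0.2.10.22: Flags [.], ack 10, length 0
IP 198.51.100.22.40122 > 192.0.2.10.22: Flags [S], seq 5, length 0
IP 198.51.100.22.40122 > 192.0.2.10.22: Flags [S], seq 5, length 0
"""
# The server-side view also holds the SYN-ACK that never reaches the second client.
SERVER_CAP = CLIENT_CAP + "IP 192.0.2.10.22 > 198.51.100.22.40122: Flags [S.], ack 6\n"
print(diagnose(CLIENT_CAP, SERVER_CAP, SERVER))
```

A SYN-ACK visible in the server-side capture only shows that the server's TCP stack answered; where on the return path it is dropped has to be established with captures or logs at the intermediate hops.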
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:41:27 EDT