SSH to edge router port of LAN IP from overlay doesn't work

Article ID: 370247

Products

VMware VeloCloud SD-WAN

Issue/Introduction

SSH to the LAN IP of an Edge routed port fails when attempted from the overlay or from another site.

Environment

VMware VeloCloud SD-WAN Edge version 5.0.1.5.

The issue is fixed in 5.2.0.0 and later.

Cause

This is a known issue tracked under ID 105933.

More details can be found in the Release Notes.

Resolution

Fixed Issue 105933: A user cannot SSH to VMware SD-WAN Edge models 610/610-LTE or 520/540 via a routed interface.

There is no drop rule for duplicate SSH packets which originate via an af-pkt driver used by the affected Edge's OS. Because of this the Edge kernel receives 2 SSH packets: one via the vce1 interface, and another direct SSH packet because of the nature of the driver. This causes the Edge kernel to reply for 2 SSH requests, confusing the SSH client and results in the SSH failure.

For an Edge without a fix for this issue, the user can add an IP table rule to drop the SSH packets received from interfaces other than vce1.

https://docs.vmware.com/en/VMware-SASE/5.2.0/rn/vmware-sase-520-release-notes/index.html
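
The workaround described in the release note, written out as an added example (not taken from the VMware documentation). It assumes standard `iptables` syntax, the `INPUT` chain, and sshd on TCP port 22; the function names are hypothetical. It only prints the command unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: drop SSH packets that reach the Edge kernel on any
# interface other than vce1, so the kernel answers each request once.
# Assumptions (not from the article): INPUT chain, TCP port 22.

SSH_PORT="${SSH_PORT:-22}"        # assumption: default sshd port
OVERLAY_IF="${OVERLAY_IF:-vce1}"  # interface named in the release note

# Print the rule specification. "! -i IF" matches every ingress
# interface except IF (this includes loopback).
ssh_dup_rule() {
    printf '%s\n' "! -i $OVERLAY_IF -p tcp --dport $SSH_PORT -j DROP"
}

# Insert the rule at the top of INPUT, once. Dry-run unless APPLY=1.
apply_ssh_dup_rule() {
    spec=$(ssh_dup_rule)
    if [ "${APPLY:-0}" != "1" ]; then
        echo "dry-run: iptables -I INPUT 1 $spec"
        return 0
    fi
    # -C exits 0 when an identical rule is already in the chain.
    # $spec is intentionally unquoted so it splits into arguments.
    if iptables -C INPUT $spec 2>/dev/null; then
        echo "rule already present"
    else
        iptables -I INPUT 1 $spec && echo "rule inserted"
    fi
}

# Show the command; run from a console session with APPLY=1 so a
# mistake cannot cut off the SSH session used to apply it.
apply_ssh_dup_rule
```

A rule inserted this way lives only in the running ruleset, so confirm it with `iptables -L INPUT -v -n` and expect to reapply it until the Edge is upgraded to a fixed release.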

This issue caused our SSH failure; it has been fixed in software version 5.2.0.

We verified in the lab that SSH works on version 5.2.0 and later.

Additional Information

Please note the comments in the release notes:

https://docs.vmware.com/en/VMware-SASE/5.2.3/rn/vmware-sase-523-release-notes/index.html


https://docs.vmware.com/en/VMware-SASE/5.2.2/rn/vmware-sase-522-release-notes/index.html