Administrative Access (https, ssh) from remote Subnet not possible (Cisco SF500-24), ping works

Dear Cisco Support Community,

I've recently implemented a Cisco SF500-24 switch at a customer's site. Now there is a simple but disturbing problem: I can't manage the switch via https / ssh when coming from a remote subnet (separated by a firewall). Only when connecting my client directly to the switch is management possible.

These are the troubleshooting steps I've done:

-Ping to the switch from the remote subnet (Result: OK)

-Check firewall log for https/ssh (Result: https / ssh traffic allowed through firewall, data was sent through policy, but no data (answer) received)

-Check firewall log for ICMP (Result: ICMP traffic allowed through firewall, data was sent through policy, also data (answer) was received through policy)

-> 1st conclusion: Routing is fine

-> 2nd conclusion: Firewall policies are fine

-> 3rd conclusion: Https / ssh request arrives at switch, but switch does not respond

Next troubleshooting steps:

-Adding a new access profile on the switch with the following parameters:

-Access Profile Name: All

-Rule Priority: 1

-Management Method: All

-Action: Permit

-Applies to Interface: All

-Applies to Source IP Address: All

-Changing the active access profile to the following: "All"

-> Result: No changes!

Next troubleshooting step:

Firmware upgrade from 1.2.0.97 to 1.3.7.18, then to 1.4.0.88 (latest)

-> Result: No changes!

Next troubleshooting step:

-Activating source NAT on the firewall policies (-> the switch receives requests with the source IP address of the firewall's destination interface, which is on the same subnet as the switch)

-> Result: No changes!

I'm pretty new to the Cisco small business products. Any ideas / troubleshooting suggestions? Is there a way to see unanswered https requests in the log?

Any help is highly appreciated!

Regards,

Dominik
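As an added example (not part of the original thread or of any Cisco tooling), here is a small Python probe that reproduces the comparison the post describes, ICMP versus TCP to the https/ssh management ports from a chosen host, and classifies the outcome. It assumes a Linux or macOS host with a `ping` binary; the switch address 192.0.2.10 and the ports 22/443 are placeholders to replace with the real management IP and services. The optional `source` argument binds the probe to a local address, so the same test can be repeated from the switch's own subnet and from the remote subnet, which is what the firewall log cannot tell apart from "timeout".

```python
import shutil
import socket
import subprocess

# Placeholder management target (RFC 5737 documentation address); replace
# with the switch's management IP. Ports 22/443 are the ssh/https services
# the original post is trying to reach.
SWITCH_IP = "192.0.2.10"
MGMT_PORTS = (22, 443)


def tcp_probe(host, port, timeout=3.0, source=None):
    """Attempt a TCP connect to host:port and classify the outcome.

    Returns:
      "open"     handshake completed, so the service answered
      "refused"  the host sent a RST: reachable, but nothing listens there
      "timeout"  neither SYN/ACK nor RST within `timeout`: the SYN or the
                 reply is being dropped somewhere (management ACL / access
                 profile, firewall, or a reply leaving via another path)
      "error:N"  any other socket error (errno N), e.g. no route to host

    `source` optionally binds the local side to a specific address so the
    probe leaves through a chosen interface; this is how to repeat the test
    from the subnet the switch is in versus from the remote subnet.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source is not None:
            s.bind((source, 0))
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error:%s" % e.errno
    finally:
        s.close()


def icmp_probe(host, timeout=3.0):
    """Send one ICMP echo request using the system `ping` binary.

    Returns "reply", "no-reply", "timeout", or "unavailable" when there is
    no ping binary. Raw ICMP sockets need root, so shelling out is the
    portable unprivileged option.
    """
    if shutil.which("ping") is None:
        return "unavailable"
    try:
        r = subprocess.run(["ping", "-c", "1", host],
                           capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "reply" if r.returncode == 0 else "no-reply"


def diagnose(icmp, tcp):
    """Turn probe results into the conclusion the firewall log alone can't give.

    `tcp` maps port -> result string from tcp_probe().
    """
    timeouts = sorted(p for p, v in tcp.items() if v == "timeout")
    refused = sorted(p for p, v in tcp.items() if v == "refused")
    if tcp and all(v == "open" for v in tcp.values()):
        return "management reachable"
    if icmp == "reply" and timeouts:
        # The pattern from the original post: the L3 path works for ICMP,
        # but TCP to the management services never gets an answer.
        return ("ICMP answered but TCP %s timed out: the switch (or something "
                "in front of it) drops the management traffic, or its replies "
                "take a different path; routing and firewall policy are not "
                "the first suspects" % ",".join(map(str, timeouts)))
    if refused:
        return "host reachable, no service listening on %s" % ",".join(map(str, refused))
    if icmp != "reply" and timeouts:
        return "no ICMP and no TCP answer: check routing and firewall first"
    return "inconclusive: %r" % tcp


def run(host=SWITCH_IP, ports=MGMT_PORTS, source=None):
    """Probe ICMP and each management port; return (icmp, tcp, verdict)."""
    icmp = icmp_probe(host)
    tcp = {p: tcp_probe(host, p, source=source) for p in ports}
    return icmp, tcp, diagnose(icmp, tcp)


if __name__ == "__main__":
    icmp, tcp, verdict = run()
    print("icmp:", icmp)
    for port, result in tcp.items():
        print("tcp/%d: %s" % (port, result))
    print("verdict:", verdict)
```

Run it once from the remote subnet and once with `source=` set to an address on the switch's subnet: a "refused" means the service is reachable but not enabled, a "timeout" only from the remote side points at something that filters or misroutes management traffic rather than at the firewall policy.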

2 Replies

Dan Miley
Level 3


Verify that the subnet mask and default gateway set on the switch are pointing to the firewall.

Are there any deny or NAT error messages in your firewall?

You may also need to set the switch's Administrative Default Gateway (L2) or a default route (L3) if you are attempting to SSH or telnet from a subnet/VLAN other than the one the switch's IP is in.

L2: Administration >> Management Interface >> IPv4 Interface >> set Admin Default Gateway to user-defined and fill in

L3: Set a default route (0.0.0.0 0.0.0.0) under IP Configuration >> IPv4 Management and Interface >> IPv4 Routes

CLI to set default routes

L2:

switchafe7a4(config)#ip default-gateway <gw ip address>

L3:

switchafe7a4(config)#ip route 0.0.0.0 0.0.0.0 <gw ip address>

Hope this helps, please flag helpful posts.

Dan


Hello Dan,

First, thanks for your quick response.

To your questions:

-The switch is operating in layer 3 mode; the default route is set and pointing to the IP address of the firewall as the gateway address.

-There are no deny messages in the firewall log (while violating traffic is being logged); as it is a stateful inspection firewall, answers are allowed by the policy which allowed the initial https request from the remote subnet to the switch subnet.

-There are no NAT error messages in the firewall log.

-The status for the allowed https / ssh requests is "timeout", which indicates that the switch does not respond.

-Please note that ping from the remote subnet to the switch subnet is successful.

Regards,

Dominik