Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

The Tech Support Tunnel

   When you contact Cisco IronPort customer support for assistance with an issue related to your appliance the support engineer may request that you open a support tunnel.  This is one of many tools that can help the support engineer assist you in diagnosing and possibly correcting a problem with your appliance. The support tunnel is a secure tunnel created using ssh. There are a variety of ports that can be used for this process however port 25 is chosen by default.  Cisco IronPort Customer Support can not establish the support tunnel with out intervention from the appliance. When the Support tunnel is active , you will see the word 'Service' at the command prompt in the CLI interface. When the support tunnel is active you will not be able to see session (screen) that the support engineer is using. While it is possible to access the GUI using some additional techniques the support tunnel initially allows the support engineer access to the CLI and this is the preferred method for initial contact with the appliance.

   This process is the same across all IronPort appliances however we do find in some cases that some customers restrict access to SMA (M series) appliances since they typically do not have any need to connect outside of the customers infrastructure.  If this is the case it may still be possible to open a tech support tunnel on the M series and one of your ESA appliances. The support engineer can typically connect to the ESA first and then simply ssh over to the M series appliance using the support tunnel.

   It's important to note that the tech support tunnel will remain open until it is either closed by the customer or by the support engineer.  Its typically a good idea to close the tunnel when all work has been completed.

   Below is some additional information on how to establish a tech support tunnel, how they work and what ports can be used to establish the support tunnel.

   Techsupport tunnels are secure ssh connections made from an IronPort  appliance to a bastion host at IronPort headquarters. Tunnels allow  Customer Support and Applications Engineers to analyse a running system  and effect repairs.

  1. Establishing a techsupport tunnel from the CLI:
    • To establish a tunnel connect to the command line interface as "admin" and run the "techsupport" command then choose "tunnel".  Follow the dialogue. When enabling a tunnel the user must invent a  temporary password and provide this to their Customer Support Engineer.  This password is not used directly, but as salt to generate a machine  specific password.
  2. Establishing a tunnel from the Admin GUI:
    • Tunnels  may also be established through the web interface.  Go to "System  Administration" on the top menu then "Remote Access" on the left menu.   Ensure that both "Allow remote access to this appliance" and "Initiate  connection via secure tunnel" are ticked before submitting the form.
  3. Any firewall must be configured to allow outbound connections to  If your firewall has SMTP protocol inspection enabled the tunnel will  not establish.  In these situations specify an alternative port.  Choose  the most suitable to you of 22, 53, 80, 443 or 4766. Port 25 is used as  the default destination port.
  4. An initial test of connectivity through your firewall can be made as follows:> telnet 25
    Connected to
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924

How does the SSH Support Tunnel Work?

   The  Support Tunnel works through most firewalls without modification. When  the tunnel connection initiates, the IronPort device makes a SSH  connection from a random high source port to the specified port on,

The ports that are  available on IronPort's secured tunnel server are 22, 25, 53, 80, 443,  & 4766.  Because the connection is made to the hostname, rather than  a hard-coded IP, working DNS is required to establish the tunnel.

   Some  protocol-aware devices will block the connection due to the  protocol/port mismatch and some SMTP-aware devices will interrupt the  connection. In cases where there are protocol-aware devices or outgoing  connections are blocked, a port other than the default of 25 may need to  be used.  Access to the remote end of the tunnel is restricted to the  just the IronPort Customer Support and Applications Engineers. When  somebody is connected to the tunnel the system prompt on the IronPort  device includes "(SERVICE)"

  1. Tunnels will automatically try to re-establish themselves. For  example if there is a network outage or the IronPort appliance is  rebooted.
  2. When the tunnel is no longer required it can be disabled by running "techsupport" and choosing the "disable" option.

Starting the support tunnel from the CLI.> techsupport

Service Access currently disabled.
Serial Number: 0012345655E240-1232121

Choose the operation you want to perform:

- SSHACCESS - Allow an IronPort customer service representative to remotely access your
system, without establishing a tunnel.
- TUNNEL - Allow an IronPort customer service representative to remotely access your
system, and establish a secure tunnel for communication.
- STATUS - Display the current techsupport status.

[]> tunnel

Enter a temporary password for customer support to use. This password will not be able to
be used to directly access your system.
- the password must be between 6 and 128 characters long;
- it cannot be blank or consist only of spaces;
- it must be different from the administrator's password.

[]> supportpassword

Enter the port number for tunnel connection:

[25]> 25

Are you sure you want to enable service access? [N]> y

Service access has been ENABLED. Please provide your temporary password to your Cisco IronPort Customer Support representative.
Waiting for ssh tunnel to connect, Ctrl-C to cancel...

If you have any additional questions about the support tunnels you contact customer support and we will happy to assist you.

Christopher C Smith


Cisco IronPort Customer Support

Version history
Revision #:
1 of 1
Last update:
‎01-29-2011 08:46 PM
Updated by:
Labels (1)