johnnyt Posted February 26, 2022

Trying to SSH into my Polisy at 192.168.200.249 but keep getting "Connection closed by 192.168.200.249":

ssh admin@192.168.200.249
The authenticity of host '192.168.200.249 (192.168.200.249)' can't be established.
RSA key fingerprint is SHA256:7zYnlSpxx6z0t884lR5vNYfelxewzWwu8N1X6v+wsZA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.249' (RSA) to the list of known hosts.
Connection closed by 192.168.200.249 port 22

ssh admin@192.168.200.249
Connection closed by 192.168.200.249 port 22

ssh admin@192.168.200.249
Connection closed by 192.168.200.249 port 22

I will say that my ISY and Polisy are on their own VLAN, but I have a rule that allows the PC I'm using to have full access to that VLAN, and I am not having any problems accessing either via browser, although I did have to manually add ISY to ISY Finder. As well, based on the initial message, it does look like SSH is getting to the Polisy. It's just that once there it's getting the door shut in its face... Any help would be appreciated.
Geddy Posted February 26, 2022

@johnnyt Not 100% sure of VLAN, but is there some sort of firewall blocking the port 22 connection? Are you on Windows using built-in SSH? Have you tried PuTTY? Any different results?
johnnyt (Author) Posted February 26, 2022

2 hours ago, Geddy said: @johnnyt Not 100% sure of VLAN, but is there some sort of firewall blocking the port 22 connection? Are you on Windows using built-in SSH? Have you tried PuTTY? Any different results?

Windows firewall is off for the private network and the router/fw is configured to allow all traffic from my main subnet to that VLAN. I did try PuTTY (before the command line, actually) and, similar to the command line, it connects but then rejects the connection after I enter the user ID. See screenshot.
Geddy Posted February 27, 2022

@johnnyt Very strange. I haven't had much experience with SSH and zero experience with VLANs, so I can't help beyond the PuTTY option. I think you should open a ticket with UDI Support and see if they can troubleshoot something specific to your setup. Otherwise, is there any way to get a computer on the same subnet/VLAN to try cutting possible traffic steps out of the equation?

Submit a Ticket: https://www.universal-devices.com/my-tickets
Email: support@universal-devices.com

Be sure to post the steps you go through if/when they get you up and running, to possibly help others that might come across this issue in the future!
johnnyt (Author) Posted February 27, 2022

I was able to connect and do stuff by plugging a laptop into the same switch/VLAN subnet, so it appears my fw rule isn't working as expected. I don't understand, because SSH is explicitly allowed, plus I have a rule to allow "Any" traffic from LAN to the VLAN - AND I can get to the Polisy, e.g. ping and https work and I do get a login prompt when I ssh. Anyway, it's looking like it's probably not a Polisy issue.

Interestingly, on a side note, I also can't get Polisy to come up in ISY Finder, even when I try to add it from the same subnet... but that's for another thread (and maybe a UDI support ticket)...
Geddy Posted February 27, 2022

@johnnyt Glad you were able to access it when on the same subnet. Sure seems like something is blocking SSH traffic between your VLANs.

1 hour ago, johnnyt said: I also can't get Polisy to come up in ISY Finder, even when I try to add it from the same subnet... but that's for another thread (and maybe a UDI support ticket)..

Interesting. Make sure you check out the troubleshooting steps in the Polisy User Guide in the Wiki. If you're still able to access the Polisy via SSH, run the following command and report the result:

sudo uname -a

Just checking that you've got a recent update.
MrBill Posted February 28, 2022

18 hours ago, johnnyt said: I don't understand, because SSH is explicitly allowed, plus I have a rule to allow "Any" traffic from LAN to the VLAN - AND I can get to the Polisy,

It sounds like you need a rule for traffic in the opposite direction as well.
johnnyt (Author) Posted March 1, 2022

9 hours ago, MrBill said: It sounds like you need a rule for traffic in the opposite direction as well.

So the way to do this securely - which is why I'm using VLANs - is for the more secure devices on my LAN to be able to make a call out to my separate VLAN for IOT devices - better known as the Internet of Insecure Things - but not allowing my 8-year-old, no-longer-being-updated smart TV and other IOT devices with notoriously weak security, like cameras, from reaching (and perhaps infecting) PCs on my main LAN. Usually a call out, such as HTTP, FTP, SSH, etc., provides a return channel to the caller. This is why you don't need (or want) to have WAN firewall rules that allow traffic in the "opposite direction", i.e. being initiated FROM the internet. From a firewall rule perspective I treat my IOIT VLAN like I do the WAN.
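As an added illustration of the stateful-filtering point made in the post above (example code, not from the thread or from any UDI product), a small Python model of that rule set: the LAN may open connections into the IoT VLAN, the replies ride back on the tracked flow, and anything the IoT side initiates toward the LAN is dropped. The subnets, hosts and packets are constructed for the example.

```python
# Added example (not from the thread): a minimal stateful packet filter
# modelling the rules described above. LAN (VLAN 1) may initiate flows
# into the IoT VLAN (VLAN 200); replies are allowed because the flow is
# tracked; nothing initiated from the IoT VLAN reaches the LAN.
# Subnets, hosts and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # trusted VLAN 1 (constructed)
IOT = ip_network("192.168.200.0/24")    # IoT VLAN 200, treated like the WAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening packet

class StatefulFirewall:
    """Allow LAN->IoT new flows; allow IoT->LAN only as replies to tracked flows."""
    def __init__(self):
        self.flows = set()  # tracked (client, cport, server, sport) 4-tuples

    def _initiated_from_lan(self, p):
        return ip_address(p.src) in LAN and ip_address(p.dst) in IOT

    def decide(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows or reverse in self.flows:
            return "ALLOW"               # traffic or reply on a tracked flow
        if p.syn and self._initiated_from_lan(p):
            self.flows.add(key)          # LAN opened it: track and permit
            return "ALLOW"
        return "DROP"                    # anything else, incl. IoT-initiated

def run(packets):
    """Evaluate packets in order through one firewall; return the verdicts."""
    fw = StatefulFirewall()
    return [fw.decide(p) for p in packets]

# Constructed packets: a LAN PC opening SSH to the Polisy, the Polisy's
# reply on that flow, then an IoT-side device trying to reach the PC.
SAMPLE = [
    Packet("192.168.1.10", 51000, "192.168.200.249", 22, syn=True),
    Packet("192.168.200.249", 22, "192.168.1.10", 51000, syn=False),
    Packet("192.168.200.50", 44444, "192.168.1.10", 445, syn=True),
]
```

Feeding the Polisy's reply in without the preceding LAN-initiated packet shows the failure mode a stateless ruleset hits: with no tracked flow, the reply is dropped.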
johnnyt (Author) Posted March 1, 2022 (edited)

On 2/27/2022 at 5:59 PM, Geddy said: @johnnyt Glad you were able to access it when on the same subnet. Sure seems like something is blocking SSH traffic between your VLANs. Interesting. Make sure you check out the troubleshooting steps in the Polisy User Guide in the Wiki. If you're still able to access the Polisy via SSH, run the following command and report the result: sudo uname -a Just checking that you've got a recent update.

Yes, I went through the guide and tried adding all the following to the ISY Launcher (from the same subnet/VLAN) with no luck:

http://192.168.200.249:8080/desc
http://192.168.200.249/desc
http://192.168.200.249
https://192.168.200.249:8443/desc
https://192.168.200.249/desc
https://192.168.200.249

uname -a shows my Polisy is running FreeBSD 11.3. Before I SSH'ed into it, I did "check for polisy updates" and it reported having 88 updates, so I did "update polisy". Is that all I need to do, or is there stuff that can only be updated using SSH/command line?

Edited March 1, 2022 by johnnyt
Geddy Posted March 2, 2022

@johnnyt That version is quite old and should be updated. You might need to open a support ticket to get you updated completely. I'm not sure if the SSH commands that have been mentioned recently would work for v11 or are designed specifically for v12, but the FreeBSD should be at 13 now. (I currently have 13.0-Release-p6.) The Wiki has the commands to try. See if you run them if you get up to the latest release.

https://wiki.universal-devices.com/index.php?title=Polisy:User_Guide#Polisy_OS_Versions_Below_13
johnnyt (Author) Posted March 2, 2022 (edited)

Yes, I noticed that. Will do a manual update. I tried pushing the reset button on the front of my Polisy, but I guess I bought one too early because that did nothing. Sigh.

I'm still trying to get SSH to work from my PC so I can do the update from the comfort of my big chair instead of hacking my laptop into the switch with ISY/Polisy on it. I did a packet capture on SSH port 22 and can see that traffic is being forwarded from my PC to the Polisy and a response is coming back (nothing is "dropped"), but I still get 'connection refused' from the Polisy. I think I need to log a support ticket, unless someone detects something from the screenshot and packet capture attached.

packet-c.pcap

Edited March 2, 2022 by johnnyt
MrBill Posted March 3, 2022 (edited)

15 hours ago, johnnyt said: I tried pushing the reset button on the front of my Polisy, but I guess I bought one too early because that did nothing. Sigh.

Once you're up to date, that will work in the future... the functionality is one of the manual updates.

15 hours ago, johnnyt said: I think I need to log a support ticket, unless someone detects something from the screenshot and packet capture attached.

I would highly recommend that... support will get you fixed and upgraded fast. UDI's support is amazing, and unmatched anywhere. They answer tickets fast and get you back on track quickly.

Edited March 3, 2022 by MrBill
johnnyt (Author) Posted March 5, 2022

So I made a typo in reporting my version of FreeBSD. I was at 13.0 RELEASE p3. I mixed things up with my FreeNAS version, which is 11.3. Oops.

So by connecting on the same switch (same VLAN 200) as my Polisy I did the upgrade and am now at 13-p6, and I can see my Polisy and log in to IoP from ISY Launcher.

Also, when I SSH from my main LAN (aka VLAN 1), I get the message in the attached screenshot before the connection is closed. So I think this is what was closing the connection, but without saying so. Anyway, I've opened a support ticket with UDI, so I am getting the great service they provide and expect to get to the bottom of this soon.