Problem report
Resolution: Unresolved
Priority: Critical
Sprint: S25-W26/27
We are trying to create an SSH check, and our zabbix_proxy is configured to use a SourceIP, which should route all SNMP, SSH, and Telnet traffic through that specific interface, as mentioned in the Zabbix documentation. However, during the execution of the SSH test, a tcpdump on the proxy shows that the connection is not going through the correct interface (which explains why it is blocked — this behavior is expected). On the other hand, when the check is configured as Telnet, the connection correctly uses the specified interface.
Two interfaces: ens192 and ens224. All traffic such as SNMP, SSH, Telnet, etc. must go through ens224 (via the SourceIP setting in zabbix_proxy.conf).
For example, a Telnet test (using a Zabbix item):
tcpdump dst port 23 and dst IP1 -i ens224
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:25.635085 IP 1.1.1.1 > (autocom-dns).telnet: Flags [S], seq 4006409273, win 29200, options [mss 1460,sackOK,TS val 1786667522 ecr 0,nop,wscale 7], length 0
15:44:25.644108 IP 1.1.1.1 > (autocom-dns)telnet: Flags [.], ack 1125437853, win 229, length 0
15:44:25.656424 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 13, win 229, length 0
15:44:25.656445 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 0:1, ack 13, win 229, length 1
15:44:25.665426 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 1:12, ack 13, win 229, length 11
15:44:25.674546 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 12:13, ack 28, win 229, length 1
15:44:25.721982 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 13:27, ack 28, win 229, length 14
15:44:25.731022 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 27:28, ack 159, win 237, length 1
15:44:25.739936 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 28:30, ack 166, win 237, length 2
15:44:25.840140 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 30:34, ack 166, win 237, length 4
15:44:25.849155 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 34:36, ack 166, win 237, length 2
15:44:25.912934 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 176, win 237, length 0
15:44:25.972187 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 36:48, ack 176, win 237, length 12
15:44:26.012011 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 48:50, ack 176, win 237, length 2
15:44:26.032035 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 178, win 237, length 0
15:44:26.072036 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 235, win 237, length 0
15:44:26.162328 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 237, win 237, length 0
15:44:26.262255 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 306, win 237, length 0
15:44:26.271996 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 331, win 237, length 0
15:44:26.282110 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 401, win 237, length 0
15:44:26.292011 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 448, win 237, length 0
15:44:26.542128 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 519, win 237, length 0
15:44:26.552037 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 684, win 245, length 0
15:44:26.632121 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 791, win 245, length 0
15:44:26.642015 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 815, win 245, length 0
15:44:26.752063 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 889, win 245, length 0
15:44:26.852348 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 50:60, ack 889, win 245, length 10
15:44:26.872025 IP 1.1.1.1 > (autocom-dns).telnet: Flags [P.], seq 60:62, ack 899, win 245, length 2
15:44:26.902025 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 3483, win 291, length 0
15:44:26.910979 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 5600, win 337, length 0
15:44:27.011893 IP 1.1.1.1 > (autocom-dns).telnet: Flags [F.], seq 62, ack 5600, win 337, length 0
15:44:27.021097 IP 1.1.1.1 > (autocom-dns).telnet: Flags [.], ack 5601, win 337, length 0
With SSH:
tcpdump dst port 22 and dst IP2 -i ens224
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 bytes
Empty output and timeout on this interface, because it is blocked by the firewall.
Tcpdump on ens192:
tcpdump dst port 22 and dst IP3 -i ens192
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
15:46:10.144407 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, options [mss 1460,sackOK,TS val 845515165 ecr 0,nop,wscale 7], length 0
15:46:11.159956 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, options [mss 1460,sackOK,TS val 845516181 ecr 0,nop,wscale 7], length 0
15:46:13.207959 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, options [mss 1460,sackOK,TS val 845518229 ecr 0,nop,wscale 7], length 0
15:46:17.239964 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, options [mss 1460,sackOK,TS val 845522261 ecr 0,nop,wscale 7], length 0
15:46:25.367961 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, options [mss 1460,sackOK,TS val 845530389 ecr 0,nop,wscale 7], length 0
For information, the proxy:
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 3.3.3.3 netmask 255.255.255.128 broadcast 4.4.4.4
ether 00:50:56:99:17:d9 txqueuelen 1000 (Ethernet)
RX packets 8172208 bytes 1925831990 (1.7 GiB)
RX errors 0 dropped 1582 overruns 0 frame 0
TX packets 6472370 bytes 4448451409 (4.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 4.4.4.4 netmask 255.255.255.192 broadcast 5.5.5.5
ether 00:50:56:99:7c:56 txqueuelen 1000 (Ethernet)
RX packets 86417518 bytes 22504552237 (20.9 GiB)
RX errors 0 dropped 377 overruns 0 frame 0
TX packets 86679185 bytes 11355085001 (10.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 6.6.6.6 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 94095190 bytes 13999544931 (13.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 94095190 bytes 13999544931 (13.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 ens192
7.7.7.7 0.0.0.0 255.255.255.128 U 0 0 0 ens192
The SourceIP from the configuration file: 4.4.4.4
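To confirm from a capture which source address a check actually left with, here is an added Python example (not Zabbix code) that parses tcpdump summary lines like those above and reports packets that did not use the configured SourceIP, repeated SYNs with the same sequence number (the retransmission pattern seen on ens192), and whether the client ever ACKed a handshake. The sample lines are constructed in the style of the two captures; the addresses are placeholders.

```python
"""Audit tcpdump summary lines against a Zabbix proxy's configured SourceIP.
Added example, not Zabbix code. Sample lines below are constructed."""
import re
from collections import Counter

# One-line tcpdump summary. The leading "IP" token and the source port are
# optional because the captures in the report omit them.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\S+)?\s+>\s+"
    r"(?P<dst>\S+?):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
    r"(?:,\s+seq\s+(?P<seq>\d+))?"
)


def parse_line(line):
    """Return ts/src/dst/flags/seq for a packet line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_capture(lines, expected_source):
    """Summarise whether outbound packets left with expected_source.

    syn_retransmits counts pure SYNs repeated with the same src/dst/seq;
    handshake_completed is True once the client sends any ACK, which only
    happens if a SYN-ACK came back on this interface.
    """
    packets = [p for p in map(parse_line, lines) if p]
    sources = Counter(p["src"] for p in packets)
    syn_keys = Counter((p["src"], p["dst"], p["seq"]) for p in packets
                       if "S" in p["flags"] and "." not in p["flags"])
    return {
        "packets": len(packets),
        "sources": dict(sources),
        "wrong_source": sum(n for s, n in sources.items() if s != expected_source),
        "syn_retransmits": sum(n - 1 for n in syn_keys.values()),
        "handshake_completed": any("." in p["flags"] for p in packets),
    }


# Constructed samples: a Telnet check leaving with the SourceIP (4.4.4.4),
# and an SSH check leaving from the default route with 2.2.2.2.
TELNET_ON_ENS224 = [
    "15:44:25.635085 IP 4.4.4.4 > (autocom-dns).telnet: Flags [S], seq 4006409273, win 29200, length 0",
    "15:44:25.644108 IP 4.4.4.4 > (autocom-dns).telnet: Flags [.], ack 1125437853, win 229, length 0",
    "15:44:25.656445 IP 4.4.4.4 > (autocom-dns).telnet: Flags [P.], seq 0:1, ack 13, win 229, length 1",
]
SSH_ON_ENS192 = [
    "15:46:10.144407 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, length 0",
    "15:46:11.159956 IP 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, length 0",
    "15:46:13.207959 2.2.2.2 > (autocom-dns).ssh: Flags [S], seq 1742229737, win 29200, length 0",
]

if __name__ == "__main__":
    print("telnet:", audit_capture(TELNET_ON_ENS224, "4.4.4.4"))
    print("ssh:   ", audit_capture(SSH_ON_ENS192, "4.4.4.4"))
```

Feed it `tcpdump -n -l ...` output for the interface the SourceIP belongs to: a non-zero wrong_source or a growing syn_retransmits with handshake_completed False is the symptom described in this report.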
Part of:
ZBXNEXT-6406 Do not require Host Interface for External / Simple Checks (Closed)
ZBXNEXT-8091 Cannot establish SSH session: kex error rsa sha1 (Closed)