After the default SSH and web management ports of a firewall were changed at a site, login failed and the web page became unresponsive.


Network Topology

No particular topology is involved; the device management address is a public network address.

Problem Description

The device is managed through a public network address. For security reasons, the default ports for web and SSH management were modified on-site. After the modification, it was found that the web page opens sluggishly and SSH login times out.

Process Analysis

1. First, log in to the device via the console and troubleshoot the traffic causing the login lag (for example with debug sessions); confirm that packets are being dropped by the firewall.

2. Check the SSH and IP HTTP configurations; no anomalies are found.

3. Service traffic is normal and transit traffic shows no packet loss. Further check whether there is packet loss on the control plane (CP): the drop counter for the Default protocol has increased significantly.

[H3C-probe]dis system  internal  control-plane statistics  slot 2 cpu  1 
Control plane slot 2 cpu 1
  Protocol: Default
    Bandwidth: 1000 (pps)
    Forwarded: 1210012754 (Packets), 171957391752 (Bytes)
    Dropped  : 3691114653 (Packets), 535188841706 (Bytes)

Because the default ports for SSH/HTTP/HTTPS were modified, the corresponding management traffic is classified as a different protocol when it reaches the firewall. Traffic destined to the firewall itself is control plane (CP) traffic, and the device applies a default rate-limiting policy to it, with separate bandwidth allocated to common protocols such as ICMP, SSH and HTTP. After the SSH port was changed, the SSH traffic no longer matched the SSH class and instead fell into the Default protocol bandwidth. Since the management address is exposed on the public network, a large volume of unrelated packets may also be hitting it, so the Default class is rate-limited on the CPU control plane (CP) and legitimate management packets are dropped along with the noise.
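To spot this condition before users complain, the control-plane statistics output shown above can be parsed and the per-protocol drop share checked. The following is an added example, not from the original case or from H3C; the sample output is constructed from the counters on this page plus a hypothetical ICMP block for contrast.

```python
import re
from typing import Dict

# Constructed sample modelled on the "display system internal control-plane
# statistics" output above; the Default counters are the ones recorded in the
# case, the ICMP block is a hypothetical healthy class added for contrast.
SAMPLE_OUTPUT = """\
Control plane slot 2 cpu 1
  Protocol: ICMP
    Bandwidth: 500 (pps)
    Forwarded: 120034 (Packets), 9602720 (Bytes)
    Dropped  : 17 (Packets), 1360 (Bytes)
  Protocol: Default
    Bandwidth: 1000 (pps)
    Forwarded: 1210012754 (Packets), 171957391752 (Bytes)
    Dropped  : 3691114653 (Packets), 535188841706 (Bytes)
"""

_PROTO_RE = re.compile(r"^\s*Protocol:\s*(\S+)")
_COUNTER_RE = re.compile(r"^\s*(Bandwidth|Forwarded|Dropped)\s*:\s*(\d+)")
_KEYS = {"Bandwidth": "bandwidth_pps",
         "Forwarded": "forwarded_pkts",
         "Dropped": "dropped_pkts"}


def parse_cp_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {protocol: {bandwidth_pps, forwarded_pkts, dropped_pkts}}."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _PROTO_RE.match(line)
        if m:                       # a new "Protocol: X" block starts
            current = m.group(1)
            stats[current] = {}
            continue
        m = _COUNTER_RE.match(line)
        if m and current is not None:
            stats[current][_KEYS[m.group(1)]] = int(m.group(2))
    return stats


def drop_ratio(entry: Dict[str, int]) -> float:
    """Share of packets in this class that CoPP dropped."""
    total = entry["forwarded_pkts"] + entry["dropped_pkts"]
    return entry["dropped_pkts"] / total if total else 0.0


def find_rate_limited(stats: Dict[str, Dict[str, int]],
                      threshold: float = 0.05) -> Dict[str, float]:
    """Protocols whose drop share exceeds threshold. A high Default share
    right after a management-port change is the symptom in this case."""
    return {p: round(drop_ratio(e), 4) for p, e in stats.items()
            if drop_ratio(e) > threshold}
```

Running `find_rate_limited(parse_cp_stats(SAMPLE_OUTPUT))` flags only the Default class, with roughly 75% of its packets dropped.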

Solution

Managing the device over the public network is not recommended.

If public network access is necessary, configure a loopback interface and set up a NAT server on the public-network interface that maps a non-well-known port of that interface to port 22 of the loopback interface. The SSH server port stays at the default 22, so the traffic is still classified as SSH and is not subject to CoPP (control-plane policing) rate limiting in the Default class.

Additionally, map port 22 of the public-network interface to an unreachable address and port, so that port 22 itself remains inaccessible from the public network side.
