SSH listener on VRF interface will not work

Board,

While working with the new VRF build (which is amazing), I found that when configuring an SSH service on a VRF’d interface I am handed an error.

"Job for ssh.service failed because the control process exited with error code. See “systemctl status ssh.service” and “journalctl -xe” for details."

When this config is removed and ssh is enabled on an address or interface that is not configured with a VRF, the error is cleared.

Thanks,

db

Hello, sorry to hear that you are hitting an issue! Could you please share with us how you set up your machine (i.e. the content of “show configuration commands”) so we can try to replicate and understand what is going on, please?

Hi,

Have hit the same error with VRFs - basic concept of having a separated “management plane” VRF with a separate routing table and default route… In my case (not sure it’s the same as what dbenson experienced) steps to reproduce are:

  1. Start with a fresh vyos installation

  2. Add the below config in a configure session:
    set vrf name mgmt description 'Management VRF'
    set vrf name mgmt table '100'
    set interfaces ethernet eth0 address '192.168.1.2/24'
    set interfaces ethernet eth0 description 'Management Interface'
    set interfaces ethernet eth0 vrf 'mgmt'
    set protocols vrf mgmt static route 0.0.0.0/0 next-hop 192.168.1.1
    set service ssh listen-address 192.168.1.2

  3. Tried to commit, errors with:
    [ service ssh ]
    Job for ssh.service failed because the control process exited with error code.
    See "systemctl status ssh.service" and "journalctl -xe" for details.

  4. Took a look at the journal for the ssh unit (journalctl -xe -u ssh.service) to see:
    May 03 21:14:19 vyosvpn02 sshd[9990]: error: Bind to port 22 on 192.168.1.2 failed: Cannot assign requested address.
    May 03 21:14:19 vyosvpn02 sshd[9990]: fatal: Cannot bind any address.
    May 03 21:14:19 vyosvpn02 systemd[1]: ssh.service: Main process exited, code=exited, status=255/EXCEPTION
    -- Subject: Unit process exited
    -- Defined-By: systemd
    -- Support: Debian -- User Support

    -- An ExecStart= process belonging to unit ssh.service has exited.

    -- The process' exit code is 'exited' and its exit status is 255.

Adding the “set vrf bind-to-all” config doesn’t make a difference for the behavior with listen-address specified.

I’ve reverted to NOT specifying a listen address for ssh for now, but have the set vrf bind-to-all, otherwise can’t reach ssh on the management vrf (which is expected I assume?).

The above was tested on:
Version: VyOS 1.3-rolling-202004191932

Regards,
pptak

Looks like this was resolved in VyOS 1.4-rolling-202103230217 (with T2321)

I am able to ssh into the Management VRF interface and have the following config:

set vrf name MGMT description 'MGMT_VRF'
set vrf name MGMT protocols static route 0.0.0.0/0 next-hop X.X.X.X
set vrf name MGMT table '100'
!
set interfaces ethernet eth2 address 'dhcp'
set interfaces ethernet eth2 description 'MGMT'
set interfaces ethernet eth2 vrf 'MGMT'
!
set service ssh vrf 'MGMT'
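
An added example, not part of any post in this thread and not VyOS code: a small Python check over `set` commands that flags the pattern reported above, where sshd is told to listen on an address that lives on a VRF-bound interface. The function name and the rule it applies (such a listen-address needs a matching `service ssh vrf`) are assumptions drawn from the two configurations posted here.

```python
import ipaddress
import shlex

# Forum software often turns ' into curly quotes; undo that before tokenizing.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'"})

def ssh_vrf_mismatches(config):
    """Return (listen_address, interface, vrf) for every ssh listen-address
    that sits on a VRF-bound interface while 'service ssh vrf' does not name
    that VRF (assumed rule, taken from the failure described in the thread)."""
    if_addrs, if_vrf, listen, ssh_vrfs = {}, {}, [], set()
    for line in config.translate(_QUOTES).splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["set", "interfaces"] and len(tok) == 6:
            ifname, key, value = tok[3:]
            if key == "vrf":
                if_vrf[ifname] = value
            elif key == "address":
                try:
                    ip = ipaddress.ip_interface(value).ip
                except ValueError:      # 'dhcp' and similar: address unknown
                    continue
                if_addrs.setdefault(ifname, set()).add(ip)
        elif tok[:3] == ["set", "service", "ssh"] and len(tok) == 5:
            if tok[3] == "listen-address":
                listen.append(ipaddress.ip_address(tok[4]))
            elif tok[3] == "vrf":
                ssh_vrfs.add(tok[4])
    return [
        (str(addr), ifname, if_vrf[ifname])
        for addr in listen
        for ifname, addrs in if_addrs.items()
        if addr in addrs and ifname in if_vrf and if_vrf[ifname] not in ssh_vrfs
    ]

# Constructed inputs: trimmed copies of the two configurations posted above.
FAILING = """\
set vrf name mgmt table '100'
set interfaces ethernet eth0 address '192.168.1.2/24'
set interfaces ethernet eth0 vrf 'mgmt'
set service ssh listen-address 192.168.1.2
"""
WORKING = """\
set vrf name MGMT table '100'
set interfaces ethernet eth2 address 'dhcp'
set interfaces ethernet eth2 vrf 'MGMT'
set service ssh vrf 'MGMT'
"""

if __name__ == "__main__":
    print(ssh_vrf_mismatches(FAILING))
    print(ssh_vrf_mismatches(WORKING))
```

Run against the output of “show configuration commands” before committing; an empty list means no listen-address was found on a VRF interface without a matching ssh VRF setting.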
