Ubuntu 18.04：无法从我的Cisco路由器SSH进入服务器的VLAN接口

Question

我最近在相对较新的Ubuntu 18.04服务器上配置了VLAN接口，该服务器具有两个物理接口：eno1和eno2。我已经使用netplan实用程序配置了它们。

我的目标很简单：能够从网关（一对运行HSRP的Cisco ASR 1006）进行SSH。换句话说，我只是试图在同一局域网内的主机之间进行SSH传输。我已经尽力想解决此问题。这里有一些注意事项：

• SSH从Ubuntu的VLAN接口到网关都可以工作
• SSH从Cisco ASR到服务器物理接口的IP地址工作
• SSH从Cisco ASR到服务器上VLAN接口的IP地址不不起作用
• 从Cisco ASR端捕获的数据包显示SSH请求已发送到服务器，但是服务器未响应，因此TCP重传在ASR放弃之前已经消失了几次。
• 从Ubuntu服务器捕获的数据包显示了相同的内容。尝试通过SSH（ASR 1006）从主机进入TCP端口22，但服务器没有响应，因此下一步将进行TCP重传。
• 我已经重新安装了open-ssh服务器，重新启动，重新启动了服务，明确指定了sshd来监听10.255.255.12，依此类推，等等。
• 普通主机（使用PuTTY的Win 8.1）可以通过SSH进入服务器的VLAN接口。

问题：Cisco ASR无法通过SSH进入服务器的VLAN接口。

VLAN 999和3001分别包含一个私有IP和一个CGN IP：

  

/etc/netplan/50-cloud-init.yaml的内容

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        eno1:
            addresses:
            - <my public IP>/28
            gateway4: <my gateway>
            nameservers:
                addresses:
                - 8.8.8.8
                - 8.8.4.4
        eno2:
            dhcp4: true
        enp10s0f0:
            dhcp4: true
        enp10s0f1:
            dhcp4: true
    version: 2

    vlans:
        vlan.3001:
            id: 3001
            link: eno2
            addresses: [10.255.255.12/29]
        vlan.999:
            id: 999
            link: eno2
            addresses: [100.78.32.240/24]

  

/ etc / ssh / sshd_config的内容

#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
ListenAddress <my public ip>
ListenAddress 10.255.255.12
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp  /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
PasswordAuthentication yes

sshd服务显然正在侦听专用IP接口，但仍然不会响应来自包装盒本身的任何内容的ssh请求：

~$ sudo netstat -tulpn | grep :22
tcp        0      0 <my public IP>:22       0.0.0.0:*               LISTEN      3956/sshd           
tcp        0      0 10.255.255.12:22        0.0.0.0:*               LISTEN      3956/sshd    

请注意，这来自服务器本身：

$ ssh 10.255.255.12
<my username>@10.255.255.12's password:

请注意，这来自Cisco ASR（-l标志只是要使用的用户名）：

ASR1006#ssh -l user <my public IP>
Password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-72-generic x86_64)

user@ubuntu-server:~$ exit
logout


[Connection to <my public IP> closed by foreign host]
ASR1006#ssh -l user 100.78.32.240
% Connection timed out; remote host not responding


ASR1006#ssh -l user 10.255.255.12
% Connection timed out; remote host not responding

您可以看到在通过SSH连接到与服务器的物理接口eno1相关的公共IP地址时已建立连接。

故障排除的最后一部分涉及到连接普通主机-使用PuTTY的Windows 8.1，并将其放在10.255.255.8/29子网中。 Windows主机可以通过SSH进入服务器的vlan.3001界面。

这是一个独特的问题，我对任何人都能提供帮助都不感到乐观。因为问题可能出在思科方面，所以我可以与思科一起开TAC案，但我想从这里开始。