Symptom
Customer has an ACL applied to the VTY lines with the access-class command.
All incoming SSH packets are matched and permitted by the ACL entry carrying the "established" keyword, not just the packets that have the ACK (or RST) bit set. Because the initial SYN of a new connection is permitted by that entry, the more specific source-based SSH entry later in the ACL is never evaluated, so the established keyword appears not to be working.
Conditions
VTY ACL with "permit tcp any any established" configured at the beginning of the ACL, with no specific deny statements ahead of it.
Workaround
Remove the ACL statement that uses the established keyword, so that new SSH connections are evaluated against the source-specific entries.
Further Problem Description
Lab recreate: clients in 172.21.209.0/24, which is outside the 10.154.21.0/22 range permitted for SSH by ACE 210, complete the TCP handshake to the switch, and every inbound packet, including the initial SYN, is counted against ACE 20.
ACL config:
# sh access-lists
IP access list mgmt_access
statistics per-entry
10 remark Established
20 permit tcp any any established [match=28] ==> All matches are counted against this ACE, even for new connections (SYN only, no ACK set).
30 remark ICMP
40 permit icmp any any [match=0]
200 remark SSH Access
210 permit tcp 10.154.21.0/22 any eq 22 [match=0]
Ethanalyzer capture (only the SYN and ACK packets from the clients are inbound to the switch and therefore subject to the VTY ACL):
2014-04-07 21:39:23.120326 172.21.209.30 -> 172.21.208.137 TCP 58692 > ssh [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
2014-04-07 21:39:23.120696 172.21.208.137 -> 172.21.209.30 TCP ssh > 58692 [SYN, ACK] Seq=0 Ack=1 Win=18420 Len=0 MSS=1460
2014-04-07 21:39:23.121319 172.21.209.30 -> 172.21.208.137 TCP 58692 > ssh [ACK] Seq=1 Ack=1 Win=64240 Len=0
2014-04-07 22:04:24.579472 172.21.209.45 -> 172.21.208.137 TCP 59950 > ssh [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
2014-04-07 22:04:24.579841 172.21.208.137 -> 172.21.209.45 TCP ssh > 59950 [SYN, ACK] Seq=0 Ack=1 Win=18420 Len=0 MSS=1460
2014-04-07 22:04:24.580051 172.21.209.45 -> 172.21.208.137 TCP 59950 > ssh [ACK] Seq=1 Ack=1 Win=64240 Len=0