Destination net unreachable

Mart · May 18, 2023, 4:22pm

I tried on Windows 11 and on macOS Ventura with client 1.4.0. I’m able to authenticate fine on both and FerrumGate client is green but I can’t ping or resolve any dns.

I get Destination net unreachable when I ping 172.28.28.1 or 172.28.28.2

I tried the example of Google DNS but it doesn’t seem to work.

I also tried unchecking Certificate check because I saw that it couldn’t verify the first certificate in the FerrumGate client log

[error] unable to verify the first certificate

After removing the checkmark I don’t see this error but now I see an error 400 after device posture is
[error] Request failed with status code 400

Am I missing something?

I even tried adding a Device Posture that check for the minimum client version but that doesn’t seem to remove the error 400

HKilic · May 18, 2023, 5:22pm

please remove Device posture check first.
remove client certificate verify

then add
authentication policy for network connection

for dns resolving or other service access
add authorization rule

lets check if works?

HKilic · May 18, 2023, 5:30pm

if error occurs, on server you can follow error codes.

docker ps | grep rest | cut -d’ ’ -f1 | xargs docker logs -f

Mart · May 18, 2023, 6:19pm

I just tried deploying a brand new server at a different location (I was testing with Debian 11 on an AWS EC2 instance) and I get same result. Now I tested on an Hyper-V server. Other than port 80, 443 and 9999 do I need to open any other port remotely?

The icon of Ferrumgate client is always green but no network is showing up in the status. When I check if a tunnel is connected in the dashboard it always reporting no tunnel connected. I do see active sessions but no tunnel.

Also I get same result of info device posture is and an error 400 right after the report of the information sent from the computer :
[2023-05-18 14:15:54.937] [error] Request failed with status code 400
[2023-05-18 14:15:57.166] [info] executing command at worker
[2023-05-18 14:15:57.167] [info] sync network status 2023-05-18T18:15:57.166Z
[2023-05-18 14:15:57.168] [info] sync network status []

I tried entering what you sent me but it doesn’t seem to like the cut command :

cut: the delimiter must be a single character
Try ‘cut --help’ for more information.
“docker logs” requires exactly 1 argument.
See ‘docker logs --help’.

HKilic · May 18, 2023, 6:32pm

opened ports must be 80 443 and 9999.
I think problem is about policy rules.
please send policy authentication and policy authorization

HKilic · May 18, 2023, 6:37pm

for accessing a network,
give permission by authentication rules

for accessing services
give permission by authorization rules

Mart · May 18, 2023, 7:27pm

My account is part of the IT group

HKilic · May 18, 2023, 7:34pm

Please reboot server.
or
ferrumgate --stop
ferrumgate --start

and when testing on server terminal
please follow logs

docker ps | grep rest | cut -d" " -f1 | xargs docker logs -f

Mart · May 18, 2023, 7:41pm

[2023-05-18T19:39:21.640] [WARN] default - captcha settings is empty, please fill it

[2023-05-18T19:39:21.641] [INFO] default - getAccessToken eyJhbG

[2023-05-18T19:39:21.644] [INFO] default - save current user device posture

[2023-05-18T19:39:21.645] [ERROR] default - ErrKeyLengthSmall->Error: length is invalid

at InputService.checkStringLength (/usr/src/app/build/src/service/inputService.js:141:19)

at /usr/src/app/build/src/api/userApi.js:219:24

at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

HKilic · May 18, 2023, 7:58pm

please type on terminal
send id field value

cat “/Users/YOUR_USER/Library/Application Support/ferrumgate/ferrum.json”

Mart · May 18, 2023, 8:06pm

This is the id I get :
“id”:“pWdURQIg”

HKilic · May 18, 2023, 8:35pm

Its length must be 16, I fixed the client.
please download and reinstall again.

Mart · May 19, 2023, 2:46pm

I seem to go further but the connection get closed right after authentication is successful :

[2023-05-19 10:43:19.941] [info] getting networks
[2023-05-19 10:43:19.968] [info] network: {“items”:[{“id”:“NyTW4tsik69eQaxW”,“name”:“default”,“action”:“allow”,“sshHost”:"ztna..com:9999"}]}
[2023-05-19 10:43:19.968] [error] no tunnel created for default starting new one
[2023-05-19 10:43:19.968] [info] current arch is arm64
[2023-05-19 10:43:19.969] [info] starting new tunnel “/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_ferrum” -N -F “/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_config” -w any -o “StrictHostKeyChecking no” -o “UserKnownHostsFile /dev/null” ferrum@ztna..com -p9999
[2023-05-19 10:43:19.969] [info] executing process command
[2023-05-19 10:43:19.975] [info] worker disconnected
[2023-05-19 10:43:19.978] [info] ipc server closed

(I removed the URL on purpose)

Mart · May 19, 2023, 2:54pm

On Windows I get a different message :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList\nERROR: The system was unable to find the specified registry key or value.\r\n",“assignedIp”:“100.64.0.7”,“serviceNetwork”:“172.28.28.0/24”,“resolvIp”:“172.28.28.1”,“resolvSearch”:“default.mydomain.zero”,“tun”:“ferrumTnssYx”,“isMasterResolv”:false,“resolvTunDomains”:}}]

HKilic · May 19, 2023, 4:24pm

I think there is a problem about sshHost ,
it looks like ferrum@ztna. .com . please check sshHost from Network section

HKilic · May 19, 2023, 4:28pm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList\n
did you add device posture check?

HKilic · May 19, 2023, 5:00pm

on windows command line or powershell
please type
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList

Mart · May 19, 2023, 5:14pm

ERROR: The system was unable to find the specified registry key or value.

Mart · May 19, 2023, 5:20pm

On my Mac I just tried connecting via ssh on port 9999 directly and I can confirm the port is open and answer but when Ferrumgate client connect I always get same error. I tried creating a new network (I deleted the default one) and redid the permissions but same result :

[{“id”:“gz8dVk89Nmr3lNB2”,“name”:“aws”,“action”:“allow”,“sshHost”:“ztna.mydomain.com:9999”}]}
[2023-05-19 13:16:52.521] [error] no tunnel created for aws starting new one
[2023-05-19 13:16:52.521] [info] current arch is arm64
[2023-05-19 13:16:52.521] [info] starting new tunnel “/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_ferrum” -N -F “/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_config” -w any -o “StrictHostKeyChecking no” -o “UserKnownHostsFile /dev/null” ferrum@ztna.mydomain.com -p9999
[2023-05-19 13:16:52.521] [info] executing process command
[2023-05-19 13:16:52.527] [info] worker disconnected
[2023-05-19 13:16:52.529] [info] ipc server closed

(I replaced my real domain with mydomain)

HKilic · May 19, 2023, 5:31pm

please type on macos terminal
“/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_ferrum” -N -F “/Applications/FerrumGate.app/Contents/Resources/app/service/darwin/arm64/ssh_config” -w any -o “StrictHostKeyChecking no” -o “UserKnownHostsFile /dev/null” ferrum@ztna.mydomain.com -p9999