Server inaccessible

Hi, I have installed FerrumGate with the help of Install - FerrumGate on our AWS EC2 instance. Once the installation finished, I found the server became inaccessible via its private IP, e.g. (172.31.1.10); it is only accessible via the public IP.
I tried twice on a fresh machine and had the same problem. Can you please help with what the issue is and how to make it accessible?

Secondly, I would like to set up access using this zero trust policy to SSH to other AWS EC2 instances and databases. That's also not working.

Please help to solve.

Regards, Gopal Chand

Hi, let's solve the first access problem.
On the ferrumgate server, please type
netstat -tuplen
This command will show the listening ports.
You should see
0.0.0.0:443
::443
0.0.0.0:80
::80
Please check whether these ports are listening.
If the ports are listening,
type on the ferrumgate server
curl localhost:80
You will see Found, Redirecting.

If these tests work,
then check your machine firewall etc. on AWS. Also check from other machines whether ping works.

After solving these problems, I will help you define services.
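The checks in this reply can be scripted so they are repeatable on a fresh install. The following is an added example written for this thread, not FerrumGate's own tooling: it parses the text of `netstat -tuplen` (constructed samples are embedded, shaped like the output posted later in the thread) and reports which wildcard listeners the reply asks for are missing (80/tcp and 443/tcp, plus 9999 tcp/udp, which the thread names later as the tunnel port), and it checks that port 80 answers with the "Found. Redirecting" reply; run it with `--live` to execute netstat and curl on the server itself.

```shell
#!/bin/sh
# Added example (not from the thread or the FerrumGate project): confirm the
# listeners a FerrumGate server needs are bound on a wildcard address, and that
# the web front end on port 80 answers with its redirect to https.

# has_listener OUTPUT PROTO PORT
# Succeeds when OUTPUT (text of `netstat -tuplen`) has a PROTO or PROTO6 socket
# bound to 0.0.0.0:PORT or :::PORT (tcp sockets must also be in LISTEN state).
has_listener() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 ~ ("^" proto "6?$") &&
        ($4 == "0.0.0.0:" port || $4 == ":::" port) &&
        (proto == "udp" || $6 == "LISTEN") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# missing_listeners OUTPUT
# Prints one "proto/port" line for each required listener that is absent.
missing_listeners() {
    for want in tcp/80 tcp/443 tcp/9999 udp/9999; do
        has_listener "$1" "${want%/*}" "${want#*/}" || echo "$want"
    done
}

# redirect_ok RESPONSE
# Succeeds when the body returned by `curl localhost:80` is the expected redirect.
redirect_ok() {
    case "$1" in
        *"Found. Redirecting to https://"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the relevant lines of a healthy server's netstat output.
SAMPLE_OK='tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 0 19869 -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 17130 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 13578 -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 17079 -
tcp6 0 0 :::443 :::* LISTEN 0 17148 -
udp 0 0 0.0.0.0:9999 0.0.0.0:* 0 19877 -'

# Constructed sample: a server where the tunnel service (9999) never came up.
SAMPLE_BROKEN='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 17130 -
tcp6 0 0 :::80 :::* LISTEN 0 17102 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 996 12395 -'

# live_check: run the same checks on this host (needs net-tools and curl).
live_check() {
    out=$(netstat -tuplen 2>/dev/null) || { echo "netstat not available"; return 2; }
    missing=$(missing_listeners "$out")
    if [ -n "$missing" ]; then
        echo "missing listeners:"; echo "$missing"; return 1
    fi
    body=$(curl -s --max-time 5 http://localhost:80/) || { echo "port 80 not answering"; return 1; }
    redirect_ok "$body" || { echo "unexpected reply on port 80: $body"; return 1; }
    echo "listeners present and port 80 redirects to https"
}

if [ "$1" = "--live" ]; then
    live_check
else
    echo "healthy sample, missing: [$(missing_listeners "$SAMPLE_OK")]"
    echo "broken sample, missing:"; missing_listeners "$SAMPLE_BROKEN"
fi
```

Without arguments the script only evaluates the embedded samples; `sh check.sh --live` on the server performs the real checks, and a non-zero exit means one of the steps in the reply above failed.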

Hi @HKilic,
Thanks for the reply.
Please find the results as suggested:
$ netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 996 12396 -
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 0 19869 -
tcp 0 0 169.254.254.121:9292 0.0.0.0:* LISTEN 0 16940 -
tcp 0 0 169.254.254.121:7379 0.0.0.0:* LISTEN 0 16171 -
tcp 0 0 169.254.254.121:7380 0.0.0.0:* LISTEN 0 16125 -
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 996 12398 -
tcp 0 0 169.254.254.118:7379 0.0.0.0:* LISTEN 0 16166 -
tcp 0 0 169.254.254.118:7380 0.0.0.0:* LISTEN 0 16120 -
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 996 12384 -
tcp 0 0 169.254.254.118:9292 0.0.0.0:* LISTEN 0 18030 -
tcp 0 0 169.254.254.118:9200 0.0.0.0:* LISTEN 0 14606 -
tcp 0 0 169.254.254.121:9200 0.0.0.0:* LISTEN 0 15470 -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 17130 -
tcp 0 0 169.254.254.121:6379 0.0.0.0:* LISTEN 0 14502 -
tcp 0 0 169.254.254.121:6381 0.0.0.0:* LISTEN 0 14541 -
tcp 0 0 169.254.254.121:6380 0.0.0.0:* LISTEN 0 15430 -
tcp 0 0 169.254.254.118:6379 0.0.0.0:* LISTEN 0 15423 -
tcp 0 0 169.254.254.118:6381 0.0.0.0:* LISTEN 0 14521 -
tcp 0 0 169.254.254.118:6380 0.0.0.0:* LISTEN 0 14499 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 13578 -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 17079 -
tcp6 0 0 :::9999 :::* LISTEN 0 19872 -
tcp6 0 0 :::5355 :::* LISTEN 996 12392 -
tcp6 0 0 :::443 :::* LISTEN 0 17148 -
tcp6 0 0 :::22 :::* LISTEN 0 13580 -
tcp6 0 0 :::80 :::* LISTEN 0 17102 -
udp 0 0 0.0.0.0:9999 0.0.0.0:* 0 19877 -
udp 0 0 127.0.0.54:53 0.0.0.0:* 996 12397 -
udp 0 0 127.0.0.53:53 0.0.0.0:* 996 12395 -
udp 0 0 172.32.2.98:68 0.0.0.0:* 998 12514 -
udp 0 0 0.0.0.0:54320 0.0.0.0:* 0 14302 -
udp 0 0 0.0.0.0:54321 0.0.0.0:* 0 14290 -
udp 0 0 169.254.254.121:9292 0.0.0.0:* 0 17044 -
udp 0 0 169.254.254.118:9292 0.0.0.0:* 0 16986 -
udp 0 0 0.0.0.0:5355 0.0.0.0:* 996 12383 -
udp6 0 0 :::9999 :::* 0 19881 -
udp6 0 0 :::54320 :::* 0 14303 -
udp6 0 0 :::54321 :::* 0 14291 -
udp6 0 0 :::5355 :::* 996 12391 -

admin@ip-172-32-2-98:~$ curl localhost:80
Found. Redirecting to https://localhost/
admin@ip-172-32-2-98:~$

Also, as I mentioned, before the installation I was able to SSH to this server from its private IP, and I can see 0.0.0.0:22 is LISTEN. But I don't know why I am not able to SSH within the private network.
I am fine even if the server is only accessible from the public IP.
My main problem is that I am not able to connect to any other resources using the VPN [FerrumGate] connection; I am not even able to ping the default DNS IP 172.28.28.1 after connecting.


I could not understand why the local network is not working.
Please try to ping another machine in your network from the ferrumgate server.

But for connecting to the ferrumgate server from the public internet,
please check on the firewall that
443/tcp
9999/tcp/udp are allowed (tunnel server).

Hi @HKilic,

Yes, all the requested ports are allowed. PFB screenshot for your reference.

And yes, I am able to connect/ping other servers from the ferrumgate server.

After connecting, the client color becomes yellow, then green.
Also please send the client logs (there could be some sensitive data like the hostname of the ZTNA) and the client status screen.

You can delete log files.
{"tryCount":0,"lastTryTime":1719569500177,"isWorking":false,"pingErrorCount":0,"pingTimes":[],"dnsTimes":[],"dnsErrorCount":0,"protocol":"auto","lastError":"Closed"}}]
[2024-06-28 15:41:55.663] [error] no tunnel created for admin starting new one
[2024-06-28 15:41:56.065] [info] killing process tunnel
[2024-06-28 15:41:56.068] [info] forcing to kill 12068
[2024-06-28 15:41:56.073] [info] process exited
[2024-06-28 15:41:56.267] [error] Command failed: taskkill.exe /F /PID 12068
ERROR: The process "12068" not found.

[2024-06-28 15:41:56.350] [info] executing process command quic
[2024-06-28 15:41:56.354] [info] executing process command "C:\Program Files\FerrumGate\app-1.9.0\resources\app\service\win32\quic_ferrum.exe" --insecure --loglevel info --host yourhost.com:9999
[2024-06-28 15:41:56.359] [info] process started with pid: 23316
[2024-06-28 15:41:56.411] [info] version: 1.1.0

[2024-06-28 15:41:56.531] [info] ferrum_pid:23316

[2024-06-28 15:41:56.536] [info] 2024-06-28T10:11:56.531775Z INFO client: connecting to [2606:4700:8de9:28c7:3264:0:fa7e:e31a]:9999

Your host resolves to IPv6. It is not working. Please use IPv4.

Hi @HKilic,

You mean use IPv4 on the client machine? What if we need both IPv4 and IPv6 to work?

Yes, DNS resolution should be IPv4; don't resolve to an IPv6 address, then your client should work. AWS normally gives an IPv4 address, you should use it. We did not test IPv6 yet; make the server address IPv4 and it should work.

Hi @HKilic, now I am on an IPv4 network and still have the same issue. Please find the screenshots and logs below for your reference.
Logs:

I checked your IP:
port 443 is accessible,
but 9999 is not accessible.
Check by getting info from 443:
nc yourip 443
get /
HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Sat, 29 Jun 2024 07:22:33 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -

400 Bad Request

400 Bad Request


cloudflare

As you see, the server is Cloudflare; probably this IP is behind Cloudflare.
Please check it.
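The two client-side findings in this thread, the hostname resolving to an IPv6 address the client cannot use, and a CDN answering on 443 so that the 9999/udp tunnel never reaches the server, can both be checked before a connection attempt. The script below is an added example written for this thread, not FerrumGate's tooling: it parses `getent ahosts` output to list IPv6 answers and reads the `Server:` header of an HTTPS reply (constructed samples are embedded; `yourhost.com` and the IPv6 address come from the thread, `203.0.113.10` is a constructed documentation address). Given a hostname as its argument it runs both checks live with `getent` and `curl`.

```shell
#!/bin/sh
# Added example (not from the thread or FerrumGate): pre-connection checks for a
# client. ipv6_answers shows whether a hostname resolves to IPv6 addresses;
# front_server reads the Server: header on port 443 to spot a CDN such as
# Cloudflare sitting in front of the ferrumgate host.

# ipv6_answers AHOSTS_OUTPUT
# Given the output of `getent ahosts HOST`, prints each distinct IPv6 address.
ipv6_answers() {
    printf '%s\n' "$1" | awk '$1 ~ /:/ { print $1 }' | sort -u
}

# front_server HTTP_RESPONSE
# Prints the lowercased value of the first Server: header of a raw HTTP reply.
front_server() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "server:" { print tolower($2); exit }'
}

# Constructed sample of `getent ahosts yourhost.com` for a host with an AAAA record.
SAMPLE_AHOSTS='2606:4700:8de9:28c7:3264:0:fa7e:e31a STREAM yourhost.com
2606:4700:8de9:28c7:3264:0:fa7e:e31a DGRAM
203.0.113.10 STREAM yourhost.com
203.0.113.10 DGRAM'

# Constructed sample reply with the headers seen in the thread.
SAMPLE_RESPONSE='HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Sat, 29 Jun 2024 07:22:33 GMT
Content-Type: text/html
Connection: close'

# live_client_check HOST: run both checks against a real hostname (needs getent, curl).
live_client_check() {
    host=$1
    v6=$(ipv6_answers "$(getent ahosts "$host")")
    if [ -n "$v6" ]; then
        echo "$host has IPv6 answers, the client may pick one of them:"; echo "$v6"
    else
        echo "$host resolves to IPv4 only"
    fi
    # -k: a FerrumGate server normally presents a self-signed certificate.
    hdrs=$(curl -skI --max-time 5 "https://$host/") || { echo "no answer on 443"; return 1; }
    srv=$(front_server "$hdrs")
    case "$srv" in
        cloudflare) echo "443 is answered by Cloudflare: tunnel traffic on 9999 will not reach the server"; return 1 ;;
        "")         echo "443 answered, no Server header" ;;
        *)          echo "443 answered by: $srv" ;;
    esac
}

if [ -n "$1" ]; then
    live_client_check "$1"
else
    echo "sample IPv6 answers:"; ipv6_answers "$SAMPLE_AHOSTS"
    echo "sample front server: $(front_server "$SAMPLE_RESPONSE")"
fi
```

Run as `sh client-check.sh yourhost.com`; an IPv6 answer means the host needs an IPv4-only name (or the client pointed at the IPv4 address directly), and a Cloudflare reply on 443 means the proxy must be taken out of the path.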

Hi @HKilic,
I have removed the Cloudflare restriction. But now I get the error below when connecting.

Please send the log file.

PFB
https://drive.google.com/file/d/1UOXtxD81ckS/view?usp=sharing

Setting the IP address fails:
Command failed: cmd.exe /c netsh interface ipv4 set address "ferrumTqioVCv2" static 100.64.0.31 255.255.255.255

There is a Windows service called ferrumgate; please check that it works.
And do you have any endpoint program?

Hi, the Windows service status shows running…

"And do you have any endpoint program?" → You mean an antivirus program? We have Bitdefender Endpoint Security. I have checked; there is no blocking on the AV side.

Please test it without antivirus and endpoint security.

Okay, as suggested… Now I tried on an Ubuntu Desktop machine.
Now it successfully connects and I am able to ping the service-assigned IP, but I am not able to connect to the SSH/telnet service I have created.

PFA Logs: https://drive.google.com/file/d/1UPF1ndVo0iGX_tOjklpJ0I4xYO1BWMGh/view?usp=sharing

Ping 172.32.5.79 from the ferrumgate server.
If it works,
then add a rule under Policies/Authorization for your service and user/group.

Hi, yes, ping and SSH are working from the server.
And the policy is also available.