Support Center > Search Results > SecureKnowledge Details
SSH DPI compatibility with ssh_version2 service object Technical Level
Symptoms
  • Unable to open an SSH connection to devices behind the gateway after enabling SSH DPI.
  • 'ssh2_code' drop in kernel debug and 'ssh2_code' drop in zdebug + drop output:

    fw_log_drop_ex: Packet proto=6 192.168.10.120:50306 -> 172.16.30.40:22 dropped by fw_post_vm_chain_handler Reason: Handler 'ssh2_code' drop;
Cause
  • Some SSH Clients are not compatible with the ssh_version_2 service object in combination with SSH DPI.
  • The ssh_version_2 service object requires first SSH Key offer from the server.  In this case, the gateway drops the SSH client offer from the client, because it is waiting for the server to respond first. 
  • Some clients send an acknowledgement of the SSH connection requesting a key from the server and the connection works. 

Solution
Note: To view this solution you need to Sign In .