There are instances where SSH from a specific jump server or from the Versa Director fails, while SSH from other machines works.
This is most likely due to failed SSH attempts to the appliance management IP from the problematic jump server or Versa Director.
A dedicated service running on each Versa FlexVNF tracks continuous failed attempts per source IP address and bans any IP whose SSH failures go beyond the configured max-retry value. The service is called Versa-fail2ban.
The fail2ban service adds a reject rule to iptables for the source IP that is making the failed attempts.
The default max-retry value (failed attempts before the source IP is locked out of SSH on the appliance) is 6.
You can disable this fail2ban feature, or change the max-retry value, from the Director UI using the settings below.
1. You can also modify the max-retry value to beyond 6 with the following CLI command on the appliance (the UI option is shown above).
admin@Branch-1-cli(config)% set system login max-retries
Possible completions:
<unsignedByte>[6]
2. You can permanently disable this security feature, although we do not recommend it (the UI option is shown above).
admin@Branch-1-cli(config)% set system login ban disabled
[ok][2024-11-27 19:24:12]
[edit]
admin@Branch-1-cli(config)% commit
Note:
Disabling the fail2ban feature using the above CLI or UI option will stop the versa-fail2ban service in
3. In the future, if you need to unblock an IP that was banned by this preemptive security block, use the commands below to verify and unblock it.
> show jail ssh
> request clear jail ssh ip <Banned IP>
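To find which jump server or Director is generating the failed logins described above, rather than raising max-retries or disabling the ban, the following added example (not Versa code) counts SSH failures per source IP in sshd log lines against the default of 6. The standard OpenSSH syslog line format, the 10-minute counting window, banning on reaching the limit, and the sample hosts and IPs are assumptions; the article does not state them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRIES = 6                 # default max-retries stated in the article
WINDOW = timedelta(minutes=10)  # assumption: the article gives no counting window

# OpenSSH failure line in classic syslog format; "invalid user" is optional.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def ips_at_limit(lines, max_retries=MAX_RETRIES, window=WINDOW, year=2024):
    """Map each source IP to the time its failures first reached max_retries."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    hit = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        # Syslog timestamps carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_retries:
            hit.setdefault(m.group(2), ts)
    return hit

def fail_line(hhmmss, ip, user="admin"):
    # Builds one constructed sshd failure line for the sample below.
    return (f"Nov 27 {hhmmss} Branch-1 sshd[4242]: "
            f"Failed password for {user} from {ip} port 50522 ssh2")

# Constructed sample log (documentation-range IPs), not taken from an appliance.
SAMPLE = (
    [fail_line(f"19:20:{s:02d}", "192.0.2.10") for s in range(0, 60, 10)]
    + [fail_line("19:21:00", "192.0.2.20"), fail_line("19:21:30", "192.0.2.20")]
    + [fail_line(f"{h:02d}:00:00", "198.51.100.7", "invalid user test")
       for h in range(10, 16)]
    + ["Nov 27 19:22:00 Branch-1 sshd[4243]: "
       "Accepted password for admin from 192.0.2.20 port 50530 ssh2"]
)

if __name__ == "__main__":
    for ip, ts in ips_at_limit(SAMPLE).items():
        print(f"{ip} reached {MAX_RETRIES} failures at {ts:%H:%M:%S}")
```

In the sample, only 192.0.2.10 (six failures in under a minute, typical of a script retrying with a stale credential) reaches the limit; the six failures from 198.51.100.7 are an hour apart and fall outside the assumed window.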