Zone and Gateway Troubleshooting Guide

Published December 16, 2024

Introduction


The Zone feature is designed to address connectivity issues in certain environments (such as cross-datacenter and hybrid cloud scenarios) where direct connections are not possible. It works by allowing JumpServer to perform jump logins to target assets through a gateway server.

If you find that assets within a zone are unable to connect, please refer to the following methods.

Server trace files are stored under /data/jumpserver/ for reference during troubleshooting.

Troubleshooting Tips and Suggestions


1. Enable SSH TCP forwarding

The "Zone" feature is built on SSH TCP forwarding. Make sure TCP forwarding is enabled in the SSH server on the Gateway machine: in /etc/ssh/sshd_config, confirm that the parameter AllowTcpForwarding is set to yes and that the line is not commented out.

2. Check Network Environment.

Make sure that JumpServer can reach the SSH port of the Gateway machine, and that the Gateway machine in turn can reach the target port on the asset.
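Added example (not from the JumpServer documentation) that turns tips 1 and 2 into shell checks: one function reports the AllowTcpForwarding value a given sshd_config file would yield, the other tests the JumpServer-to-Gateway and Gateway-to-asset path, including a forwarded channel through the Gateway. Host names, ports, the account name and the presence of nc on both hosts are assumptions.

```shell
#!/bin/sh
# Added example (not part of the JumpServer guide): helper checks for tips 1 and 2.
# Host names, ports and the account name used below are placeholders.

# Tip 1: report the AllowTcpForwarding value sshd would take from a config file.
# Exit status: 0 = "yes", 1 = explicitly something else (no/local/remote), 2 = absent.
# sshd uses the first value it finds, so the scan stops at the first occurrence; it
# also stops at the first "Match" block, because per-user/per-host overrides there
# are not evaluated here. For the effective value on the Gateway itself, run:
#   sshd -T -C user=<gateway account>,host=<jumpserver host>,addr=<jumpserver ip>
sshd_allow_tcp_forwarding() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    # Comment lines start with '#', so their first field never equals the keyword.
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "allowtcpforwarding" { print tolower($2); exit }' "$cfg")
    case "$val" in
        yes) return 0 ;;
        "")  return 2 ;;
        *)   return 1 ;;
    esac
}

# Tip 2: run from the JumpServer host. Checks (a) JumpServer -> Gateway SSH port,
# (b) Gateway -> asset port, and (c) a direct-tcpip channel through the Gateway,
# which is the mechanism the Zone relies on and fails when forwarding is disabled.
check_zone_path() {
    gw_user="$1"; gw_host="$2"; gw_port="$3"; asset_host="$4"; asset_port="$5"
    nc -z -w 5 "$gw_host" "$gw_port" \
        || { echo "JumpServer cannot reach $gw_host:$gw_port" >&2; return 1; }
    ssh -p "$gw_port" -o BatchMode=yes -o ConnectTimeout=5 "$gw_user@$gw_host" \
        "nc -z -w 5 $asset_host $asset_port" \
        || { echo "Gateway cannot reach $asset_host:$asset_port" >&2; return 1; }
    # -W opens a forwarded TCP channel to the asset; ssh exits non-zero if the
    # Gateway's sshd refuses it (AllowTcpForwarding no) or cannot connect.
    ssh -p "$gw_port" -o BatchMode=yes -o ConnectTimeout=5 \
        -W "$asset_host:$asset_port" "$gw_user@$gw_host" </dev/null \
        || { echo "TCP forwarding through $gw_host failed" >&2; return 1; }
    echo "Zone path JumpServer -> $gw_host -> $asset_host:$asset_port looks OK"
}
```

Usage: `sshd_allow_tcp_forwarding /etc/ssh/sshd_config` on the Gateway, then `check_zone_path <account> <gateway> 22 <asset> <port>` from the JumpServer host, using the same Gateway account that is saved in JumpServer so that key-based login works non-interactively.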

3. Certain types of assets do not support the Zone feature.

The Zone feature currently forwards only Layer 4 (TCP) traffic. Assets that depend on Layer 7 protocols, such as Web assets and Kubernetes assets, are therefore not supported by the Zone functionality.

4. Check the Load Balancer configuration provided by the public cloud vendor.

The Gateway machine theoretically supports Load Balancers provided by public cloud vendors. Ensure that the Load Balancer has Layer 4 forwarding enabled and that the relevant security policies are in place. Note that this setup may affect the connectivity test of the Gateway machine, but the actual Zone functionality should remain unaffected.

5. Assets within Zone are unable to access JumpServer.

The Zone feature forwards traffic in one direction only: machines inside the Zone cannot reach JumpServer through it. If that is required, you must set up the reverse traffic forwarding yourself. One such scenario is a RemoteApp machine deployed inside the Zone, which needs to access JumpServer (Layer 7).

6. Check Gateway Account Status

Check whether the password of the Gateway account has expired. If JumpServer cannot log in to the Gateway with the saved account password, the Zone functionality will be restricted.

7. Check Zone Configuration Again

If the above methods still do not resolve the issue, ensure that the Zone and Gateway configurations are correct, and verify that the asset and Gateway are within the same network environment.