Ssh connection problem to vm

Hello,

For 4 years I have had a server (hpprol2) with a Xen VM, and I connect to the VM via ssh.
The host is used as a local DHCP and DNS server with 4 VLANs.
Everything worked without problems, but yesterday I did a zypper dup on the VM via the ssh connection. After the zypper dup finished I ran a reboot command and waited some minutes before trying to connect via ssh to the VM. I then received the error “No route to host”.

I didn’t change anything on the server.
The connection to the VM is done via a bridge (br0 with IP = 192.168.1.120), and when I start the VM via the Virtual machine viewer/manager it creates an additional network connection “vifx.0”.
Here are the IP addresses and the routes on the host when the VM is started:

philippe@hpprol2:~> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:12 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f0
    altname enx9c8e995b4812
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f1
    altname enx9c8e995b4813
4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:14 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f2
    altname enx9c8e995b4814
5: eno4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:8e:99:5b:48:15 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f3
    altname enx9c8e995b4815
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1a:75:5f:65:ab:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.120/32 scope global br0
       valid_lft forever preferred_lft forever
    inet 192.168.1.110/32 scope global br0
       valid_lft forever preferred_lft forever
7: vlan1@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global vlan1
       valid_lft forever preferred_lft forever
8: vlan2@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global vlan2
       valid_lft forever preferred_lft forever
9: vlan4@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global vlan4
       valid_lft forever preferred_lft forever
10: vlan3@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:8e:99:5b:48:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global vlan3
       valid_lft forever preferred_lft forever
11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc noqueue state UNKNOWN group default qlen 3
    link/ppp 
    inet 91.179.229.77 peer 10.24.97.36/32 scope global ppp0
       valid_lft forever preferred_lft forever
12: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
    link/ether 52:54:00:de:0f:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global virbr0
       valid_lft forever preferred_lft forever
14: vif2.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    altname enxfeffffffffff
philippe@hpprol2:~> ip r
default dev ppp0 scope link 
default via 192.168.2.1 dev vlan2 proto static 
default via 192.168.3.1 dev vlan3 proto static 
default via 192.168.4.1 dev vlan4 proto static 
10.24.97.36 dev ppp0 proto kernel scope link src 91.179.229.77 
192.168.1.0/24 dev vlan1 proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev vlan3 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev vlan4 proto kernel scope link src 192.168.4.1 
192.168.4.92 via 192.168.1.120 dev br0 proto static 
192.168.101.0/24 dev virbr0 proto kernel scope link src 192.168.101.1 linkdown 
philippe@hpprol2:~> 

When starting ssh with the most verbose option I receive the error message:

philippe@hpprol2:~> ssh -vvv -p 7820 192.168.4.92
debug1: OpenSSH_10.2p1, OpenSSL 3.5.3 16 Sep 2025
debug3: Running on Linux 6.18.0-2-default #1 SMP PREEMPT_DYNAMIC Sat Dec  6 07:14:55 UTC 2025 (371bdaf) x86_64
debug3: Started with: ssh -vvv -p 7820 192.168.4.92
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug3: /usr/etc/ssh/ssh_config line 30: Including file /etc/ssh/ssh_config.d/50-suse.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug2: checking match for 'final all' host 192.168.4.92 originally 192.168.4.92
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: configuration requests final Match pass
debug2: resolve_canonicalize: hostname 192.168.4.92 is address
debug1: re-parsing configuration
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug3: /usr/etc/ssh/ssh_config line 30: Including file /etc/ssh/ssh_config.d/50-suse.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug2: checking match for 'final all' host 192.168.4.92 originally 192.168.4.92
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-suse.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [mlkem768x25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/philippe/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/philippe/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.4.92 [192.168.4.92] port 7820.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address 192.168.4.92 port 7820: No route to host
ssh: connect to host 192.168.4.92 port 7820: No route to host
philippe@hpprol2:~>

But the ping to the VM works:

philippe@hpprol2:~> ping  192.168.4.92
PING 192.168.4.92 (192.168.4.92) 56(84) bytes of data.
64 bytes from 192.168.4.92: icmp_seq=1 ttl=64 time=0.470 ms
64 bytes from 192.168.4.92: icmp_seq=2 ttl=64 time=0.302 ms
64 bytes from 192.168.4.92: icmp_seq=3 ttl=64 time=0.518 ms
64 bytes from 192.168.4.92: icmp_seq=4 ttl=64 time=0.276 ms
^C
--- 192.168.4.92 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3097ms
rtt min/avg/max/mdev = 0.276/0.391/0.518/0.104 ms
philippe@hpprol2:~> 

I can open the VM in the virtual manager and open a graphic session on the VM.
In the VM I can ping the bridge on the host, I can do a zypper dup without problems, and I can browse via Firefox.

On the host I can connect to another system via ssh on the same network

philippe@hpprol2:~> ssh  -p 7820 192.168.4.91
Last login: Mon Dec 15 15:36:33 CET 2025 from 192.168.4.1 on ssh
Have a lot of fun...
philippe@rasp:~> 

I have the feeling that the problem is the routing on the host, but I didn’t change anything and it has worked for 4 years with the same routing table. I use systemd-networkd to define the network on the host.
The additional route for the VM is defined in the bridge network file:

hpprol2:/etc/systemd/network # cat 03-br0.network
[Match]
Name=br0

[Network]
Address=192.168.1.120/32
Address=192.168.1.110/32
Gateway=192.168.1.1
IPv6AcceptRA=no
LinkLocalAddressing=no   

[Route]
Gateway=192.168.1.120
Destination=192.168.4.92/32
hpprol2:/etc/systemd/network 

Any idea?

Many thanks in advance
Philippe

@phil524 Did you have the firewall disabled, if so it may have been re-enabled…

Ya, random firewall re-enablement has been happening with recent snapshots on some of my systems.

Yes, firewalld has been activated for years, and I checked the configuration: nothing has changed since 2021.
SELinux is also activated, but there is nothing in sealert.
Nothing in journalctl.

Regards
Philippe

It’s not random, it was a change in systemd-presets-branding-openSUSE-12.2-27.1.noarch that enabled it, and there’s a bug in bugzilla about this change overriding user preferences on existing installations.

You do realize that there are two sides - ssh client and ssh server? Which side do you mean?

It is the ssh client from the host to the VM.

Regards
Philippe

Hello,

I found the problem. The last zypper dup on the VM started firewalld, which was not configured.
Adding the firewall-config package allowed me to configure firewalld for the ports used with ssh, samba, mdns etc.

Now the ssh connection to the VM works.

Regards
Philippe
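
Added example, not part of the thread: a small shell helper that reads the symptom reported above (ping answers, TCP connect fails with "No route to host") as a firewall reject on the target rather than a routing fault, and checks `firewall-cmd --list-all` output for the sshd port. The function names and the zone listing are constructed for illustration; the error line and port 7820/tcp are taken from the thread.

```bash
#!/bin/sh
# Added example, not from the thread. 7820/tcp is the sshd port used in the thread;
# the zone listing below is constructed sample input.

# Interpret a failed TCP connect. $1 = client error text, $2 = ping_ok | ping_fail
classify_connect_failure() {
    case "$1" in
        *"No route to host"*)
            # A firewall REJECT answers with an ICMP "prohibited" message, which the
            # Linux client reports as EHOSTUNREACH ("No route to host").
            if [ "$2" = "ping_ok" ]; then echo "rejected-by-firewall"
            else echo "host-unreachable"; fi ;;
        *"Connection refused"*) echo "no-listener-on-port" ;;
        *"timed out"*)          echo "dropped-or-host-down" ;;
        *)                      echo "unknown" ;;
    esac
}

# Succeeds if port $2 (e.g. 7820/tcp) is on the "ports:" line of
# `firewall-cmd --list-all` output passed as $1. Port ranges are not expanded.
port_allowed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# Run as root on the VM: open the port permanently and reload the rules.
open_port() {
    firewall-cmd --permanent --add-port="$1" && firewall-cmd --reload
}

SAMPLE_ERR='ssh: connect to host 192.168.4.92 port 7820: No route to host'
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:
  forward-ports:'

echo "diagnosis: $(classify_connect_failure "$SAMPLE_ERR" ping_ok)"
# The predefined "ssh" service covers 22/tcp only, so a non-standard port needs its own entry.
port_allowed "$SAMPLE_ZONE" 7820/tcp || echo "7820/tcp is not open; run: open_port 7820/tcp"
```

On the VM, feed the real listing in with `port_allowed "$(firewall-cmd --list-all)" 7820/tcp`.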
