# Cannot SSH/HTTPS to cluster_mgmt IP from host network


tepid cove
#

I would like to access my cluster from the host network in addition to the mgmt network (two different subnets); the service policy is correct, the firewall policy is correct. I can ping the cluster_mgmt IP from a client-network PC, and ports 22 and 443 are also open in the firewall, but still, when I try to log in, nothing comes up.

I have noticed that the routes which are added have the same metric; can that be the cause of this? Or do I need to look in some other direction?

Seeing multiple event log entries like: kernel: netinet.icmp.redirect: NOTICE] Received 1297183 ICMPv4 redirect messages for IPspace "Default"

kindred dew
#

do you happen to have multiple default routes?

tepid cove
#

there are 2 routes, one per subnet, but both have the same metric

kindred dew
#

routes to which destination? both to 0.0.0.0/0?

#

please share your network route show -vserver <cluster-name>

tepid cove
#

    nas1::> route show
    Vserver     Destination     Gateway         Metric
    ----------- --------------- --------------- ------
    nas1
                0.0.0.0/0       172.16.0.1      20
                0.0.0.0/0       172.21.3.1      20
    nas1-nas
                0.0.0.0/0       172.16.0.1      20
                0.0.0.0/0       172.21.3.1      20
    4 entries were displayed.

#

172.21 is the mgmt subnet, 172.16 is the client subnet; I need to access it from a client-subnet system

kindred dew
#

yeah, that's 2 default routes; that doesn't work (at least it doesn't work the way you think it works)

#

it basically tells the system: "if you need to send a packet to any IP address (that is not locally connected), you can send it either to 172.16.0.1 or to 172.21.3.1, at your discretion"

#

I wonder why so many people get this wrong

#

depending on your network, you either need to add specific subnet routes (e.g. 10.0.0.0/8 goes via .16.0.1, everything else goes via .21.3.1, or something like that), or you need to add a second mgmt LIF that is in the same layer 2 network as either your clients or your mgmt subnet, which then works without routing.

#

or you need to have one gateway that always gets used, and the gateway then forwards the packet to either the .16 net or the .21 net

tepid cove
#

so just delete the route with gateway 172.16.0.1 and replace it with a more specific route like 172.16.0.0/16 (same gateway) with a metric of 10? Just FYI, nas1-nas is the data SVM and nas1 is the SVM which is being used for mgmt

kindred dew
#

if all your clients are in 172.16.0.1/16, and the SVM LIF is also in that network, then you don't need a route in the first place because the net is directly connected

raw breach
#

You could also

    route delete -vserver nas1 -destination 0.0.0.0/0 -gateway 172.16.0.1 ; route create -vserver nas1 -destination 0.0.0.0/0 -gateway 172.16.0.1 -metric 30

#

That’s one “command” with a semicolon

kindred dew
#

yeah, but the metric doesn't matter if you need two different gateways to get to two different networks. The metric only defines the gateway that gets used

#

if you want something like "when I come through LIF1, please send through that gateway, and if I come through LIF2, send through that other gateway", that's not something you can do with (default) routes. That would require the "fastpath" feature from 7-mode which was (luckily) removed from ONTAP long ago

raw breach
#

ONTAP can get confused on the outbound path. Every “default” route should have a different metric to limit internal confusion. This shows up all the time in reports

kindred dew
#

yeah, but you are supposed to use different gateways with the same metric only if they can be used interchangeably (i.e. they both have access to the same set of networks and are on links of the same speed)

#

and since people think they can be used for that other scenario I described above, they put in different gateways (with access to different networks) as default gateways, and of course that causes confusion 🙂