MacOS – What causes ssh to return Network is down

macossshterminalunix

I'm trying, without success, connect to a local network ssh server from macOS by doing:

$ ssh user@1111:ab1:123:ab1:011b:12bc:ab12:1a2b

and then I get:

ssh: connect to host 1111:ab1:123:ab1:011b:12bc:ab12:1a2b port 22: Network is down

I actually can connect to that server from iPhone app Termius (and there are also other reasons to think the server side is ok) so I believe there is a problem on the client side. I tried that same app on macOS without success.

Also, ssh to a virtual machine works well, as well as to an amazon aws server.

Also tried verbose:

$ ssh user@1111:ab1:123:ab1:011b:12bc:ab12:1a2b -vvv
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 1111:ab1:123:ab1:011b:12bc:ab12:1a2b port 22.
ssh: connect to host 1111:ab1:123:ab1:011b:12bc:ab12:1a2b port 22: Network is down

And IPV6:

$ ssh -6 -vvv user@1111:ab1:123:ab1:011b:12bc:ab12:1a2b
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 1111:ab1:123:ab1:011b:12bc:ab12:1a2b port 22.
ssh: connect to host 1111:ab1:123:ab1:011b:12bc:ab12:1a2b port 22: Network is down

And ping:

$ ping 1111:ab1:123:ab1:011b:12bc:ab12:1a2b
ping: cannot resolve 1111:ab1:123:ab1:011b:12bc:ab12:1a2b: Unknown host

What might be causing the Network is down? How should I debug this?

Best Answer

SSH is just the messenger, and is likely calling strerror(3) or equivalent on a bad exit code from some socket call:

$ find /usr/include -name "*.h" -exec grep 'Network is down' {} +
/usr/include/apr-1/apr_errno.h:#define SOCENETDOWN             (SOCBASEERR+50)            /* Network is down */
/usr/include/sys/errno.h:#define        ENETDOWN        50              /* Network is down */
$

If we dig around in the system man pages for ENETDOWN this will turn up documentation...

$ find /usr/share/man -type f -exec grep -l ENETDOWN {} +
/usr/share/man/man2/connect.2
/usr/share/man/man2/connectx.2
/usr/share/man/man2/intro.2
/usr/share/man/man2/send.2
...

Though not much as connect(2) or intro(2) merely indicate

 [ENETDOWN]         The local network interface is not functioning.
...
 50 ENETDOWN Network is down.  A socket operation encountered a dead net-
         work.

Is IPv6 working on this host? You'll probably need to debug with ping6 (not ping) and maybe check the IPv6 settings via some clicky interface or instead ifconfig and netstat -rn.

To avoid the GUI, the network settings for IPv6 can be adjusted with something like

sudo ipconfig set en0 AUTOMATIC-V6

see the ipconfig(8) manual for details.

Related Solutions

Web and outbound ssh stopped working but ping and other network services work

Fixed by removing old NetNanny extensions as suggested in https://discussions.apple.com/thread/2296455

MacOS – Loading User LaunchAgent Successfully

OK, addressing your second question first (is my plist actually correct?), plutil (in its default invocation) "lints" (checks) plist files for correctness:

plutil ~/Library/LaunchAgents/local.brew.update.plist

Equivalent to:

plutil -lint ~/Library/LaunchAgents/local.brew.update.plist

Turning to your first question (how do I know my agent is being loaded (and how do I confirm that)?), here's a few things to help check that.

First, I'd recommend adding logging to aid debugging. I log to ~/Library/Logs, so add something like this to my plist:

<key>StandardOutPath</key>
<string>/Users/userx/Library/Logs/local.brew.update.stdout</string>
<key>StandardErrorPath</key>
<string>/Users/userx/Library/Logs/local.brew.update.stderr</string>

Try re-loading your plist and then check your logs:

less ~/Library/Logs/local.brew.update.stdout
less ~/Library/Logs/local.brew.update.stderr

A few additional observations:

My understanding of your inetdCompatibility is that the agent should start when it's loaded. However, you say that launchctl list doesn't show the agent. Does that change if you try launchctl start com.my.ssh_tunnel after loading the plist? Do the logs show anything new?

I don't entirely understand the relationship between Program and ProgramArguments - could just be me, but I find man launchd.plist's explanation of ProgramArguments hard-going. I'd be inclined to try adding /usr/bin/ssh as a first string in ProgramArguments, and removing the entry for Program. (Then re-load and check the logs. Re-start and check the logs if needed).

Finally, I'm pretty certain that @daniel-Azuelos is correct, and you need to specify your ProgramArguments like this (I've added usr/bin/ssh as mentioned above):

<key>ProgramArguments</key>
<array>
    <string>/usr/bin/ssh</string>
    <string>-F</string>
    <string>/Users/userx/.ssh/config</string>
    <string>dname</string>
    <string>/usr/sbin/imapd</string>
</array>

My reasoning for this is, the few plists I can find on my system that use (more than one) ProgramArguments use this idiom:

<key>Label</key>
<string>com.divx.uninstall.preferences</string>
<key>ProgramArguments</key>
<array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>if [[ ! -e "/Applications/DivX/DivX Preferences.app" ]] ; then open "/Library/Application Support/DivX/Uninstall DivX for Mac.app"; fi</string>
</array>

Note how bash's -c option and the corresponding command_string are in separate arguments.

Best Answer

Related Solutions

Web and outbound ssh stopped working but ping and other network services work

MacOS – Loading User LaunchAgent Successfully

Related Question