Firewall Issues - ssh_dispatch_run_fatal errors during SSH

Just upgraded to Sequoia and noticed a lot of issues with the firewall while using ssh.


After ssh'ing into a local server on my network, after a few minutes I get this error:


Bad packet length 2489765067.

ssh_dispatch_run_fatal: Connection to 192.168.30.2 port 22: Connection corrupted


I can trigger it by ssh'ing into pretty much any server or computer on my network and then executing a command like:


ping google.com


within 10 - 30 seconds, the connection drops.


Happens with IPv4 and IPv6. Happens with Terminal and iTerm apps.


Disabling the firewall fixes the issue. In this case, my Mac is running statically in my local network and safely behind an upstream firewall. So, it's annoying to have to disable the firewall every time I have to ssh in anywhere, but not the end of the world. Obviously, that isn't a long term fix, however.


Anyone else seeing similar?

Mac Studio

Posted on Sep 17, 2024 6:35 PM

Question marked as Top-ranking reply

Posted on Oct 6, 2024 6:28 PM

Whilst it is true that Apple cannot fix the problem caused by others, this issue should not be ignored. macOS 15.0.x borks TCP connections. See the Little Snitch blog about Sequoia on TCP, Firewall issues: https://obdev.at/blog/should-i-upgrade-to-macos-sequoia-now/


Disabling all third-party Network Filters will alleviate the issue temporarily (until, hopefully, a fix in 15.1). macOS Firewall set to **block** all incoming connections (with the exception of some internal processes) works for me as well (you can set this to allow all and fine-tune the setting per third-party application).


As for VPN, well, I use Firefox connected to VPN via Windscribe and it works, so far so good. I have yet to run a VPN for all network connections, perhaps I will do this soon to test.


macOS 15.0 is new, let's give Apple time to fix it -- also hoping that beta testers report this bug. As for us, let's continue filing bug reports, the more, the better, so Apple gets to prioritize it.


In the meantime, if you are from corporate IT, it is your responsibility to evaluate and certify new software before your users are allowed to download and install it. And if a user installs Sequoia, knowing that there is this bug AND if it is mission critical, then get them to revert back to macOS 14. :)


78 replies

Sep 20, 2024 7:51 AM in response to mikeloiterman

Seeing the same behavior here on Sequoia with Microsoft Defender and Palo Alto Cortex XDR installed. Cannot turn off either of them, as it's a company-managed device where I literally don't have the needed privileges to disable or reconfigure the software.


Oddly, a coworker with the same set-up isn't able to reproduce the issue. Only obvious difference is he's on m3, I'm on m2.


To reproduce the issue, I'm ssh'ing into several servers at once and running this loop on all of them -- they all stop at the same time when the issue occurs, and it only takes a few minutes:


while [ true ]; do echo "$(hostname) $(date)"; sleep 1; done


Even more strange, I opened an AWS ec2 instance using SSM connection manager, which is a browser-based terminal interface that communicates with an ec2 instance via an open https connection to AWS, so there's no ssh between my workstation and the ec2 instance, and the connection manager session also loses connectivity between my workstation and AWS at the same time that the other connections drop. I can just refresh the web page containing the session, and it's back again, but this indicates that it's not just ssh connections being impacted -- it's potentially any open tcp connection.



Sep 19, 2024 12:58 PM in response to Garrana

I'm not using Microsoft Defender, but I am using Little Snitch. As you suggested, I tried disabling it completely, both from within the app as well as from within Network settings -> Filters. Unfortunately, I still see the problem.


I've also tried adding


/usr/bin/ssh 


to the list of firewall exceptions and tried using socketfilterfw method as well. Neither made a difference.


In console, I see activity when the connection drops like:


Could not find app info, return the original flow without filling in app info


but nothing really sticks out.


I also tried adjusting my ssh client configuration:


Host *
  TCPKeepAlive yes
  ServerAliveInterval 60
  ServerAliveCountMax 3


but this also had no effect.


I strongly suspect that apart from disabling the firewall entirely, there's not much we can do until Apple fixes this bug. I do hope to be proven wrong, because disabling the firewall is just not a practical solution.

Sep 19, 2024 2:41 PM in response to etresoft

The default firewall configuration allows any built-in app, and any 3rd party signed app, to accept incoming connections. It doesn't block anything. In some versions, if you manually change settings to block software, it will just change it back to allow. But assuming you have a version that works, then it is only going to block local connections, like from your printer or other computers in your house.

No argument that the default config allows signed apps (built-in or otherwise) to accept incoming connections. This configuration allows general users the ability to install and use tools w/o having to know much about the network; and IMHO even if there was an alert .. that same level of user would click right through it same as their user agreement :)


Could Apple do better? Sure, no argument there either. However, users that want more security can use third-party tools that do better ( snitch, etc. ) .. tho I would agree that it would be nice if the inherent tool was more applicable.

For the vast majority of users, no outside connection is going to make it past their modem in the first place.

This comment assumes only a home or behind-a-physical firewall use-case; I am considering this and all the places one takes one's lappy: coffee, airplane, school, conference, etc. To your point those same services are open if installed and may be an exploitable vector; however.. it's a layer that may need to be worked around for those being malicious .. and again doesn't hurt (except in this case where it's borked).


This is one area where I think Microsoft had a better approach by having profiles based on network location that apply different levels of security profile; and other tools could benefit from the approach.

This is a user-to-user support forum for consumer users. Companies typically have all kinds of specialized configurations and software that we don't have and can't support.

Per Community etiquette guidelines - Apple Support This is a general support site; not limited by use-case.

Oct 7, 2024 11:36 AM in response to mikeloiterman

15.0.1 caused the issue to skyrocket in severity. Since 15.0 SSH connections aborted but Remote Desktop was fine (connecting to an RD farm, not just open RDP .. don't freak out).


Installed 15.0.1 today and now my RDP connections drop every 30 seconds or so. After disabling the firewall (wow, really?) the disconnects are gone entirely. I also had trouble with page loads in the browser.


These have to get fixed, I can't consider macOS a viable platform anymore if these basic issues are not resolved.

Oct 20, 2024 8:54 AM in response to tbirdvet

tbirdvet wrote:

Did not last long with firewall off. For me the solution was to turn off WiFi and only use ethernet.

Please understand that this issue happens with everything, wireless or ethernet, as it doesn't depend on the network interface. I have a docking station with ethernet and I get it every now and then. You're just lucky you didn't get it in this short period of time. Give it long enough time and it will happen again.


The most painful part of this issue is that people keep tinkering with things, and then one thing fixes the issue temporarily, and everyone yells "eureka"... like I said before, the internet is literally flooded with "MacOS network timeout issues", and everyone thinks they got a fix, but eventually it comes back, and people don't have time to track this and most of the time they prefer to just restart MacOS. The core issue is still there though. I do really hope Apple will fix it (and part of me is happy that Sequoia made the issue quite pronounced, so that it gets fixed once and for all). I did report the issue through feedback assistant, and have proven that it's an issue in MacOS. Let's wait and see.

Oct 29, 2024 12:02 PM in response to mikeloiterman

Updated to 15.1 and this has mitigated the issues quite a bit (I haven't noticed it yet today).


On 15.0.x I would get SSH errors every few minutes in Chrome (very obvious with the ERR_SSL_PROTOCOL_ERROR) - and have not experienced it in my 6 hours of computing today.


Unsure if the issue is completely mitigated, but so far 15.1 has been a significant improvement for me.

Oct 29, 2024 11:05 PM in response to mikeloiterman

mikeloiterman wrote:

15.1 fixes the issue that started this thread. Firewall is now enabled and I have no ssh disconnection issues.

This depends on whether the issue got completely fixed or just improved. It seems that many people here are reluctant to do the ping tests multiple times per day to see these spikes I talk about. Note that disabling the firewall *improves* these spikes, it doesn't remove them completely. Meaning: The issue you're claiming was fixed in 15.1 is just a symptom of a bigger problem. Congratulations to you, since you seem to have a setup, for which this is working for you. But I do implore those who have things working for them to be more understanding and not dismiss the bigger issue for those who have a more complex setup. I have all kinds of friends and colleagues that are facing networking problems in different severities, ranging from once per month blocked networking to every day.


In summary: If you want to check whether the issue is fixed, ping your router every few hours, and if you have zero spikes in response time (whether small or big), then the issue is fixed for you. If the spikes become so large that they lead to timeouts, then you'll face all the problems everyone talked about in this post, including ssh disconnections, internet lags and connectivity problems, etc.
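The router ping check described in the post above, as an added example that is not part of the original thread: it counts replies, timeouts and latency spikes in macOS `ping` output. The address 192.168.30.1, the sample output, and the spike threshold (5x the median, with a 5 ms floor) are constructed assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): summarise spikes and timeouts in ping output.
# SPIKE_FACTOR and the 5 ms floor are assumed thresholds; tune them for your network.
SPIKE_FACTOR=${SPIKE_FACTOR:-5}

# Reads ping output on stdin and prints one summary line.
ping_spikes() {
  awk -v factor="$SPIKE_FACTOR" '
    /time=/ {                       # reply line: "... icmp_seq=0 ttl=64 time=1.203 ms"
      split($0, a, "time="); split(a[2], b, " ")
      rtt[++n] = b[1] + 0
    }
    /^Request timeout/ { timeouts++ }   # macOS prints this for a lost reply
    END {
      if (n == 0) {
        printf "replies=0 timeouts=%d spikes=0 median_ms=NA worst_ms=NA\n", timeouts
        exit
      }
      # Sort a copy (insertion sort) to get the median as the baseline.
      for (i = 1; i <= n; i++) s[i] = rtt[i]
      for (i = 2; i <= n; i++) {
        v = s[i]
        for (j = i - 1; j >= 1 && s[j] > v; j--) s[j + 1] = s[j]
        s[j + 1] = v
      }
      med = (n % 2) ? s[(n + 1) / 2] : (s[n / 2] + s[n / 2 + 1]) / 2
      limit = med * factor; if (limit < 5) limit = 5
      for (i = 1; i <= n; i++) if (rtt[i] > limit) spikes++
      printf "replies=%d timeouts=%d spikes=%d median_ms=%.3f worst_ms=%.3f\n", \
             n, timeouts, spikes, med, s[n]
    }'
}

# Constructed sample in macOS ping format (not captured from a real host).
sample_ping_output() {
  cat <<'EOF'
PING 192.168.30.1 (192.168.30.1): 56 data bytes
64 bytes from 192.168.30.1: icmp_seq=0 ttl=64 time=1.203 ms
64 bytes from 192.168.30.1: icmp_seq=1 ttl=64 time=1.118 ms
64 bytes from 192.168.30.1: icmp_seq=2 ttl=64 time=412.907 ms
Request timeout for icmp_seq 3
64 bytes from 192.168.30.1: icmp_seq=4 ttl=64 time=1.342 ms
64 bytes from 192.168.30.1: icmp_seq=5 ttl=64 time=0.987 ms
EOF
}

sample_ping_output | ping_spikes
# Live use (replace the address with your router's): ping -c 60 192.168.30.1 | ping_spikes
```

Running it a few times a day with the firewall and network filters in different states, and keeping the summary lines, gives a comparable record of whether an update changed the behaviour.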

Sep 17, 2024 8:07 PM in response to mikeloiterman

mikeloiterman wrote:

Why is disabling the firewall every time I have to SSH into a server not a long term fix?

Because I have to ssh into a lot of servers and computers frequently and often stay logged into them for long periods of time. So, that essentially means disabling the firewall on my Mac entirely.

Sorry. I meant that disabling the firewall entirely was the long-term fix. It’s a do-nothing app - a placebo. I don’t know for sure that it is causing the problem you describe. But I do know for sure that it’s a waste of time.

Sep 19, 2024 11:17 AM in response to etresoft

Thank you for making this post! I spent 12 hours today troubleshooting my network trying to isolate this issue. I cannot confirm that this is the solution just yet, although the symptoms and timing are spot on. But I'm working with IT at work to disable firewall for testing.


For anybody else searching for a solution on this, here is a full writeup on the issues I am seeing https://community.ui.com/questions/Entire-network-halts-crashes-every-minute/0c0625b0-5658-4cb2-b95c-ddb17c6920a2 . The weird thing is that I am not seeing these issues when I am connected directly to my router, only when I add a switch between myself and whatever I am trying to communicate with.


Tagging this post with: Sequoia, ERR_SSL_PROTOCOL_ERROR, Bad packet length, ssh_dispatch_run_fatal

Sep 23, 2024 7:31 AM in response to mikeloiterman

We're experiencing a similar issue with Sentinel One and Microsoft Defender here:



This leads to multiple SSL errors. In Chrome for instance we see ERR_SSL_PROTOCOL_ERROR very often.


Uninstalling Sentinel One or Defender (or disabling Network Filters for those) fixes the issue but it's definitely not a solution, especially on corporate networks and computers.


We're trying to investigate if there is a link between those apps' Network Filters and the fact that we also have Firewall enabled in macOS (which is disabled usually by default).


[Edited by Moderator]

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
