Why SSH Works from Windows but Not Ubuntu in Proxmox + GNS3

Posted on Tue 05 August 2025 in Networking

The Symptom

I ran into a strange issue while labbing in Proxmox with GNS3:

  • Windows (bare metal) could SSH to my GNS3 router without a problem.
  • Ubuntu (running as a VM in Proxmox) could ping the router but SSH timed out.
  • Both were on the same subnet and connected to the same Proxmox bridge (vmbr0).

At first glance, this made no sense. Ping worked, so Layer 3 was fine — why not TCP/22?

First Clues

Inside the Ubuntu VM:

ip neigh show

showed correct ARP resolution for the router’s MAC.

A Wireshark capture on the GNS3 side revealed:

  • Ubuntu’s TCP SYN packets arrived at the router.
  • No SYN/ACK reply was sent back.
  • Instead, debug ip tcp transactions on the Cisco router showed:
TCP: checksum failure <192.168.2.233,XXXXX> <192.168.2.136,22>

That was the smoking gun.

The Cause: TX Checksum Offload

The problem turned out to be TCP checksum offloading.

  • Modern NIC drivers (including Proxmox’s virtio) sometimes leave the TCP checksum unset, expecting the physical NIC to fill it in before sending.
  • In GNS3, the virtual router sees the raw packet before a real NIC ever touches it, so the checksum is wrong.
  • Windows’ NIC/driver stack handled this differently, so it never showed the problem.

Ubuntu’s NIC (ens18) was sending packets with invalid checksums to the router, so IOS dropped them instantly.

The Fix (Quick)

Disable TX checksum offload in Ubuntu:

sudo ethtool -K ens18 tx off

Test SSH again:

ssh admin@192.168.2.136

It should now connect without issue.

The Fix (Persistent)

Since Ubuntu now uses Netplan instead of /etc/network/interfaces, you can’t just add post-up lines.
The easiest persistent fix is a systemd service:

# /etc/systemd/system/disable-tx-offload.service
[Unit]
Description=Disable TX Checksum Offload on ens18
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -K ens18 tx off

[Install]
WantedBy=multi-user.target

Enable it:

sudo systemctl daemon-reload
sudo systemctl enable disable-tx-offload.service
sudo systemctl start disable-tx-offload.service

Verify:

ethtool -k ens18 | grep tx-checksumming

It should read off.

Takeaways

  • If you can ping but not SSH from a Proxmox VM to a GNS3 router, check for TCP checksum failures in IOS debug.
  • In GNS3 environments, checksum offload can break traffic to virtual devices.
  • Disabling TX checksum offload on the VM NIC is a safe workaround in lab setups.

Have you run into similar odd networking issues between Proxmox and GNS3?
Drop a comment — this one took a while to nail down.

Proxmox GNS3 Ubuntu TCP Checksum Offload Troubleshooting