Network services starting before vyatta-router.service has started may enter a failed state if they were configured to listen on an interface or address not coming up very quickly within the vyatta-router.service commit phase.
Example ( see also T452):
Hostapd instances will be configured and brought up by vyatta-router.service.
When configuring 5GHz Wifi interfaces with DFS, SSH wil fail to start if SSH was configured to listen on the 5GHz Wifi AP interface address. The 5GHz AP needs at least 60sec startup time because of radar scanning. During startup time, the Wifi interface is down, causing the SSH daemon being restarted by vyatta-router.service with its new config to silently fail. However, the commit sequence passes as it does not detect this lockup. The result is a VyOS system without SSH access despite Wifi AP started working after 60sec.
Other servies may be affected as well.
Workaround
Configure the SSH service to listen on 0.0.0.0 and set up firewall rules to selectively allow access.