After a successful telnet I can only ever write short commands

m.belloni
Level 1

I have a Cisco 1721 which is part of a network of many other Cisco 1721s. Suddenly I was unable to telnet to it, and a router replacement didn't help. I can only telnet into it by using vty 4. If I use all the vtys, telnet doesn't work. Then I have a couple of other strange problems: I configured a password for the vty access, but when I telnet successfully I immediately get access into the router and no password is asked of me. Then, I can only write short commands. If I write for example a general "show int" or a "show running-config", the scrolling of the data stops and never goes on after the first screen.

I tried from different PCs and I always got the same behaviour.

A cut and paste of the vty line configuration and the access-list 14 configuration follows:

line vty 0 3
 access-class 14 in
 exec-timeout 3 0
 password xxx
 logging synchronous
 no login
 escape-character 27
line vty 4
 access-class 14 in
 exec-timeout 3 0
 timeout login response 60
 password xxx
 logging synchronous
 login
 escape-character 27

access-list 14 remark Controlled access via VTY Lines - Inbound
access-list 14 permit 10.252.240.0 0.0.3.255
access-list 14 permit 192.92.77.0 0.0.0.255
access-list 14 permit 192.92.22.0 0.0.0.255
access-list 14 permit 143.159.0.0 0.0.255.255
access-list 14 permit 146.198.0.0 0.1.255.255
access-list 14 permit 165.120.0.0 0.0.255.255
access-list 14 permit 213.31.20.0 0.0.3.255
access-list 14 permit 10.28.91.0 0.0.0.255
access-list 14 permit 10.28.110.0 0.0.0.255
access-list 14 permit 10.252.169.0 0.0.0.31
access-list 14 permit 10.252.169.64 0.0.0.31
access-list 14 permit 192.168.0.0 0.0.255.255
access-list 14 permit 204.231.0.0 0.0.255.255
access-list 14 permit 10.252.168.0 0.0.3.255
access-list 14 permit 10.252.232.0 0.0.3.255
access-list 14 permit 10.252.241.0 0.0.0.255

Thanks for your help,

Max

4 Replies

jasyoung
Level 7

This is a classic symptom of an MTU/path MTU discovery problem. You have a short MTU in your path to that router somewhere, commonly because of GRE and/or IPsec tunneling.

When your first normal max-sized packet comes through (1500 bytes) it fails to transit whatever short MTU link(s) you have. This is because the DF (don't fragment) bit is almost always set so the router won't fragment it. The originator relies on the router to generate an ICMP message back to it to signal the MTU forced drop so that it knows it should reduce the MSS for that connection. That's what's known as path MTU discovery. When the router drops packets because of an MTU problem and doesn't generate an ICMP message back to the origin (or said ICMP message doesn't make it all the way back), the PMTU discovery process has broken down. The originator continues to retransmit the same too-big packet over and over and eventually times out and tears down the connection.

Not knowing more about your network, I can't tell you the exact fix. However, I can tell you it's a configuration issue and not a hardware issue. Hopefully I've given you enough of a head start to find the problem yourself. If you can't find it, we'll need you to post again and attach copies of your configuration for that router and for every router between it and the station you're using to telnet to it. Be sure to remove passwords and such first.
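The PMTUD breakdown jasyoung describes can be modelled in a few lines; the following is an added example (my own code, not from the thread or from Cisco). A sender with DF set pushes 1500-byte packets across a path containing a constructed 1400-byte tunnel hop, first with the ICMP "fragmentation needed" message delivered, then with it suppressed, and finally with the MSS clamped to the path minimum, which is what `ip tcp adjust-mss` on the tunnel interface achieves. Link names, MTUs and the retransmit limit are constructed values.

```python
"""Model of TCP path MTU discovery (PMTUD) and of the black hole that
appears when the ICMP 'fragmentation needed' message never reaches the
sender. Added example; hosts, link MTUs and limits are constructed."""

from dataclasses import dataclass, field

IP_TCP_OVERHEAD = 40  # IPv4 (20) + TCP (20) header bytes, no options


@dataclass
class Link:
    name: str
    mtu: int
    # Whether the router in front of this link returns ICMP type 3 code 4
    # ("fragmentation needed and DF set") when it drops an oversized packet.
    sends_icmp_frag_needed: bool = True


@dataclass
class Sender:
    mss: int                      # current TCP MSS for this connection
    max_retransmits: int = 3      # constructed limit before giving up
    log: list = field(default_factory=list)

    def packet_size(self) -> int:
        return self.mss + IP_TCP_OVERHEAD


def send_segment(sender: Sender, path: list) -> bool:
    """Deliver one max-sized, DF-set segment across `path`.

    Returns True when the segment gets through, False when the sender
    exhausts its retransmits (the PMTUD black hole from the thread)."""
    for attempt in range(sender.max_retransmits + 1):
        size = sender.packet_size()
        blocked = next((link for link in path if size > link.mtu), None)
        if blocked is None:
            sender.log.append(f"delivered {size}-byte packet")
            return True
        if blocked.sends_icmp_frag_needed:
            # The ICMP message carries the next-hop MTU; sender shrinks its MSS.
            new_mss = blocked.mtu - IP_TCP_OVERHEAD
            sender.log.append(f"{size} > MTU {blocked.mtu} on {blocked.name}: "
                              f"ICMP frag-needed, MSS {sender.mss} -> {new_mss}")
            sender.mss = new_mss
        else:
            # Silent drop: the sender learns nothing and resends the same size.
            sender.log.append(f"{size} > MTU {blocked.mtu} on {blocked.name}: "
                              f"dropped silently (attempt {attempt + 1})")
    sender.log.append("retransmit limit reached: connection torn down")
    return False


def clamp_mss(sender: Sender, path: list) -> None:
    """Mitigation in the spirit of `ip tcp adjust-mss`: cap the MSS so no
    DF packet can exceed the smallest MTU on the path."""
    sender.mss = min(sender.mss, min(link.mtu for link in path) - IP_TCP_OVERHEAD)


def demo(icmp_works: bool, clamp: bool = False) -> tuple:
    """Run one scenario; returns (delivered, final MSS)."""
    # Constructed path: LAN, a GRE/IPsec tunnel hop with a smaller MTU, LAN.
    path = [
        Link("lan", 1500),
        Link("tunnel", 1400, sends_icmp_frag_needed=icmp_works),
        Link("remote-lan", 1500),
    ]
    sender = Sender(mss=1460)     # 1460 + 40 = 1500-byte packets, DF set
    if clamp:
        clamp_mss(sender, path)
    delivered = send_segment(sender, path)
    return delivered, sender.mss


if __name__ == "__main__":
    scenarios = [
        ("PMTUD working", {"icmp_works": True}),
        ("ICMP filtered", {"icmp_works": False}),
        ("ICMP filtered + MSS clamp", {"icmp_works": False, "clamp": True}),
    ]
    for label, kwargs in scenarios:
        delivered, mss = demo(**kwargs)
        print(f"{label}: delivered={delivered}, final MSS={mss}")
```

The middle scenario is exactly the symptom in the question: the telnet session works for short command output (small packets) and hangs the moment the router sends its first full-sized segment of "show running-config".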

Ok, thanks. The router with the problem has IOS c1700-y-mz.123-2.XE.bin and its config file follows below. As you can see there should be TACACS access, which doesn't work, so currently I'm focusing first of all on the telnet problem:

logging queue-limit 100
logging buffered 8000 debugging
no logging console
enable password xxx
!
username rgit0011rom password xxx
username tsi password xxx
username eis password xxx
username tsemil password xxx
no spd enable
no aaa new-model
ip subnet-zero
no ip source-route
!
interface Loopback1
 ip address 10.252.240.34 255.255.255.255
!
interface FastEthernet0
 description Connection to Customer LAN
 ip address 10.29.227.225 255.255.255.224
 ip helper-address 10.28.84.16
 ip helper-address 10.28.84.17
 ip helper-address 10.28.88.16
 ip helper-address 10.28.88.17
 ip policy route-map set-dscp
 delay 1000
 speed auto
 no keepalive
 no cdp enable
!
interface Serial0
 bandwidth 32
 no ip address
 no ip redirects
 no ip proxy-arp
 max-reserved-bandwidth 100
 encapsulation frame-relay
 ip split-horizon
 no fair-queue
 frame-relay traffic-shaping
 no frame-relay inverse-arp
!
interface Serial0.1 point-to-point
 description primary connection to rgit0011mil
 bandwidth 32
 ip address 10.252.241.86 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 190
!
interface Serial0.2 point-to-point
 description secondary connection to rgit0011rom
 bandwidth 32
 ip address 10.252.241.90 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable
 frame-relay interface-dlci 390
!
router rip
 version 2
 timers basic 30 90 90 120
 redistribute connected metric 5
 offset-list 10 in 1 Serial0.2
 offset-list 10 out 1 Serial0.2
 network 10.0.0.0
 network 213.31.20.0
 network 213.31.22.0
 default-metric 5
 no auto-summary
!
ip local policy route-map set-dscp
ip classless
ip default-network 192.92.20.0
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
access-list 14 remark Controlled access via VTY Lines - Inbound
access-list 14 permit 10.252.240.0 0.0.3.255
access-list 14 permit 192.92.77.0 0.0.0.255
access-list 14 permit 192.92.22.0 0.0.0.255
access-list 14 permit 143.159.0.0 0.0.255.255
access-list 14 permit 146.198.0.0 0.1.255.255
access-list 14 permit 165.120.0.0 0.0.255.255
access-list 14 permit 213.31.20.0 0.0.3.255
access-list 14 permit 10.28.91.0 0.0.0.255
access-list 14 permit 10.28.110.0 0.0.0.255
access-list 14 permit 10.252.169.0 0.0.0.31
access-list 14 permit 10.252.169.64 0.0.0.31
access-list 14 permit 192.168.0.0 0.0.255.255
access-list 14 permit 204.231.0.0 0.0.255.255
access-list 14 permit 10.252.168.0 0.0.3.255
access-list 14 permit 10.252.232.0 0.0.3.255
access-list 14 permit 10.252.241.0 0.0.0.255
privilege exec level 1 telnet
privilege exec level 1 traceroute
privilege exec level 1 ping
privilege exec level 1 show ip access-lists
privilege exec level 1 show ip
privilege exec level 1 show startup-config
privilege exec level 1 show
!
line con 0
 timeout login response 60
 password xxx
 login
line aux 0
line vty 0 3
 access-class 14 in
 exec-timeout 3 0
 password xxx
 logging synchronous
 no login
 escape-character 27
line vty 4
 access-class 14 in
 exec-timeout 3 0
 timeout login response 60
 password xxx
 logging synchronous
 login tacacs
 escape-character 27
!
no scheduler allocate
!
end

Please note that the other routers of the same network have IOS c1700-sy-mz.122-15.T5.bin. Another colleague followed the problem before me and he assured me that he got the same results with this IOS too.

The strange thing is also that when I telnet into the router I immediately get in and no password is asked!

Thanks Max

Richard Burts
Hall of Fame

The answer to part of your question is clear. You state that if you telnet to vty 0 3 you gain access without being prompted for a password and if you telnet to vty 4 you are prompted for a password. This is because you have configured vty 0 3 with "no login". The login procedure is what generates the prompt for the password and you have configured these lines to not generate the prompt. On vty 4 you have configured "login" and so that vty does generate the prompt.

The rest of the question I find a bit confusing - one part of the question says that you cannot telnet to vty 0 3 and another part describes what happens when you do telnet to those vty.

Also I am not clear whether your problem about not scrolling through longer output is unique to vty 4 or is on all of the vty.

Can you clarify this part of the question?

HTH

Rick

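Rick's point, that `no login` on vty 0 3 is why the session gets an exec prompt without any password check, is the kind of misconfiguration a config audit should flag before anyone notices it interactively. Below is an added example (my own code, not from the thread or from Cisco) that parses the `line` stanzas of an IOS running-config and reports, per vty line, whether it skips authentication, lacks an access-class, or has `login` with no password set. The finding names are my own; the sample config is the line section quoted in the question, with the poster's own `xxx` password placeholders.

```python
"""Audit `line vty` stanzas in an IOS running-config for the settings this
thread turns on: `login` vs `no login`, a password to back `login`, and an
access-class restricting who may connect. Added example; the finding
labels are constructed and the sample config is the one from the thread."""

import re
from dataclasses import dataclass, field

# Line section quoted in the question (passwords already masked by the poster).
SAMPLE_CONFIG = """\
line con 0
 timeout login response 60
 password xxx
 login
line aux 0
line vty 0 3
 access-class 14 in
 exec-timeout 3 0
 password xxx
 logging synchronous
 no login
 escape-character 27
line vty 4
 access-class 14 in
 exec-timeout 3 0
 timeout login response 60
 password xxx
 logging synchronous
 login tacacs
 escape-character 27
!
"""

LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")


@dataclass
class LineStanza:
    kind: str
    first: int
    last: int
    commands: list = field(default_factory=list)

    @property
    def label(self) -> str:
        rng = f" {self.last}" if self.last != self.first else ""
        return f"{self.kind} {self.first}{rng}"


def parse_line_stanzas(config: str) -> list:
    """Group the indented sub-commands under each top-level `line ...` header."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        header = None if indented else LINE_RE.match(raw.strip())
        if header:
            kind, first, last = header.group(1), int(header.group(2)), header.group(3)
            current = LineStanza(kind, first, int(last) if last else first)
            stanzas.append(current)
        elif indented and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return stanzas


def audit_vty(stanzas: list) -> dict:
    """Return {vty label: [finding strings]}; an empty list means no finding."""
    report = {}
    for s in stanzas:
        if s.kind != "vty":
            continue
        cmds = s.commands
        findings = []
        has_password = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append("no-login: exec prompt given with no password check")
        elif "login" in cmds and not has_password:
            # IOS refuses such a line with "Password required, but none set".
            findings.append("login-no-password: line will refuse connections")
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append("no-access-class: any source address may connect")
        report[s.label] = findings
    return report


if __name__ == "__main__":
    for label, findings in audit_vty(parse_line_stanzas(SAMPLE_CONFIG)).items():
        print(f"line {label}: {findings or 'ok'}")
```

On the posted config the script reports vty 0 3 as passwordless and vty 4 as clean, which matches Rick's reading: a telnet that lands on any of lines 0 to 3 gets straight in, only a session that lands on line 4 is challenged.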

Ok, I understand. Before reading your answer I believed I was getting access into the router through vty 4 and I considered it strange that it didn't ask me for a password. I was wrong, because I get access into the router through vty 0 3, so it's normal that no password is asked. But why am I unable to telnet to the Cisco if I configure, as usual, all vty 0 4 together?

And why, if after the telnet I write for example the "show running" command, does the scrolling of the page stop so that I cannot get all the configuration displayed? This router has IOS c1700-y-mz.123-2.XE.bin, while all the other Ciscos of this network have IOS c1700-sy-mz.122-15.T5.bin, but I can assure you that also with the canonical IOS I got the same trouble.

Thanks Max