05-24-2007 05:15 AM - edited 03-03-2019 05:07 PM
I have generally managed my routers by telnet connection to their WAN IP address. They have always been accessible by WAN or LAN address to a telnet connection. Rarely I would log in via the SDM. One of my routers suddenly is inaccessible using either method, although I can gain access to it through the console serial port. I have checked and compared show runs between routers but cannot figure out what needs to be done to re-enable Telnet. I have verified that the HTTP server function is enabled so SDM should at least be working. Any advice would be appreciated.
05-24-2007 05:24 AM
Hi Scott,
Can you please post the Configuration.
1. Can you check the router log & give more inputs
2. Try by rebooting the router once.
Pls Rate if Helps
Best Regards,
Guru Prasad R
05-24-2007 06:20 AM
Thanks for the reply. Yes I will post the configuration. I have to physically drive to the location to get it. I will do the reboot while I am there.
05-24-2007 07:45 AM
FORSYTHROUTER#show run
Building configuration...
Current configuration : 2989 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FORSYTHROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.244.1 192.168.244.99
!
ip dhcp pool FORSYTHdhcp
network 192.168.244.0 255.255.255.0
default-router 192.168.244.3
dns-server 192.168.242.7
!
!
ip domain name yourdomain.com
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.1.1.4 255.255.255.0
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
shutdown
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
switchport access vlan 2
!
interface Vlan1
ip address 192.168.244.3 255.255.255.0
!
interface Vlan2
ip address 192.168.24.251 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.8.1.0 255.255.255.0 10.1.1.2
ip route 10.251.8.0 255.255.255.0 192.168.241.1
ip route 10.251.32.0 255.255.255.0 10.1.1.2
ip route 192.168.21.0 255.255.255.0 10.1.1.1
ip route 192.168.22.0 255.255.255.0 10.1.1.2
ip route 192.168.23.0 255.255.255.0 10.1.1.3
ip route 192.168.240.0 255.255.255.0 10.1.1.3
ip route 192.168.241.0 255.255.255.0 10.1.1.2
ip route 192.168.242.0 255.255.255.0 10.1.1.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
no username cisco
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password xxxxxx
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password xxxxxxx
login local
transport input telnet
!
end
05-24-2007 08:03 AM
Hi,
I've noticed that "access-class 23" is applied to both the HTTP access and the VTY access (telnet). Accordingly, you must be trying to access the router using an IP in the "10.10.10.0/29" subnet, as the router will only accept this.
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
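The check described in the reply above, as an added example that is not part of the original thread: a small Python evaluator that reads the management-plane lines of a config like the one posted and reports whether a given source address passes the ACL bound to the vty lines and the HTTP server. The function names are hypothetical, the config excerpt is constructed from the posted `show run`, and only numbered standard ACL entries in the address/wildcard, `host` and `any` forms are handled.

```python
import ipaddress
import re

# Constructed excerpt: management-plane lines from the posted config, re-indented.
CONFIG = """\
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
line vty 5 15
 access-class 23 in
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (?:host )?(\S+)(?: (\S+))?[ \t]*$", re.M)
BIND_RE = re.compile(r"^\s*(?:ip http )?access-class (\d+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acls(config):
    """Return {acl_number: [(action, address, wildcard), ...]} in configured order."""
    acls = {}
    for num, action, addr, wild in ACL_RE.findall(config):
        base = 0 if addr == "any" else to_int(addr)
        mask = 0xFFFFFFFF if addr == "any" else (to_int(wild) if wild else 0)
        acls.setdefault(num, []).append((action, base, mask))
    return acls

def acl_permits(entries, source):
    """First match wins; a source matching no entry falls to the implicit deny."""
    src = to_int(source)
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if src & care == base & care:
            return action == "permit"
    return False

def management_access(config, source):
    """Map each access-class binding to True/False; None = ACL not defined in the text."""
    acls = parse_standard_acls(config)
    result, section = {}, ""
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line  # top-level command opens a new section
        if m := BIND_RE.match(line):
            key = "http" if "http" in line else section
            entries = acls.get(m.group(1))
            result[key] = acl_permits(entries, source) if entries else None
    return result
```

Running `management_access(CONFIG, "192.168.244.10")` returns `False` for the HTTP server and both vty ranges, while any address from 10.10.10.0 through 10.10.10.7 returns `True`.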
05-24-2007 08:46 AM
I agree with Mohammed that the access class restriction is a likely source of the problem. I also notice that the vty are configured with login local which requires a locally configured user name and password. But I do not see any user names and passwords configured. I would think that this would also prevent access. Except that the console is also configured with login local. If console access works then I assume that there are parts of the config that did not get posted.
HTH
Rick
05-24-2007 09:12 AM
The only things I removed from the show run were statements that contained passwords.
05-24-2007 09:33 AM
Thanks Mohammed, I will try removing that access class on my next pass through there.
05-24-2007 09:38 AM
Hi,
You are welcome, please keep us updated with the results.
HTH,
Mohammed Mahmoud.
06-06-2007 05:47 AM
Mohammed-
I finally got over to that location and removed access-list 23, and as you suspected, that was the problem. I found this very odd, as that access-list has been on the router ever since I installed it, and only recently has begun denying my telnet and http access to it. Thanks so much for your helpful reply!
06-06-2007 05:54 AM
Scott
Thanks for the update. I am glad that you have restored access to the router. It is very odd that the access list would only recently have begun denying telnet and http access unless something has changed. Is it possible that the content of access list 23 was changed? Or is it possible that the address from which you are attempting access has changed?
HTH
Rick
06-06-2007 06:09 AM
Rick,
It has to have been a moment of density on my part. The only thing I can think of is that I did originally remove the access-list from the running config but did not write mem, and the router may have power cycled due to a power failure and reloaded the access list. I don't remember having to remove the access list before, but it was about 5 months ago when I installed it. This is the only reasonable explanation I can come up with. The address scheme of the router has remained the same, and I haven't edited the access list for that router at all.
Thanks!
Scott
06-06-2007 08:12 AM
Scott
Thanks for the additional information. It is a reasonable scenario and would explain the behavior if you had removed the access list, had not saved the revised config to NVRAM, and if the router recently reloaded then it would produce exactly the symptoms that you describe.
As a solution for the problem you can either permanently remove the access list or you can re-write the access list to include the addresses from which you will initiate the access. Personally I would prefer to have the access list restricting who can access the router.
HTH
Rick
05-24-2007 06:12 AM
Hope you have checked the physical connection :).
Since you are sure that http service is enabled, I don't see any other problem.
--Jaffer
05-24-2007 09:17 AM
Yes the physical connection is good. If it were not, the entire site would be offline.