Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5326
Views
0
Helpful
6
Replies

TELNET NOT WORKING OVER VPN

steve-gates
Level 1
Level 1

‎10-22-2010 12:43 AM - edited ‎03-04-2019 10:12 AM

Morning

  I have a Cisco 887 which is set up with split tunneling, a VPN for remote management and a internal dhcp LAN for general web browsing. My problem is that I can't get telnet to work over the VPN. SSH access works fine but i need to be able to telnet to the device and devices behind the router. When i debig TCP Packets I get the following output:

000457: OCT 19 11:34:57 GMT0BST: TCP0: bad segment from 10.xx.xx.xxx --IDB not up:port 23 seq 1538323348 ack 0 rcvnxt 0 rcvnxt 0 rcvwnd 4128 len 0

Does anyone have any knowledge of this error or point me in the direction to look,,

Cheers

Labels:
0 Helpful
6 Replies 6

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎10-22-2010 07:19 AM

Hi,

The crypto traffic is defined as IP traffic so either SSH or telnet are permitted since both run on top of TCP.

Do you have any VPN filters or ACLs in place that might be blocking telnet through the tunnel?

Federico.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎10-22-2010 07:21 AM

Hello Steve,

in order to get better help post the configuration of the C887 just remove user/passwords and change public addresses for your safety

Hope to help

Giuseppe

0 Helpful

steve-gates
Level 1
Level 1
In response to Giuseppe Larosa

‎10-24-2010 11:55 PM

I have attached a config. We do have access lists on the VTY but they permit our private addresse

s as per our other VPN routers...

74003-CISCO887.txt.zip
0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to steve-gates

‎10-25-2010 09:34 AM

Steve a question,

You can telnet to the router locally? (not through the VPN tunnel)?

I just want to make sure the router is accepting telnet connections fine.

Federico.

0 Helpful

steve-gates
Level 1
Level 1
In response to Federico Coto Fajardo

‎10-25-2010 11:29 PM

Morning

  Yes we can telnet locally with no problem. It is just if we telnet from our works system to the internal management address we have a problem.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to steve-gates

‎11-01-2010 08:37 AM

Steve,

As a suggestion you can try the following...

Create an ACL and apply it to the outside interface to check the telnet packets (or use an existing ACL already applied).

ip access-list extended TEST

  permit tcp host x.x.x.x host y.y.y.y eq 23 --->  x.x.x.x is the IP of the remote VPN client and y.y.y.y the IP of the router

  permit ip any any

interface OUTSIDE_INTERFACE

  ip access-group TEST in

The above ACL is to test if telnet packets are being received by the router properly (show access-list TEST) will show the hitcounts incrementing everytime the telnet connection is attempted.

Another thing is to enable logs and check what are the related logs reported by the router related to the telnet connections.

Federico.

0 Helpful
Customers Also Viewed These Support Documents
Top