
Cisco 2951 Can't access via telnet port 23 normally

Hello

I am experiencing an unusual behavior with a Cisco 2951 router. When I try to access it via Telnet normally, I only see the following:


Trying X.X.X.X...
Connected to X.X.X.X
Escape character is '^]'.

I never get the prompt to enter a username and password.

To solve the remote access issue, I found that adding the rotary option to link the port to a specific VTY line works. Here is the configuration:

line vty 3 4
login local
rotary 99
transport input all

With this configuration, I can access the router, but I have to add the port number 3099 after telnet x.x.x.x.

I would like to request your help to analyze why this is happening and how to fix it to have normal Telnet access. Here is some information that might be helpful:

 

System image file is "flash0:c2951-universalk9-mz.SPA.152-4.M8.bin"
NAME: "CISCO2951/K9", DESCR: "CISCO2951/K9 chassis, Hw Serial#:, Hw Revision: 1.1"
PID: CISCO2951/K9 , VID: V06 , SN:
NAME: "C2921/C2951 AC Power Supply", DESCR: "C2921/C2951 AC Power Supply"
PID: PWR-2921-51-AC , VID: V03 , SN: QCS1551H2HN
RI01GENL-71935875#

RI01GENL-71935875#sh line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 0 0 0/0 -
1 1 AUX 9600/9600 - - - - - 2 0 0/0 -
2 2 TTY 9600/9600 - - - - - 0 0 0/0 -
* 644 644 VTY - - 99 - - 140 0 0/0 -
* 645 645 VTY - - 99 - - 68 0 0/0 -
* 646 646 VTY - - 99 - - 116 0 0/0 -
647 647 VTY - - 99 - - 109 0 0/0 -
648 648 VTY - - 99 - - 80 0 0/0 -
649 649 VTY - - - - - 18 0 0/0 -
650 650 VTY - - - - - 0 0 0/0 -
651 651 VTY - - - - - 0 0 0/0 -
652 652 VTY - - - - - 0 0 0/0 -
653 653 VTY - - - - - 0 0 0/0 -
654 654 VTY - - - - - 0 0 0/0 -
655 655 VTY - - - - - 0 0 0/0 -
656 656 VTY - - - - - 0 0 0/0 -
657 657 VTY - - - - - 0 0 0/0 -
658 658 VTY - - - - - 0 0 0/0 -
659 659 VTY - - - - - 0 0 0/0 -

Directory of flash0:/
1 -rw- 104728372 Jun 3 2015 17:15:58 -05:00 c2951-universalk9-mz.SPA.154-3.M2.bin
2 -rw- 3066 Jun 3 2015 17:26:32 -05:00 cpconfig-29xx.cfg
3 drw- 0 Jun 3 2015 17:27:06 -05:00 ccpexp
457 -rw- 2885 Jun 3 2015 17:30:44 -05:00 home.shtml
458 -rw- 90458256 Jan 14 2025 10:09:38 -06:00 c2951-universalk9-mz.SPA.152-4.M8.bin

 

RI01GENL-71935875#dir nvram:
Directory of nvram:/

244 -rw- 3028 <no date> startup-config
245 ---- 7933 <no date> private-config
246 -rw- 3028 <no date> underlying-config
1 -rw- 2945 <no date> cwmp_inventory
4 ---- 396 <no date> persistent-data
5 -rw- 0 <no date> ifIndex-table
6 -rw- 17 <no date> ecfm_ieee_mib

Thanks in advance


@Angel Castillo Montejano 

 

line vty 0 4
password secret
login
transport input all

Same issue.
The connection is established, but it wants to connect to line vty 2, but apparently port 23 is being used.

Why don't you use SSH instead?

 You may need to enable ssh with crypto key generate rsa command. 

I already tried with the same behavior.

ip domain name cisco.com
!
ip ssh version 2

In this case, when I type ssh x.x.x.x, the connection is not established either.

The RT has a Service Engine interface, but I wasn't able to find out if it could be the problem.

 

 

 

 

Can I see the show running-config

Sure. Here it is.

 Run 

aaa new-model

 

Based on the configuration provided, you still have a few lines that listen on TCP port 22 and are not configured with a rotary group:

line vty 3
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh

You should add "transport input all" on the lines mentioned if you want to use telnet.

May I ask why you are using the rotary feature? Is it because you want to control which vty your connection will land on? Looking at the configuration, you have 4 vty lines configured with rotary and 16 vty lines without rotary, so it must be another reason.

If you don't need the rotary feature, clear it from your configuration and configure all the vty lines as suggested by @Flavio Miranda

line vty 0 15
password secret
login local
transport input all

and use telnet or ssh to connect to your router.

Regards, LG
*** Please Rate All Helpful Responses ***

Simply, there is a FW blocking the well-known port 23; when you use another port you can access it.

MHM

Devaa

It seems the default telnet port 23 is blocked and port 3099 is allowed for security reasons. You can validate that using tcptraceroute.

tcptraceroute <router-ip> 3099

tcptraceroute <router-ip> 23

Trace to port 3099 should complete and port 23 should drop. You can compare the traces and check if the trace to port 23 drops at the last hop or any other hop before that which is a firewall or ACL in the GW. 

The posted config has multiple issues that impact access using telnet.

Many vty lines specify login local, but the config does not contain aaa new-model, which is needed to use local ID and password. So the suggestion by @Flavio Miranda is an excellent starting point.

vty 0 and 1 specify rotary 99. Not sure why, but that is why you need to use 3099. Remove rotary 99 and it should work ok.

vty 2 specifies rotary 99 and also specifies that the port will process SSH (which excludes telnet). And the most important issue here is the specification of no exec, which prevents any access on this port.

vty 3 specifies protocol ssh, so telnet is not allowed on this port.

vty 4 specifies rotary 99, so same comment as above.

The rest of the vty lines specify ssh, so telnet is not allowed on these ports.

HTH

Rick
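
An added example (not part of the thread and not Cisco tooling): a small Python audit that reads `line vty` stanzas and reports, per range, the rotary port (3000 + group number, as with rotary 99 and port 3099 above), whether a stated `transport input` leaves out telnet, and `no exec`. The sample config is constructed to resemble the stanzas described in the reply above, and `parse_vty` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample shaped like the vty stanzas the reply describes (not the poster's config).
SAMPLE = """\
line vty 0 1
 rotary 99
 transport input all
line vty 2
 no exec
 rotary 99
 transport input ssh
line vty 3 15
 transport input ssh
"""

def parse_vty(config):
    """Return one dict per 'line vty' stanza with the settings that gate access."""
    stanzas, cur = [], None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        words = raw.split()
        if m:
            cur = {"first": int(m.group(1)), "last": int(m.group(2) or m.group(1)),
                   "rotary": None, "transport": set(), "exec": True}
            stanzas.append(cur)
        elif cur is None or not raw.startswith(" ") or not words:
            cur = None  # any top-level or blank line closes the stanza
        elif words[0] == "rotary" and len(words) > 1:
            cur["rotary"] = int(words[1])
        elif words[:2] == ["transport", "input"]:
            cur["transport"] = set(words[2:])
        elif words == ["no", "exec"]:
            cur["exec"] = False
    return stanzas

def audit(stanzas):
    """Map each vty range to findings that explain failed or port-shifted telnet."""
    report = {}
    for s in stanzas:
        report[(s["first"], s["last"])] = notes = []
        if s["rotary"] is not None:
            notes.append(f"rotary {s['rotary']} -> TCP {3000 + s['rotary']}")
        if s["transport"] and not s["transport"] & {"all", "telnet"}:
            notes.append("telnet not in transport input")
        if not s["exec"]:
            notes.append("no exec")
    return report

if __name__ == "__main__":
    print(audit(parse_vty(SAMPLE)))
```

A stanza with no `transport input` line is left unflagged, because the default depends on the IOS release.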