08-30-2018 06:03 AM - edited 03-08-2019 04:02 PM
Guys,
I have noticed that there are some telnet sessions to our Cisco 3850 switch:
switch#sh users
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 00:01:06   192.168.3.2
   3 vty 1                idle                 00:01:06   192.168.3.2
*  4 vty 2                idle                 00:00:00   10.xx.5.40
switch#sh tcp brief
TCB       Local Address           Foreign Address        (state)
34A272D4  10.yy.2.201.23          10.xx.5.40.50755       ESTAB
3A0F8494  192.168.3.1.23          192.168.3.2.42519      ESTAB
3A0874F0  192.168.3.1.23          192.168.3.2.42517      TIMEWAIT
3A4A6030  192.168.3.1.23          192.168.3.2.42518      TIMEWAIT
3A4CE854  192.168.3.1.23          192.168.3.2.42520      ESTAB
10.xx.5.40 - my host IP address. Even after clearing these vty (clear line vty <number>), they come back. The switch has only one ip interface: 10.yy.2.201.
switch#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.yy.2.201     YES NVRAM  up                    up
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
...
Is it a backdoor or internal virtual sessions? More info:
sh version
Switch Ports Model              SW Version        SW Image                Mode
------ ----- -----              ----------        ----------              ----
     1 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9   INSTALL
     2 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9   INSTALL
     3 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9   INSTALL
switch#sh ip sockets
Proto    Remote       Port   Local         Port   In  Out  Stat     TTY  OutputIF
 17      0.0.0.0      0      10.yy.2.201   16666  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   16667  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   12124  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   12125  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   12134  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   12135  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5246   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   12223  0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   6352   0   0    0        0
 17      0.0.0.0      0      10.yy.2.201   67     0   0    1002211  0
 17      0.0.0.0      0      10.yy.2.201   5247   0   0    1000011  0
 17      0.0.0.0      0      10.yy.2.201   2228   0   0    1000211  0
 17(v6)  --listen--          --any--       161    0   0    1020001  0
 17(v6)  --listen--          --any--       162    0   0    1020011  0
 17(v6)  --listen--          --any--       1025   0   0    1020001  0
 17      --listen--          10.yy.2.201   161    0   0    1001001  0
 17      --listen--          10.yy.2.201   162    0   0    1001011  0
 17      --listen--          10.yy.2.201   1025   0   0    1001011  0
08-31-2018 12:30 AM
It is an old Cisco bug:
Applying an ACL to the vty lines and enabling only SSH as transport input didn't help. Need to update the firmware.
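An added example, not from the thread or from Cisco, that parses the "sh tcp brief" output shown above and sorts each tcp/23 session into an allowed management source, a session with both ends inside the switch's own internal range, or an unexpected source worth investigating. The management allowlist, the treatment of 192.168.3.0/24 as the switch-internal range, and the placeholder octets standing in for the thread's xx/yy are all assumptions.

```python
import ipaddress
# Constructed sample modelled on the "sh tcp brief" output quoted in the thread;
# the obfuscated octets (xx/yy) are replaced with placeholder values.
SAMPLE_TCP_BRIEF = """\
TCB       Local Address      Foreign Address     (state)
34A272D4  10.0.2.201.23      10.0.5.40.50755     ESTAB
3A0F8494  192.168.3.1.23     192.168.3.2.42519   ESTAB
3A0874F0  192.168.3.1.23     192.168.3.2.42517   TIMEWAIT
3A4CE854  192.168.3.1.23     192.168.3.2.42520   ESTAB
"""

# Assumption: hosts that are allowed to open vty sessions (not from the thread).
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
# Assumption: address range the switch uses for sessions between its own components.
INTERNAL_NET = ipaddress.ip_network("192.168.3.0/24")

def split_addr_port(token):
    """'10.0.2.201.23' -> ('10.0.2.201', 23); IOS appends the port after a final dot."""
    ip, _, port = token.rpartition(".")
    return ip, int(port)

def parse_tcp_brief(text):
    """Parse 'show tcp brief' rows into dicts, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or unexpected line
        tcb, local, foreign, state = parts
        lip, lport = split_addr_port(local)
        fip, fport = split_addr_port(foreign)
        rows.append({"tcb": tcb, "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport, "state": state})
    return rows

def classify_telnet_sessions(rows, allowlist=MGMT_ALLOWLIST, internal=INTERNAL_NET):
    """Label each tcp/23 session by TCB: allowed-mgmt, internal-loop, or suspicious."""
    labels = {}
    for r in rows:
        if r["local_port"] != 23:
            continue
        fip, lip = ipaddress.ip_address(r["foreign_ip"]), ipaddress.ip_address(r["local_ip"])
        if any(fip in net for net in allowlist):
            labels[r["tcb"]] = "allowed-mgmt"
        elif fip in internal and lip in internal:
            labels[r["tcb"]] = "internal-loop"  # both ends inside the switch's own range
        else:
            labels[r["tcb"]] = "suspicious"     # unexpected source; investigate
    return labels
```

Feeding the real device output into parse_tcp_brief() and reviewing anything labelled "suspicious" separates the switch's own internal sessions from a genuinely unknown remote login.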