Re: Telnet Problem

keyonj · ‎09-02-2009

I am having an issue telneting from any device on my network to a 4503 (running Version 12.2(31)SG).

The following is the configuration for the vty lines:

line vty 0 4

exec-timeout 5 0

login local

transport input all

transport output telnet

line vty 5 15

exec-timeout 5 0

login local

transport input all

transport output telnet

The following is what I get on a debug:

Sep 2 19:47:41 UTC: Telnet1: 1 1 251 1

Sep 2 19:47:41 UTC: TCP1: Telnet sent WILL ECHO (1)

Sep 2 19:47:41 UTC: Telnet1: 2 2 251 3

Sep 2 19:47:41 UTC: TCP1: Telnet sent WILL SUPPRESS-GA (3)

Sep 2 19:47:41 UTC: Telnet1: 80000 80000 253 24

Sep 2 19:47:41 UTC: TCP1: Telnet sent DO TTY-TYPE (24)

Sep 2 19:47:41 UTC: Telnet1: 10000000 10000000 253 31

Sep 2 19:47:41 UTC: TCP1: Telnet sent DO WINDOW-SIZE (31)

Sep 2 19:47:41 UTC: TCP1: Telnet received DO SUPPRESS-GA (3)

Sep 2 19:47:41 UTC: TCP1: Telnet received WILL TTY-LOCATION (23) (refused)

Sep 2 19:47:41 UTC: TCP1: Telnet sent DONT TTY-LOCATION (23)

Sep 2 19:47:41 UTC: TCP1: Telnet received WILL TTY-SPEED (32) (refused)

Sep 2 19:47:41 UTC: TCP1: Telnet sent DONT TTY-SPEED (32)

Sep 2 19:47:41 UTC: TCP1: Telnet received WILL WINDOW-SIZE (31)

Sep 2 19:47:41 UTC: TCP1: Telnet received WILL LOCAL-FLOW (33) (refused)

Sep 2 19:47:41 UTC: TCP1: Telnet sent DONT LOCAL-FLOW (33)

Sep 2 19:47:41 UTC: TCP1: Telnet received DO ECHO (1)

Sep 2 19:47:41 UTC: TCP1: Telnet received WONT TTY-TYPE (24)

Sep 2 19:47:41 UTC: TCP1: Telnet sent DONT TTY-TYPE (24)

Sep 2 19:47:41 UTC: Telnet1: recv SB NAWS 80 24

Sep 2 19:47:41 UTC: TCP1: Telnet received WONT TTY-LOCATION (23)

Sep 2 19:47:41 UTC: TCP1: Telnet received WONT TTY-SPEED (32)

Sep 2 19:47:41 UTC: TCP1: Telnet received WONT LOCAL-FLOW (33)

[Connection to X.X.X.X closed by foreign host]

Any help would be appreciated.

Thanks.

Edison Ortiz · ‎09-02-2009

I don't see any ACLs under the VTY but do you have any Security ACLs on the switch preventing telnet?

If you can post a sanitized config from the switch, we can help further.

__

Edison.

keyonj · ‎09-03-2009

Edison, the only other security ACLs in place are for snmp and for https access.

There are no other ACLs that I can see in the config.

one weird thing, that I did notice, that doesnt show up in the config are ACLs that appear to be for control plane policing. When I do a 'show access-lists' the following list is displayed (aside from the two ACLS that show up in the config for snmp and http):

Extended IP access list system-cpp-all-routers-on-subnet

10 permit ip any host 224.0.0.2

Extended IP access list system-cpp-all-systems-on-subnet

10 permit ip any host 224.0.0.1

Extended IP access list system-cpp-dhcp-cs

10 permit udp any eq bootpc any eq bootps

Extended IP access list system-cpp-dhcp-sc

10 permit udp any eq bootps any eq bootpc

Extended IP access list system-cpp-dhcp-ss

10 permit udp any eq bootps any eq bootps

Extended IP access list system-cpp-igmp

10 permit igmp any 224.0.0.0 31.255.255.255

Extended IP access list system-cpp-ip-mcast-linklocal

10 permit ip any 224.0.0.0 0.0.0.255

Extended IP access list system-cpp-ospf

10 permit ospf any 224.0.0.0 0.0.0.255

Extended IP access list system-cpp-pim

10 permit pim any 224.0.0.0 0.0.0.255

Extended IP access list system-cpp-ripv2

10 permit ip any host 224.0.0.9

Extended MAC access list system-cpp-bpdu-range

permit any 0180.c200.0000 0000.0000.000f

Extended MAC access list system-cpp-cdp

permit any host 0100.0ccc.cccc

Extended MAC access list system-cpp-cgmp

permit any host 0100.0cdd.dddd

Extended MAC access list system-cpp-dot1x

permit any host 0180.c200.0003

Extended MAC access list system-cpp-garp-range

permit any 0180.c200.0020 0000.0000.000f

Extended MAC access list system-cpp-sstp

permit any host 0100.0ccc.cccd

However, I'm not sure if its tied to anything. When I run any of the following commands, nothing is displayed.

sh policy-map system-cpp-policy

sh policy-map control-plane input

sh policy-map control-plane

FYI, I will work on getting the sanitized config posted.

Thanks