Unwanted Telnet session

Robo123
Level 1

I have a Cisco 3850 switch running 3.2.3SE IOS where I am seeing unwanted Telnet connections from the IP 192.168.1.2, which is nowhere available in my network. I tried clearing the VTY sessions, but they reappear within a second. Can anyone help me to know whether it is happening due to any bug?


marce1000
VIP

 

 - Not likely to be a bug. Possible actions may be to try to find the correlating MAC address through ARP queries and check your asset database, or block the connection:

            https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc8

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Are you using the switches in a stack?
If yes, then it's expected.

 

 

 


## Make sure to mark post as helpful, If it resolved your issue. ##






Yes, it's a stack.

But the mentioned IP is an unknown one, and it is continuously trying to communicate with the switch. This IP is not reachable from the network. Please let me know how I can mitigate this issue.

 

You are trying to console into a switch which is not active.

This feature is called console relay. It basically uses a 192.168.1.x IP for Telnet from the standby or member switch, because every time you console into any switch you will always get access to the active.

 

This IP will not be reflected anywhere and is for internal operations, you can safely ignore it. 

 

 

 



Hi Mohsiala,

Thanks for the update.

I am accessing this device via SSH, and I can see the below sessions are continuously active on the device. At the same time, on the TACACS server I can observe auth-fail logs from this 192.168.1.2 IP towards this stack switch.

 

 

Hi Mohsiala,

 

Can you please brief me about the console relay concept? If possible, please share the doc as well.

 

Reference:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKARC-3190.pdf

Slide 48

 

This behavior is called console relay.

Feature Information

A 3750/3850 stack has a unified control plane which rests with the stack master switch. Hence, irrespective of the switch the user consoles in, the CLI displayed is always the stack master's CLI. This is enabled by a feature called console relay.

Console relay works on both USB console and RJ45 console. If both are connected, USB console overrides the RJ45 console.

Console relay creates an internal telnet session from the stack member switch to the stack master. When a user connects console to a stack member switch, console relay chooses the lowest available line vty and creates a telnet session to the master. This internal session is used to relay the master console to the member.

 

 

 

 



I have verified, and there is no console cable connected to the switch.

The bad thing is there is no ARP entry available for this IP, since it's an L2 VLAN. I tried to find this IP physically as well, but I am not sure what this IP is and where it's located. To add an ACL, I am not sure from which interface the request is coming.

Hello

Apply an ACL to the switch to deny any unwarranted sessions.

 

Example for SSH (doesn't include device authentication)
access-list 1 deny any
ip access-list extended SSH
 permit tcp x.x.x.0 0.0.0.255 any eq 22

line vty 0 4
 access-class SSH in
 exec-timeout 0 10
 absolute-timeout 30
 transport input ssh
 transport output ssh
 transport preferred none

 

(optional if vty 5+ is configured)
line vty 5 X
 access-class 1 in
 exec-timeout 0 1
 privilege level 0
 absolute-timeout 1
 transport input none
 transport output none
 transport preferred none


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

balaji.bandi
Hall of Fame

First you need to find where this device is located, so start from here:

Connect to the switch that is your layer gateway for the 192.168.1.X network.

show ip arp 192.168.1.2 (find the MAC address and the port it is learned from)

Go to the layer 2 switch: show mac address-table | in xxxxxxx (the MAC address you recorded before) to find the port where this device is connected.

Make sense?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

As I mentioned earlier, there is no ARP entry for this IP in the core device.

Yes, I have noted before that there is no ARP. You need to find it (there may be some PC or device compromised, not sure at this stage). If there is no ARP, then you need to find it or make an ACL to block it, but you need to find the root cause of the device.

BB


Robo123
Level 1

Can someone please share the IOS rollback procedure for the stack in install mode?
