08-01-2021 09:42 PM - edited 08-01-2021 09:52 PM
I have a Cisco 3850 switch running 3.2.3SE IOS where I am seeing unwanted Telnet connections from the IP 192.168.1.2, which is nowhere available in my network. I tried clearing the VTY sessions but it's reappearing again within a second. Can anyone help me to know if it is happening due to any bug?
08-01-2021 11:45 PM
- Not likely to be a bug; possible actions may be to try to find the correlating MAC address through ARP queries and check your asset database, or block the connection:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc8
M.
08-02-2021 12:28 AM
Are you using the switches in a stack?
If yes, then it's expected.
## Make sure to mark post as helpful, If it resolved your issue. ##
08-02-2021 12:42 AM - edited 08-02-2021 12:59 AM
Yes, it's a stack.
But the mentioned IP is an unknown one, and the mentioned IP is continuously trying to communicate with the switch. This IP is not reachable from the network. Please let me know how I can mitigate this issue.
08-02-2021 01:40 AM
You are trying to console into a switch which is not the active one.
This feature is called console relay. It basically uses a 192.168.1.x IP for Telnet from the standby or member switch, because every time you console into any switch you will always get access to the active.
This IP will not be reflected anywhere and is for internal operations; you can safely ignore it.
08-02-2021 02:50 AM
Hi Mohsiala,
Thanks for the update.
I am accessing this device via SSH and I can see the below sessions are continuously active in the device; at the same time, on the TACACS server I can observe the auth-fail logs from this 192.168.1.2 IP towards this stack switch.
08-02-2021 04:23 AM
Hi Mohsiala,
Can you please brief about the console relay concept? If possible, please share the doc as well.
08-02-2021 07:55 AM
Reference:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKARC-3190.pdf
Slide 48
This behavior is called console relay. Feature information: a 3750/3850 stack has a unified control plane which rests with the stack master switch. Hence, irrespective of the switch the user consoles into, the CLI displayed is always the stack master's CLI. This is enabled by a feature called console relay. Console relay works on both the USB console and the RJ45 console; if both are connected, the USB console overrides the RJ45 console. Console relay creates an internal Telnet session from the stack member switch to the stack master. When a user connects a console to a stack member switch, console relay chooses the lowest available VTY line and creates a Telnet session to the master. This internal session is used to relay the master console to the member.
08-04-2021 05:46 PM
I have verified, and there is no console cable connected on the switch.
08-02-2021 12:56 AM - edited 08-02-2021 01:10 AM
The bad thing is there is no ARP entry available for this IP since it's an L2 VLAN, and I tried to find this IP physically as well, but I'm not sure what this IP is and where it's located. To add an ACL, I'm not sure from which interface the request is coming.
08-02-2021 02:15 AM - edited 08-02-2021 02:16 AM
Hello
Apply an ACL to the switch to deny any unwarranted sessions.
Example for SSH (doesn't include device authentication):
! Standard ACL used to deny everything on the spare VTY lines
access-list 1 deny any
! Extended ACL: only the x.x.x.0/24 management subnet may reach SSH (TCP/22)
ip access-list extended SSH
 permit tcp x.x.x.0 0.0.0.255 any eq 22
! Primary VTY lines: SSH only, source-restricted by the SSH ACL
line vty 0 4
 access-class SSH in
 exec-timeout 0 10
 absolute-timeout 30
 transport input ssh
 transport output ssh
 transport preferred none
! Optional, if vty 5 and higher are configured: lock the remaining lines down
line vty 5 X
 access-class 1 in
 exec-timeout 0 1
 privilege level 0
 absolute-timeout 1
 transport input none
 transport output none
 transport preferred none
08-02-2021 02:17 AM
First you need to find where this device is located, so start from here:
Connect to the switch where your Layer 3 gateway for the 192.168.1.x network is.
show ip arp 192.168.1.2 (find the MAC address and the port it is learned from)
Go to the Layer 2 switch, show mac address-table | in xxxxxxx (the MAC address you recorded before) to find the port where this device is connected.
Make sense?
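The ARP-to-MAC-to-port lookup described in this reply is easy to do by hand once, but when the source keeps reappearing it helps to have a small script that correlates the two tables and also flags the case the thread ran into, where the IP has no ARP entry at all. The script below is an added example written for this page, not something posted in the thread or shipped by Cisco. It assumes the common IOS column layouts for `show ip arp` and `show mac address-table`, uses constructed sample output (not captured from the poster's switch), and treats 192.168.1.0/24 as the stack-internal console-relay range that the earlier replies describe; that /24 boundary is an assumption, since the thread only says 192.168.1.x.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample output in the usual IOS layouts (not from the thread's switch).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   aabb.cc00.0100  ARPA   Vlan10
Internet  192.168.1.10            5   0011.2233.4455  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    aabb.cc00.0100    STATIC      CPU
"""

# Assumption: the stack-internal range the replies attribute to console relay.
CONSOLE_RELAY_NET = ip_network("192.168.1.0/24")

# One `show ip arp` row: protocol, address, age, dotted-hex MAC, type, interface.
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)",
    re.I,
)
# One `show mac address-table` row: vlan, dotted-hex MAC, type, port.
MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)",
    re.I,
)


def parse_arp(text):
    """Map IP address -> (mac, interface) from `show ip arp` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
    return table


def parse_mac_table(text):
    """Map MAC address -> (vlan, port) from `show mac address-table` output."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m.group(2).lower()] = (int(m.group(1)), m.group(4))
    return table


def locate(ip, arp_text, mac_text):
    """Correlate an IP to a switch port, or explain why that is not possible.

    Returns a dict whose "status" is one of:
      located                 - ARP gave a MAC and the MAC table gave a port
      arp-only                - ARP entry exists but the MAC is not in the table
      no-arp                  - nothing in ARP; the IP is not a host on this L3 hop
      no-arp-internal-range   - nothing in ARP and the IP sits in the console-relay
                                range, i.e. consistent with a stack-internal session
    """
    arp = parse_arp(arp_text)
    macs = parse_mac_table(mac_text)
    if ip not in arp:
        if ip_address(ip) in CONSOLE_RELAY_NET:
            return {"status": "no-arp-internal-range"}
        return {"status": "no-arp"}
    mac, iface = arp[ip]
    if mac not in macs:
        return {"status": "arp-only", "mac": mac, "interface": iface}
    vlan, port = macs[mac]
    return {"status": "located", "mac": mac, "interface": iface,
            "vlan": vlan, "port": port}


if __name__ == "__main__":
    for candidate in ("192.168.1.10", "192.168.1.2", "10.0.0.5"):
        print(candidate, locate(candidate, SHOW_IP_ARP, SHOW_MAC_TABLE))
```

Paste the real command output into the two strings (or read it from files) and run it once per source address seen in `show users`; a "located" result tells you which access port to inspect or shut, while "no-arp-internal-range" is the pattern this thread describes and points back at console relay rather than at an external host.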
08-02-2021 03:29 AM
As I mentioned earlier, there is no ARP entry for this IP in the core device.
08-02-2021 03:43 AM
Yes, I have noted before that there is no ARP. You need to find it (there may be some PC or device compromised, not sure at this stage). If there is no ARP, then you need to find it or make an ACL to block, but you need to find the root cause of the device.
08-12-2021 10:07 AM
Can someone please share the IOS rollback procedure for the stack in install mode?