11-19-2008 09:10 AM - edited 03-06-2019 02:34 AM
I noticed today that I have a telnetting problem to one router.
This router has a route:
ip route 0.0.0.0 0.0.0.0 172.27.1.2
The interfaces on it are:
int FA0/0
10.5.5.1
10.6.5.1
int FA0/1
172.27.1.1
The router on the other end has a route to this network as:
int fa0/0
10.10.10.1
We run bgp and redistribute statics.
ip route 10.5.5.0 255.255.255.0 172.27.1.1
My L3 switch has a route to 10.5.5.0 through 10.10.10.1
The issue is this:
I can ping the 10.5.5.1 address with no problem from my workstation, but I can't telnet to it. I can't telnet to it from my L3 switch, but I can ping it. I CAN telnet from the primary router 10.10.10.1 and I CAN telnet to it from any other device that's in the bgp network.
There are no acls keeping me from telnetting to the device. I can't reverse telnet from the device into my L3 switch, but I can into the main router.
If I look at the routing table, I notice that I don't have a route to the 172.27.1.0 network in my L3 switch table, but I do have one for the internal network. I'm assuming this is the cause, but I don't understand why I can't telnet into the 10.5.5.1 router if I can ping it.
Any suggestions?
Thanks,
John
11-19-2008 09:28 AM
John
So it looks like
(10.5.5.1) fa0/0 R1 fa0/1 (172.27.1.1) -> (172.27.1.2) int ?? Main Router fa0/0 (10.10.10.1) -> L3 switch
Your L3 switch doesn't need a route for 172.27.1.0 unless you want to get to one of the 172.27.1.x addresses from the switch so that is not causing your issue.
What happens when you try and telnet - does it come straight back, hang a while etc ?
Do you have tacacs running on it ?
Are you allowing telnet as a transport on the vty lines ?
Jon
11-19-2008 09:45 AM
Well, more information.
I have radius running. When I telnet into the 172.27.1.1 address from my workstation, I get a login but my credentials don't work. If I telnet to the same address from the 172.27.1.2 router, my credentials work.
I ran nmap against that IP to see what ports were open, and it came back with 23 and 80. I tried to connect to 80, and it said "Firewall connect failed." This was a normal web server message and not a popup. I "think" that there's another device that I'm hitting, so I'm still trying to track it down.
Thanks Jon!
John
11-19-2008 10:13 AM
John
Have you checked the radius logs to see both the failed and the successful authentications ?
Jon
11-19-2008 12:07 PM
I just had a chance to do this, and the results are:
I get a log entry when I telnet from my main router to remote router.
No entry when I telnet directly to remote router.
Can you explain why I can't telnet to the 10.5.5.1 address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface.
--John
11-19-2008 12:19 PM
"Can you explain why I can't telnet to the 10.5.5.1 address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface."
Not at the moment no :-)
So when you telnet to 10.5.5.1 rather than the 172.27.1.1 address do you get asked for login credentials or does it just time out ?
Is 10.5.5.1 the primary address on that interface ?
If you don't know whether the traffic is reaching the remote router then you can use an acl, i.e.
access-list 101 permit tcp host
access-list 101 permit icmp host
access-list 101 permit ip any any
int fa0/1
ip access-group 101 in
at least you would then be able to tell if packets are hitting the WAN interface on the remote router.
Jon
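As an added worked example (not code from this thread or from either poster), the technique Jon describes is to read the per-ACE match counters from `show access-lists` before and after a test connection; the snippet below parses two such snapshots and reports which entries saw new hits. The workstation address 10.20.0.50 and the sample counter values are constructed for illustration.

```python
import re
from typing import Dict

# One ACE line of IOS "show access-lists" output, e.g.
#   "    20 permit tcp host 10.20.0.50 host 10.5.5.1 eq telnet (3 matches)"
# The "(N matches)" suffix is absent when the entry has never been hit.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ace>.+?)(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)
HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (?P<name>\S+)")


def parse_acl_counters(output: str) -> Dict[str, Dict[str, int]]:
    """Return {acl_name: {ace_text: hit_count}} from 'show access-lists' text."""
    acls: Dict[str, Dict[str, int]] = {}
    current = None
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = acls.setdefault(h.group("name"), {})
            continue
        if current is None or not line.strip():
            continue
        m = ACE_RE.match(line)
        if m:
            current[m.group("ace")] = int(m.group("hits") or 0)
    return acls


def counter_deltas(before: str, after: str, acl: str) -> Dict[str, int]:
    """Per-ACE increase in match counters between two snapshots of one ACL."""
    b = parse_acl_counters(before).get(acl, {})
    a = parse_acl_counters(after).get(acl, {})
    return {ace: a.get(ace, 0) - b.get(ace, 0) for ace in a}


def reached_interface(deltas: Dict[str, int], proto: str) -> bool:
    """True if any entry for the given protocol keyword ('tcp', 'icmp') saw new hits."""
    return any(d > 0 for ace, d in deltas.items() if proto in ace.split())


# Constructed snapshots: the telnet attempt to the WAN address 172.27.1.1 never
# arrives at the remote router, while telnet and ping to 10.5.5.1 do.
BEFORE = """Extended IP access list 101
    10 permit tcp host 10.20.0.50 host 172.27.1.1 eq telnet
    20 permit tcp host 10.20.0.50 host 10.5.5.1 eq telnet
    30 permit icmp host 10.20.0.50 host 10.5.5.1
    40 permit ip any any (10432 matches)
"""
AFTER = """Extended IP access list 101
    10 permit tcp host 10.20.0.50 host 172.27.1.1 eq telnet
    20 permit tcp host 10.20.0.50 host 10.5.5.1 eq telnet (3 matches)
    30 permit icmp host 10.20.0.50 host 10.5.5.1 (5 matches)
    40 permit ip any any (10611 matches)
"""
```

An entry whose counter stays at zero after a test means the packets never reached that interface, which points at a device upstream answering instead.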
11-19-2008 12:21 PM
LOL! I haven't tried the ACL. I'll do that now and post the results. :-)
Oh, yes, it times out by the way.
--John
11-19-2008 12:35 PM
Okay, here are the results:
I do not get a hit on the acl from my workstation to the public interface, but I do get one when I'm trying to hit the private side of 10.5.5.1. I still don't get a login prompt to the inside interface though.
--John
11-19-2008 12:41 PM
And when you ping - do you see a hit then ?
Okay so can you apply this acl outbound on the vlan interface your client is connected to
access-list 101 permit tcp any eq 23 host
access-list 101 permit icmp any host
access-list 101 permit ip any any
We should then be able to see if the remote router is returning packets to your client.
Any chance of the config of the remote router?
Also any chance of temporarily disabling radius for the router and then trying to telnet ?
Jon
11-19-2008 12:57 PM
Here's the latest:
I ran debugs on the router for radius:
debug radius
I then telnetted to the router from the main router and I started getting hits in the terminal window for radius "Get_User" and "Get_Passwd" etc.
I then closed out of the main router telnet session, and I telnetted from my workstation. There were no hits for radius debugs, which tells me that I'm actually hitting another device somewhere. I'm giving up on this until Friday (I've been told to), but I think I'm 100% confident that this is another device, whether it be a device in between (at the local carrier) or a device elsewhere.
Thanks Jon!
John
11-19-2008 01:10 PM
Definitely another device. I shut the interface down, and I could still ping the address. Go figure. Now I just have to find it.
--John