Atif is quite correct that clear line is how to terminate those telnet sessions - once the problem has developed. And his suggestion that the problem be prevented by configuring an idle timeout is what I also recommend.

Looking at the idle time of these sessions certainly suggests that someone has configured the vty lines with exec-timeout 0 0 which disables the idle timeout. This has the effect that telnet sessions may go on for a very long time - and over a period of time hung telnet sessions may make all the vty ports busy and prevent remote access to the router. While I might not go as short as Atif's suggestion of a 5 minute timeout, I believe that the vty should have some timeout (perhaps quite long - especially in a testing or development environment). A vty with no idle timeout is a problem waiting to happen.

HTH

Rick

Hi Richard,

Got the same issue recently.  I noticed that I can telnet my router after like 1 day even SSH is not accepting my password.

line vty 0 4
password 7 XXXXXXXXXXX
transport input telnet ssh
line vty 5 15
privilege level 15
password 7 XXXXXXXXXX
transport input telnet ssh

I am able to ping and it is working as usual except the telnet and SSH

Regards,

Jason

Jason

I am sorry for the delayed response but I have been on travel and it has been difficult to participate in the forum. I am not clear about a few things in what you describe. Is it that after boot the router you can access for one day and then can not access? Or is it that after boot the router you have problems in accessing it and after a day it does work?

Can you be more specific about how it is not working? I suggest that we focus first on telnet and try to figure out why it is not working. After we solve the issue for telnet it may also fix SSH and if not we can address any issues specific to SSH. When you attempt telnet (that does not work) do you get a prompt for a password? Or does the telnet attempt just hang?

HTH

Rick

Richard,

thanks for the support and reply.  I noticed this happens when 1 of my IPVPN circuit was upgraded.  Recently in my old circuit i'm using tunnel interface with DHCP on my physical interface unlike with my new link i uses my physical interface as the destination point for my IPVPN.

Workaround:

i am disconnecting my new link then i can do telnet and RRAS.

does this affect the cpu processes of my router from previous and current setup?

Jason

Jason

I am not clear what you are describing when you talk about an IPVPN circuit. But certainly a new circuit can increase cpu utilization, especially if it is encrypting traffic on the circuit as most VPNs do.

If you have problems with remote access when the circuit is connected and remote access works when the circuit is disconnected, then it certainly sounds like something about the circuit is impacting remote access. Perhaps you can post the router config and we might be able to identify what is going on;

HTH

Rick

Hi Richard,

thanks for the support.

attached here is the configuration of my router i just changed some sensitive information from my recent backup.

Regards,

Jason

Jason

Can you clarify which of the interfaces in the config is the new link?

HTH

Rick

Richard,

int Fa0/2/1 is the new link it sounds weird for me yesterday it was okay with heavy traffic load with this router and it is inconsistent error i checked the log and see this message last time.

780298: Apr 2 06:57:59.457: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory

777844: Mar 26 11:13:28.969: %SYS-2-MALLOCFAIL: Memory allocation of 32768 bytes failed from 0x601023B8, alignment 0
Pool: Processor Free: 361676 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 340, -Traceback= 0x6169C450 0x600F02C8 0x600F6104 0x600F68B0 0x601023C0 0x60103324 0x616E41D4 0x616E4248 0x616E42E0 0x60689934 0x616EB944 0x60693BEC 0x616E3F48 0x616AB844 0x616ABCAC 0x61707C80

so what i did I remove the link from int fa0/2/1 and clear the log that time my problem was solved....and from some time it is still happening and then I again im doing this temporary solution.

Regards,

Jason

Jason

Thank you for the additional information which is quite helpful. It shows that the real problem is really not the new link on fa0/2/1 but it a memory leak. It may be that there is something about the new link that triggers the memory leak but the real problem is the leak and not really the interface. There are several things that lead to this conclusion:

- the traceback in the output. traceback is always a sign of a software problem and is inserted in the code by Cisco to provide information which may help identify the underlying problem.

- the log message that includes SYS-2-MALLOCFAIL is an indication that the router was not able to allocate memory required to perform some function.

- the clearest indication is the message that contains due to insufficient processor memory.

Removing the new link on fa0/2/1 may provide some temporary relief, but I think you are saying that even after removing that link the error message still comes back. Reboot the router would provide some temporary relief but the error will come back at some point. The real and permanent solution would be to upgrade the code to a version that does not have this leak.

HTH

Rick

Richard,

We are happy that since yesterday we are not facing this issue to the fact that we have the same usual day to day transaction.  

I'm guessing if it is possible also that the monitoring application from telco may cause this error also?

by the way I am thinking about your suggestion about the IOS but I am afraid to do it because this model is in End-Of-Life service by Cisco itself....

Regards,

Jason Cantos

Jason

Yes the 3845 is pretty old and it may be that a code upgrade is not feasible. So this may be a problem that does not have a good solution from your point of view. It is possible that the monitoring application from Telco would cause this problem, it is possible that something about your new link might cause this problem, it is possible that other things might cause this problem. You can try to avoid these things, but it is always possible that the problem will happen again since we do not know what triggers the leak (and it is possible that more than one thing might trigger the leak).

HTH

Rick

Richard,

That is why i suggested to my manager if possible we can purchase another router to replace the existing just to make sure.  Anyway it will be a Win-Win situation if we purchase new one its either we use the new router and make the current as backup machine...since the purchase will take 4-6 weeks and we cannot afford to have this downtime.

Any suggestion so that I have an idea if I contact any local vendor Cisco partner here in our country?

Regards,

Jason 

Jason

I agree that purchase of a new router is the best solution for this issue. I am not sure what to suggest about what you do until the new router arrives. In an earlier post you seem to suggest that not using the new link improved the situation with the issue. Is that the case? Can you afford to not use the new link for some weeks?

You might also consider the possibility of scheduling periodic reboot of the router. The reboot should restore the memory lost to the leak. If you reboot about how long does it take for the issue to come back? Could you just schedule a reboot after a shorter interval?

HTH

Rick