No SSH/Telnet to Cisco 800 series router

tom.salmon
Level 1

Hi,

I have an issue with several 800 series routers.

This router was upgraded to 12.4(24)T7 and it is since this that we have started seeing the issue. It was subsequently downgraded.

router#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)

When I turn on telnet and ssh debugging I see sessions as they arrive on the internal interface, but not externally.

router#sh deb
TCP:
  TCP Packet debugging is on for address x.x.x.x, port number 2222, incoming packets
TELNET:
  Incoming Telnet debugging is on
SSH:
  Incoming SSH debugging is on

As you can see, tcp debugging shows my external connection coming in and I get a TCP reset back. x.x.x.x was my office public IP, y.y.y.y is the customer's router public IP.

Aug 13 11:34:39.957: tcp0: I LISTEN x.x.x.x:62614 y.y.y.y:2222 seq 2937972774
        OPTS 24 SYN  WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to x.x.x.x:62614 from y.y.y.y:2222

It should be listening by the looks of things.

router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
tcp                        *:22                         *:0               SSH-Server   LISTEN
tcp                        *:23                         *:0                   Telnet   LISTEN
tcp                        *:23         192.168.0.240:33329                   Telnet ESTABLIS
tcp                      *:2222                         *:0               SSH-Server   LISTEN
tcp                      *:1723                         *:0                     PPTP   LISTEN
udp                     *:55724                         *:0                  IP SNMP   LISTEN
udp                       *:123                         *:0                      NTP   LISTEN
udp                       *:161                         *:0                  IP SNMP   LISTEN
udp                       *:162                         *:0                  IP SNMP   LISTEN

The IP y.y.y.y is negotiated with IPCP.

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip mtu 1492
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@isp.realm
 ppp chap password 0 xxxxxx

router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     y.0.0.0/32 is subnetted, 1 subnets
C       y.y.y.y is directly connected, Dialer0
     a.a.a.0/32 is subnetted, 1 subnets
C       a.a.a.a is directly connected, Dialer0
C    192.168.0.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 is directly connected, Dialer0

Access list 100 explicitly permits my office subnet, as does access list 23.

line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 rotary 1
 transport input all
 transport output all

And rotary 1 maps to 2222.

I see the same problem with telnet and ssh (on the rotary and port 22) from outside, however inside it works without a hitch. I've tried messing with the login local and access lists to no avail. I suspect that IPCP is significant in this.

'Shaun' in this thread appears to have the exact same issue.

Many thanks to anyone who takes the time to help me with this. If you need any more info please let me know.

Regards,

Tom
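
As an added triage helper (not part of the original post or of IOS), this Python script parses the two outputs Tom pasted, "show control-plane host open-ports" and the TCP debug lines, and flags every RST the router sent on a port that was in LISTEN state, which is the contradiction this thread hinges on. The addresses 203.0.113.10 and 198.51.100.1 are constructed stand-ins for x.x.x.x and y.y.y.y, and the port 8443 line is a constructed control case with no listener.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of "show control-plane host open-ports" (not real router output)
OPEN_PORTS = """\
Prot               Local Address             Foreign Address                  Service    State
tcp                        *:22                         *:0               SSH-Server   LISTEN
tcp                        *:23                         *:0                   Telnet   LISTEN
tcp                        *:23         192.168.0.240:33329                   Telnet ESTABLIS
tcp                      *:2222                         *:0               SSH-Server   LISTEN
udp                       *:161                         *:0                  IP SNMP   LISTEN
"""

# Constructed debug lines: 203.0.113.10 stands in for x.x.x.x (client), 198.51.100.1 for y.y.y.y (router)
DEBUG_LOG = """\
Aug 13 11:34:39.957: tcp0: I LISTEN 203.0.113.10:62614 198.51.100.1:2222 seq 2937972774
        OPTS 24 SYN  WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to 203.0.113.10:62614 from 198.51.100.1:2222
Aug 13 11:35:02.101: TCP: sent RST to 203.0.113.10:62700 from 198.51.100.1:8443
"""

PORT_RE = re.compile(r"^(tcp|udp)\s+\*:(\d+)\s+\S+\s+(.+?)\s+(LISTEN|ESTABLIS\w*)\s*$")
RST_RE = re.compile(r"TCP: sent RST to (\S+):(\d+) from (\S+):(\d+)")


def listening_tcp_ports(open_ports: str) -> Dict[int, str]:
    """Map each TCP port in LISTEN state to its service name."""
    ports: Dict[int, str] = {}
    for line in open_ports.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(1) == "tcp" and m.group(4) == "LISTEN":
            ports[int(m.group(2))] = m.group(3).strip()
    return ports


def rst_events(debug_log: str) -> List[Tuple[str, int, str, int]]:
    """Extract (client_ip, client_port, router_ip, router_port) for each RST the router sent."""
    return [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in RST_RE.finditer(debug_log)]


def classify_resets(open_ports: str, debug_log: str) -> List[Tuple[int, str]]:
    """Label each RST by whether a listener existed on the target port.
    A RST on a LISTEN port means the SYN was refused despite a listener, which points at
    the vty access-class, NAT/inspect handling on the outside interface or control-plane
    policy rather than at a missing service."""
    listeners = listening_tcp_ports(open_ports)
    result = []
    for _, _, _, rport in rst_events(debug_log):
        if rport in listeners:
            result.append((rport, f"listener {listeners[rport]} present: refused by ACL/NAT/control-plane"))
        else:
            result.append((rport, "no listener: expected RST"))
    return result
```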

24 Replies

Oleg,

I have tried your workaround in two locations and in both cases it has worked.

Hopefully Cisco will actually fix this bug in the next version of 12.4(24)T.

Thanks for your help!

Regards,

Tom

It is not a bug, it's unlikely to be ever 'fixed', and IOS 12.4 is not developed anymore.

We think this is a bug, and would like to see a bug ID so we can then check for sure which IOS releases are and are not affected.

We think it is a bug as it behaves differently in different IOS versions.

After an IOS upgrade, you find yourself unable to telnet to the router.

We think we have seen it with:

c870-advipservicesk9-mz.124-24.T4.bin

and:

c180x-advipservicesk9-mz.150-1.M7.bin

Because we're seeing it in IOS 15, the fact that IOS 12.4 is end of life doesn't matter...

Neil

Likely you have "permit ip any" in the NAT access list, which is not good.

Was this issue ever classified as a bug? Appreciate this is an old thread, but I had never come across this before until yesterday. I upgraded an 800 series router with 12.x to an 887VA with 15.3 code.

I had this exact issue where SSH was refused on the outside interface even with no ACLs on the vty lines or dialer. The only way I could permit SSH from outside was by port-forwarding the public IP to a loopback with the ip nat inside statement on the loopback interface.

Does your access list for NAT include a permit any?

HTH

Rick

No sir,

there are some specific static NATs to inside hosts and an overload statement for the dialer:

R1#sh run | in nat
ip nat inside source list 1 interface Dialer1 overload

R1#sh ip access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255

Thanks for clarifying that your NAT does not include a permit any. Your problem must relate to something else and I am not clear what that would be. I am glad that you found a work around.

HTH

Rick

Hello,

ip ssh port 2222 rotary 1

I think this is the reason why you cannot telnet/ssh to your router.

regards,

Francis

francisgamo
Level 1

Thanks for this post, it helps me a lot; it fixed my problem. I used extended NAT so that I could access my router remotely. Thanks again.
