08-13-2012 03:55 AM
Hi,
I have an issue with several 800 series routers.
This router was upgraded to 12.4(24)T7, and it is since then that we have been seeing the issue. It was subsequently downgraded.
router#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
When I turn on telnet and ssh debugging I see sessions as they arrive on the internal interface, but not externally.
router#sh deb
TCP:
TCP Packet debugging is on for address x.x.x.x, port number 2222, incoming packets
TELNET:
Incoming Telnet debugging is on
SSH:
Incoming SSH debugging is on
As you can see, tcp debugging shows my external connection coming in and I get a TCP reset back. x.x.x.x was my office public IP, y.y.y.y is the customer's router public IP.
Aug 13 11:34:39.957: tcp0: I LISTEN x.x.x.x:62614 y.y.y.y:2222 seq 2937972774 OPTS 24 SYN WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to x.x.x.x:62614 from y.y.y.y:2222
It should be listening by the looks of things.
router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.0.240:33329 Telnet ESTABLIS
tcp *:2222 *:0 SSH-Server LISTEN
tcp *:1723 *:0 PPTP LISTEN
udp *:55724 *:0 IP SNMP LISTEN
udp *:123 *:0 NTP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
The IP y.y.y.y is negotiated with IPCP.
interface Dialer0
ip address negotiated
ip access-group 100 in
ip mtu 1492
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user@isp.realm
ppp chap password 0 xxxxxx
router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
y.0.0.0/32 is subnetted, 1 subnets
C y.y.y.y is directly connected, Dialer0
a.a.a.0/32 is subnetted, 1 subnets
C a.a.a.a is directly connected, Dialer0
C 192.168.0.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 is directly connected, Dialer0
Access list 100 explicitly permits my office subnet, as does access list 23.
line vty 0 4
access-class 23 in
privilege level 15
login local
rotary 1
transport input all
transport output all
And rotary 1 maps to 2222.
I see the same problem with telnet and ssh (on the rotary and port 22) from outside, however inside it works without a hitch. I've tried messing with the login local and access lists to no avail. I suspect that IPCP is significant in this.
'Shaun' in this thread appears to have the exact same issue.
Many thanks to anyone who takes the time to help me with this. If you need any more info please let me know.
Regards,
Tom
09-04-2012 02:03 AM
Oleg,
I have tried your workaround in two locations and in both cases it has worked.
Hopefully Cisco will actually fix this bug in the next version of 12.4(24)T.
Thanks for your help!
Regards,
Tom
10-22-2012 04:27 AM
It is not a bug, it's unlikely to be ever 'fixed', and IOS 12.4 is not developed anymore.
05-21-2015 01:48 AM
We think this is a bug, and would like to see a bug ID so we can then check for sure which IOS releases are and are not affected.
We think it is a bug because it behaves differently in different IOS versions.
After an IOS upgrade, you find yourself unable to telnet to the router.
We think we have seen it with:
c870-advipservicesk9-mz.124-24.T4.bin
and:
c180x-advipservicesk9-mz.150-1.M7.bin
Because we're seeing it in IOS 15, the fact that IOS 12.4 is end of life doesn't matter...
Neil
05-21-2015 04:12 PM
Likely you have "permit ip any" in the NAT access list, which is not good.
01-12-2017 12:01 PM
Was this issue ever classified as a bug? I appreciate this is an old thread, but I had never come across this before until yesterday. I upgraded an 800 series router with 12.x to an 887VA with 15.3 code.
I had this exact issue where SSH was refused on the outside interface even with no ACLs on the vty lines or dialer. The only way I could permit SSH from outside was by port-forwarding the public IP to a loopback with the ip nat inside statement on the loopback interface.
01-12-2017 12:01 PM
Does your access list for NAT include a permit any?
HTH
Rick
01-13-2017 01:18 AM
No sir,
There are some specific static NATs to inside hosts and an overload statement for the dialer:
R1#sh run | in nat
ip nat inside source list 1 interface Dialer1 overload
R1#sh ip access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
01-13-2017 06:56 AM
Thanks for clarifying that your NAT does not include a permit any. Your problem must relate to something else and I am not clear what that would be. I am glad that you found a workaround.
HTH
Rick
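The two replies above (10-22-2012 and 01-12-2017) both point at a catch-all entry in the NAT source list. The configuration below is an added example, not a config posted by anyone in this thread: it shows the overload rule with a catch-all list beside the same rule scoped to the inside LAN, plus the rotary SSH port and vty access-class from the first post. The 192.168.0.0/24 LAN, the ACL numbers and the 203.0.113.0/24 management prefix are assumptions (the last one is a documentation placeholder to be replaced with the real office prefix).

```cisco
! Added example; not a config posted by anyone in this thread.
! Assumptions: inside LAN is 192.168.0.0/24 on Vlan1 (as in Tom's routing table),
! outside is Dialer0 with a negotiated address, ACL numbers 1 and 23 are arbitrary,
! 203.0.113.0/24 is a placeholder for the management source prefix.
!
! --- Weak: the overload source list matches all traffic ---
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit any
!
! --- Corrected: only the inside LAN is eligible for translation ---
no access-list 1
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! --- Management access on the rotary port, matching the vty settings in the first post ---
ip ssh port 2222 rotary 1
access-list 23 remark management sources only (placeholder prefix, replace it)
access-list 23 permit 203.0.113.0 0.0.0.255
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 rotary 1
 transport input ssh
!
! --- Verification, using the commands already used in the thread ---
! show control-plane host open-ports   -> tcp *:2222 *:0 SSH-Server LISTEN
! debug ip tcp packet (filtered on the office source address and port 2222, as Tom did)
!                                      -> the outside SYN should no longer be answered with "sent RST"
```

Two notes on the example. The vty block uses transport input ssh rather than the transport input all from the first post, so only SSH is reachable on the rotary and on port 22; if telnet from outside is really needed, keep the original setting. And the 01-13-2017 poster already had the source list scoped to 192.168.1.0/24 and still saw the refusal, so a scoped NAT list is the first thing to check, not a guaranteed fix.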
10-22-2012 07:15 AM
Hello,
ip ssh port 2222 rotary 1
I think this is the reason why you cannot telnet/ssh to your router.
regards,
Francis
10-22-2012 01:27 AM
Thanks for this post, it helped me a lot; it fixed my problem. I used extended NAT so that I could access my router remotely. Thanks again.