Cisco Telnet problem !?

Discussion in 'Cisco' started by Garry, Aug 9, 2004.

  1. Garry

    Garry Guest

    Hi folks,

    I've been wondering about a problem I've just noticed ... several of our
    routers - while still working perfectly fine as such (ping, routing,
    snmp etc.) - refuse to accept a telnet login and each and every IP
    address (ethernet and all ports w/ transfer IPs). Login on the console
    port still works fine, as does just about anything else I tried ...
    telnet is still dead though ...

    Is this a bug in the IOS, or just coincidence? These are three different
    machines with 4 different IOS versions ... !?

    Help appreciated, -gg
    Garry, Aug 9, 2004
    #1

  2. In article <cf7kkn$mt6$>, Garry <> wrote:

    > Hi folks,
    >
    > I've been wondering about a problem I've just noticed ... several of our
    > routers - while still working perfectly fine as such (ping, routing,
    > snmp etc.) - refuse to accept a telnet login and each and every IP
    > address (ethernet and all ports w/ transfer IPs). Login on the console
    > port still works fine, as does just about anything else I tried ...
    > telnet is still dead though ...


    What specific error do you get when you try to telnet to them? Do you
    have any packet filters configured, or "ip access-class" configured on
    the vty lines?

    Post one of the configs.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 9, 2004
    #2

  3. On Mon, 09 Aug 2004 09:00:26 -0400, Barry Margolin <> wrote:

    ~ In article <cf7kkn$mt6$>, Garry <> wrote:
    ~
    ~ > Hi folks,
    ~ >
    ~ > I've been wondering about a problem I've just noticed ... several of our
    ~ > routers - while still working perfectly fine as such (ping, routing,
    ~ > snmp etc.) - refuse to accept a telnet login and each and every IP
    ~ > address (ethernet and all ports w/ transfer IPs). Login on the console
    ~ > port still works fine, as does just about anything else I tried ...
    ~ > telnet is still dead though ...
    ~
    ~ What specific error do you get when you try to telnet to them. Do you
    ~ have any packet filters configured, or "ip access-class" configured on
    ~ the vty lines?
    ~
    ~ Post one of the configs.

    If you get a "connection refused" when you try to telnet to the router,
    then you're probably just using up all your vtys, in which case you
    should configure more vtys, assuming that the software lets you.

    When this problem happens, let's also see the output of "show users"
    (which you can get from the console.)
    Aaron Leonard, Aug 10, 2004
    #3
  4. Hansang Bae

    Hansang Bae Guest

    In article <cf7kkn$mt6$>, says...
    > Hi folks,
    >
    > I've been wondering about a problem I've just noticed ... several of our
    > routers - while still working perfectly fine as such (ping, routing,
    > snmp etc.) - refuse to accept a telnet login and each and every IP
    > address (ethernet and all ports w/ transfer IPs). Login on the console
    > port still works fine, as does just about anything else I tried ...
    > telnet is still dead though ...
    >
    > Is this a bug in the IOS, or just coincidence? These are three different
    > machines with 4 different IOS versions ... !?
    >
    > Help appreciated, -gg



    Couple of ideas:

    1) All your vty's are tied up. Console in and do a "sho user" to see
    if the vty's are tied up.

    2) You can go beyond 5 vty lines if you have enterprise IOS.

    3) You are out of memory (contiguous). I've seen lower end routers
    behave this way. A reboot is required to fix it.

    I'm assuming you don't have "access-class", "lock&Key" or
    "autocommand" statements on the vtys

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Aug 10, 2004
    #4
  5. Garry

    Garry Guest

    On Mon, 09 Aug 2004 09:00:26 -0400, Barry Margolin <>
    wrote:

    > ~ What specific error do you get when you try to telnet to them. Do you


    Connection refused ...

    > ~ have any packet filters configured, or "ip access-class" configured on
    > ~ the vty lines?


    No, not yet, but I will probably set up an access list to limit it to
    certain admin machines in our network ...

    > ~ Post one of the configs.


    aaa authentication login default local radius
    [..]
    user xxx pass 7 xxxxxxxxxx
    [..]
    line vty 0 4
    exec-timeout 15 0
    !

    Same config on many machines ... and working fine until recently ...

    Aaron Leonard wrote:

    > If you get a "connection refused" when you try to telnet to the router,
    > then you're probably just using up all your vtys, in which case you
    > should configure more vtys, assuming that the software lets you.


    Doesn't seem so - I only have console access to one of the affected
    routers ATM, but it looks like this:

    > When this problem happens, let's also see the output of "show users"
    > (which you can get from the console.)


    #show user all
    Line User Host(s) Idle Location
    * 0 con 0 xxx idle 00:00:00
    1 aux 0 00:00:00
    2 vty 0 00:00:00
    3 vty 1 idle 1d18h 61.xxx.xxx.xxx
    4 vty 2 00:00:00
    5 vty 3 00:00:00
    6 vty 4 00:00:00

    The only thing funny is the vty connection, I have set up a session
    timeout, but it's still there ...

    Hansang Bae wrote:

    > 1) All your vty's are tied up. Console in and do a "sho user" to see
    > if the vty's are tied up.


    Not the problem, at least AFAICT ATM ...

    > 2) You can go beyond 5 vty lines if you have enterprise IOS.


    The one I have access to ATM doesn't have an enterprise IOS

    > 3) You are out of memory (contiguous). I've seen lower end routers
    > behave this way. A reboot is required to fix it.


    Talking about two 3640, a 7206 and a 12000 series ... the 7206 doesn't
    seem to have a memory problem ...

    Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
    Processor 60C62B80 112841856 74533576 38308280 340192 2389888
    I/O 7800000 8388608 1922984 6465624 5734508 6456060
    PCI 4B000000 1048576 394264 654312 654312 654268

    > I'm assuming you don't have "access-class", "lock&Key" or "auto-
    > command" statements on the vtys


    None of those ... see above ... I will probably reboot one of the
    machines today, and waiting for our customer to reboot the CPE router he
    has at his place, and see if the problem occurs again ... making sure I
    have syslog logging on to see whether I can find anything there in case
    it happens again ...

    Tnx, -gg
    Garry, Aug 10, 2004
    #5
  6. As we suspected, you are getting "connection refused" when you
    try to telnet in because all 5 of your VTYs are in use.

    I recommend that you find out who is using all these vtys.
    In recent IOS, "show caller full" should tell you more.
    Assuming that these VTY lines are using TCP, "show tcp"
    should help.

    If these are legitimate users then you will want to bump up
    your vtys (may need newer IOS or a better featureset.)
    If not then you might want to turn on authentication
    (even ssh if available.) Filters on who can get to your
    router (input access lists, access-class) are a good idea.

    Aaron

    ---

    ~ On Mon, 09 Aug 2004 09:00:26 -0400, Barry Margolin <>
    ~ wrote:
    ~
    ~ > ~ What specific error do you get when you try to telnet to them. Do you
    ~
    ~ Connection refused ...
    ~
    ~ > ~ have any packet filters configured, or "ip access-class" configured on
    ~ > ~ the vty lines?
    ~
    ~ No, not yet, but I will probably set up an access list to limit it to
    ~ certain admin machines in our network ...
    ~
    ~ > ~ Post one of the configs.
    ~
    ~ aaa authentication login default local radius
    ~ [..]
    ~ user xxx pass 7 xxxxxxxxxx
    ~ [..]
    ~ line vty 0 4
    ~ exec-timeout 15 0
    ~ !
    ~
    ~ Same config on many machines ... and working fine until recently ...
    ~
    ~ Aaron Leonard wrote:
    ~
    ~ > If you get a "connection refused" when you try to telnet to the router,
    ~ > then you're probably just using up all your vtys, in which case you
    ~ > should configure more vtys, assuming that the software lets you.
    ~
    ~ Doesn't seem so - I only have console access to one of the affected
    ~ routers ATM, but it looks like this:
    ~
    ~ > When this problem happens, let's also see the output of "show users"
    ~ > (which you can get from the console.)
    ~
    ~ #show user all
    ~ Line User Host(s) Idle Location
    ~ * 0 con 0 xxx idle 00:00:00
    ~ 1 aux 0 00:00:00
    ~ 2 vty 0 00:00:00
    ~ 3 vty 1 idle 1d18h 61.xxx.xxx.xxx
    ~ 4 vty 2 00:00:00
    ~ 5 vty 3 00:00:00
    ~ 6 vty 4 00:00:00
    ~
    ~ The only thing funny is the vty connection, I have set up a session
    ~ timeout, but it's still there ...
    ~
    ~ Hansang Bae wrote:
    ~
    ~ > 1) All your vty's are tied up. Console in and do a "sho user" to see
    ~ > if the vty's are tied up.
    ~
    ~ Not the problem, at least AFAICT ATM ...
    ~
    ~ > 2) You can go beyond 5 vty lines if you have enterprise IOS.
    ~
    ~ The one I have access to ATM doesn't have an enterprise IOS
    ~
    ~ > 3) You are out of memory (contiguous). I've seen lower end routers
    ~ > behave this way. A reboot is required to fix it.
    ~
    ~ Talking about two 3640, a 7206 and a 12000 series ... the 7206 doesn't
    ~ seem to have a memory problem ...
    ~
    ~ Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
    ~ Processor 60C62B80 112841856 74533576 38308280 340192 2389888
    ~ I/O 7800000 8388608 1922984 6465624 5734508 6456060
    ~ PCI 4B000000 1048576 394264 654312 654312 654268
    ~
    ~ > I'm assuming you don't have "access-class", "lock&Key" or "auto-
    ~ > command" statements on the vtys
    ~
    ~ None of those ... see above ... I will probably reboot one of the
    ~ machines today, and waiting for our customer to reboot the CPE router he
    ~ has at his place, and see if the problem occurs again ... making sure I
    ~ have syslog logging on to see whether I can find anything there in case
    ~ it happens again ...
    ~
    ~ Tnx, -gg
    Aaron Leonard, Aug 10, 2004
    #6
  7. Aaron Leonard wrote:

    > ~ #show user all
    > ~ Line User Host(s) Idle Location
    > ~ * 0 con 0 xxx idle 00:00:00
    > ~ 1 aux 0 00:00:00
    > ~ 2 vty 0 00:00:00
    > ~ 3 vty 1 idle 1d18h 61.xxx.xxx.xxx
    > ~ 4 vty 2 00:00:00
    > ~ 5 vty 3 00:00:00
    > ~ 6 vty 4 00:00:00
    > As we suspected, you are getting "connection refused" when you
    > try to telnet in because all 5 of your VTYs are in use.



    Sorry, but what are you talking about?? There was only 1 (one) open
    connection - the others were idle ... I just did a "show user all" which
    also lists the inactive vtys ... !?

    Same thing on the other two machines that I checked today - one active,
    idle connection (idle for 1 week and 4 weeks respectively) - will check
    the logs later on to see whether I can find any more hints ...

    -gg
    Garry Glendown, Aug 10, 2004
    #7
  8. On Tue, 10 Aug 2004 22:25:35 +0200, Garry Glendown <> wrote:

    ~ Aaron Leonard wrote:
    ~
    ~ > ~ #show user all
    ~ > ~ Line User Host(s) Idle Location
    ~ > ~ * 0 con 0 xxx idle 00:00:00
    ~ > ~ 1 aux 0 00:00:00
    ~ > ~ 2 vty 0 00:00:00
    ~ > ~ 3 vty 1 idle 1d18h 61.xxx.xxx.xxx
    ~ > ~ 4 vty 2 00:00:00
    ~ > ~ 5 vty 3 00:00:00
    ~ > ~ 6 vty 4 00:00:00
    ~ > As we suspected, you are getting "connection refused" when you
    ~ > try to telnet in because all 5 of your VTYs are in use.
    ~
    ~
    ~ Sorry, but what are you talking about?? There was only 1 (one) open
    ~ connection - the others were idle ... I just did a "show user all" which
    ~ also lists the inactive vtys ... !?)

    Oops, I missed the "all" ... I read that as "show user" and so
    assumed that all listed vtys were the active ones.

    ~ Same thing on the other two machine that I checked today - one active,
    ~ idle connection (idle for 1 week and 4 weeks respectively) - will check
    ~ the loggs later on to see whether I can find any more hints ...
    ~
    ~ -gg

    So now I'm trying to think why you would get a "connection refused"
    when you try to telnet into this router ... do you get that even
    if you try to telnet in from the console? It might be good to
    have "debug ip tcp transactions" in effect. What are the applicable
    bits of the config (any input access lists and the line config?)
    Aaron Leonard, Aug 11, 2004
    #8
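    A small parser for the "show users all" output quoted earlier in the thread, added here as an example and not something any poster wrote. It turns the misreading Aaron describes into a rule: with "all", IOS lists every line, and a vty is only in use when it carries a User/Host(s) entry ("idle" when there is no outgoing connection) or a Location, rather than just the zero idle counter. It also flags the other oddity Garry pointed out, a session idle far longer than the configured "exec-timeout 15 0". The sample output, user name and address are constructed; the idle-counter parser handles the hh:mm:ss, NdNh and NwNd forms IOS uses.

```python
import re

# Constructed sample, shaped like the "show users all" output quoted in the
# thread (user name, address and line numbers are made up, not real devices).
SHOW_USERS_ALL = """\
    Line       User       Host(s)              Idle       Location
*    0 con 0   admin      idle                 00:00:00
     1 aux 0                                   00:00:00
     2 vty 0                                   00:00:00
     3 vty 1              idle                 1d18h      192.0.2.10
     4 vty 2                                   00:00:00
     5 vty 3                                   00:00:00
     6 vty 4                                   00:00:00
"""

LINE_RE = re.compile(r"^\s*(\*?)\s*(\d+)\s+(con|aux|tty|vty)\s+(\d+)\s+(.*)$")
IDLE_RE = re.compile(r"^(?:(\d+)w(\d+)d|(\d+)d(\d+)h|(\d+):(\d+):(\d+))$")


def parse_idle(token):
    """Convert an IOS idle counter (hh:mm:ss, NdNh or NwNd) to seconds."""
    m = IDLE_RE.match(token)
    if not m:
        raise ValueError("not an idle counter: %r" % token)
    w, d1, d2, h, hh, mm, ss = m.groups()
    if w is not None:
        return int(w) * 7 * 86400 + int(d1) * 86400
    if d2 is not None:
        return int(d2) * 86400 + int(h) * 3600
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def parse_show_users(text):
    """Return one dict per line; 'active' means an EXEC session is present.

    With 'all', IOS prints every line: inactive ones carry only the
    00:00:00 idle counter, active ones also show User/Host(s) ('idle'
    when there is no outgoing connection) and usually a Location."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # column header or blank line
        current, _num, kind, idx, rest = m.groups()
        tokens = rest.split()
        idle_pos = next((i for i, t in enumerate(tokens) if IDLE_RE.match(t)), None)
        if idle_pos is None:
            continue
        before, location = tokens[:idle_pos], " ".join(tokens[idle_pos + 1:])
        sessions.append({
            "line": "%s %s" % (kind, idx),
            "current": current == "*",
            "active": bool(before) or bool(location),
            "idle_seconds": parse_idle(tokens[idle_pos]),
            "location": location,
        })
    return sessions


def vty_summary(text, exec_timeout_seconds):
    """Count vty usage and flag sessions idle longer than exec-timeout allows."""
    vtys = [s for s in parse_show_users(text) if s["line"].startswith("vty")]
    active = [s for s in vtys if s["active"]]
    stale = [s["line"] for s in active if s["idle_seconds"] > exec_timeout_seconds]
    return {
        "vty_total": len(vtys),
        "vty_active": len(active),
        "vty_free": len(vtys) - len(active),
        "exhausted": len(active) == len(vtys),  # the "connection refused" case
        "stale": stale,  # idle past exec-timeout, yet still holding a vty
    }


if __name__ == "__main__":
    # "exec-timeout 15 0" from the thread's vty config: 15 minutes, 0 seconds
    print(vty_summary(SHOW_USERS_ALL, 15 * 60))
```

    Run against the sample, it reports five vtys with one in use and four free, so the pool is not exhausted, and lists vty 1 as stale: an EXEC session idle for 1d18h should have been cleared by a 15-minute exec-timeout, which is the same inconsistency Garry noticed.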
  9. Garry

    Garry Guest

    Aaron Leonard wrote:

    > So now I'm trying to think why you would get a "connection refused"
    > when you try to telnet into this router ... do you get that even
    > if you try to telnet in from the console? It might be good to
    > have "debug ip tcp transactions" in effect. What are the applicable
    > bits of the config (any input access lists and the line config?)


    Aug 12 10:33:06: TCP0: bad seg from xxx.xxx.xxx.66 -- No wild listener:
    seq 28050
    Aug 12 10:33:09: TCP0: bad seg from xxx.xxx.xxx.66 -- No wild listener:
    seq 28050
    Aug 12 10:33:11: TCP0: bad seg from 24.54.153.117 -- No wild listener:
    seq 41970

    No special config for the vty or access lists ... I could reboot the
    router and it would work again right away w/o any changes ... I assume
    the process taking care of the telnet service is dead ...

    -gg
    Garry, Aug 12, 2004
    #9
  10. > > So now I'm trying to think why you would get a "connection refused"
    > > when you try to telnet into this router ... do you get that even
    > > if you try to telnet in from the console? It might be good to
    > > have "debug ip tcp transactions" in effect. What are the applicable
    > > bits of the config (any input access lists and the line config?)


    > Aug 12 10:33:06: TCP0: bad seg from xxx.xxx.xxx.66 -- No wild listener:
    > seq 28050
    > Aug 12 10:33:09: TCP0: bad seg from xxx.xxx.xxx.66 -- No wild listener:
    > seq 28050
    > Aug 12 10:33:11: TCP0: bad seg from 24.54.153.117 -- No wild listener:
    > seq 41970


    > No special config for the vty or access lists ... I could reboot the
    > router and it would work again right away w/o any changes ... I asume
    > the process taking care of the telnet service is dead ...


    > -gg


    Yeah, that's definitely an IOS bug that you've got there.

    I didn't catch what IOS version you're running, but a likely
    culprit would be:

    CSCdx39953
    Externally found moderate defect: Resolved (R)
    Telnet into the router fails intermittently

    Release-note: Modified 040308 by qddts

    2600 series routers with Cisco IOS version 12.2(3) may intermittently fail
    telnet attempts into the router. The problem is triggered by low memory.

    Workaround: There is no workaround.

    Version 12.2(3)
    Integrated in 12.2(15)BX 12.2(15)ZN 12.2(15)BZ 12.2(15)BW 12.2(15)B
    12.2(13.06)S 12.2(13.04)PI06 12.2(13.04)T 012.002(013.004)

    So if you're running an IOS version susceptible to this bug,
    (presumably any 12.2 IOS < 12.2(13.4)*), then you should consider
    upgrading. Also keep an eye out for (possibly ephemeral) memory
    shortages.

    Aaron
    Aaron Leonard, Aug 12, 2004
    #10
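    The "debug ip tcp transactions" lines Garry posted say that a SYN arrived for a port with no socket listening for any remote peer (a "wild listener"), so IOS answered with a reset and the telnet client reported "connection refused". As an added example, not part of the thread, here is detection logic over constructed lines in that format. A repeated (source, seq) pair is one client retransmitting the same SYN after being refused; several distinct sources refused inside one window points at the listener itself being gone rather than at a single client, which is the condition Aaron attributes to the IOS defect above. The addresses are documentation ranges, the year is supplied because IOS timestamps omit it, and the window and source thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the "debug ip tcp transactions" lines
# quoted in the thread; the addresses are documentation ranges, not real hosts.
DEBUG_LINES = """\
Aug 12 10:33:06: TCP0: bad seg from 192.0.2.66 -- No wild listener: seq 28050
Aug 12 10:33:09: TCP0: bad seg from 192.0.2.66 -- No wild listener: seq 28050
Aug 12 10:33:11: TCP0: bad seg from 198.51.100.117 -- No wild listener: seq 41970
Aug 12 10:33:15: TCP0: bad seg from 198.51.100.117 -- No wild listener: seq 41970
Aug 12 10:33:30: %SYS-5-CONFIG_I: Configured from console by console
"""

NO_LISTENER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}): TCP\d+: bad seg from (?P<src>\S+)"
    r" -- No wild listener: seq (?P<seq>\d+)$"
)


def parse_no_listener(text, year):
    """Extract the refused-connect events; other debug/syslog lines are skipped.

    IOS timestamps carry no year, so the caller supplies it (assumption)."""
    events = []
    for line in text.splitlines():
        m = NO_LISTENER_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m.group("src"), "seq": int(m.group("seq"))})
    return events


def analyse(events, window_seconds=60, min_sources=2):
    """Summarise refused connects and decide whether the service is down.

    Same (source, seq) more than once: the client is retransmitting a SYN
    that the router keeps answering with RST. At least `min_sources`
    distinct sources refused within `window_seconds`: the listener is
    missing for everyone, not just misbehaviour by one client."""
    by_key = defaultdict(int)
    for e in events:
        by_key[(e["src"], e["seq"])] += 1
    retransmits = sorted(k for k, n in by_key.items() if n > 1)

    listener_down = False
    for i, first in enumerate(events):
        window = [x for x in events[i:]
                  if (x["ts"] - first["ts"]).total_seconds() <= window_seconds]
        if len({x["src"] for x in window}) >= min_sources:
            listener_down = True
            break
    return {
        "events": len(events),
        "sources": sorted({e["src"] for e in events}),
        "retransmits": retransmits,
        "listener_down": listener_down,
    }


if __name__ == "__main__":
    print(analyse(parse_no_listener(DEBUG_LINES, year=2004)))
```

    On the sample this yields four events from two sources, both of them retransmitting, and raises the listener-down condition; the unrelated SYS-5-CONFIG_I line is ignored. The same pattern appearing while the console still works and the config is unchanged is what separates "the telnet process is gone" from an access-class or filter problem, which would not produce "No wild listener" at all.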
  11. You need to configure a password on your VTY lines before you can
    login using telnet. I noticed in your config:

    line vty 0 4
    exec-timeout 15 0
    !

    try this:

    1. config t
    2. enable secret </your enable password>
    3. line vty 0 4
    4. password </your vty password here>
    5. login

    When you try to telnet it will prompt you for a password, type the
    password you created for VTY and you should connect.

    Aaron Leonard <> wrote in message news:<>...
    > As we suspected, you are getting "connection refused" when you
    > try to telnet in because all 5 of your VTYs are in use.
    >
    > I recommend that you find out who is using all these vtys.
    > In recent IOS, "show caller full" should tell you more.
    > Assuming that these VTY lines are using TCP, "show tcp"
    > should help.
    >
    > If these are legitimate users then you will want to bump up
    > your vtys (may need newer IOS or a better featureset.)
    > If not then you might want to turn on authentication
    > (even ssh if available.) Filters on who can get to your
    > router (input access lists, access-class) are a good idea.
    >
    > Aaron
    >
    > ---
    >
    > ~ On Mon, 09 Aug 2004 09:00:26 -0400, Barry Margolin <>
    > ~ wrote:
    > ~
    > ~ > ~ What specific error do you get when you try to telnet to them. Do you
    > ~
    > ~ Connection refused ...
    > ~
    > ~ > ~ have any packet filters configured, or "ip access-class" configured on
    > ~ > ~ the vty lines?
    > ~
    > ~ No, not yet, but I will probably set up an access list to limit it to
    > ~ certain admin machines in our network ...
    > ~
    > ~ > ~ Post one of the configs.
    > ~
    > ~ aaa authentication login default local radius
    > ~ [..]
    > ~ user xxx pass 7 xxxxxxxxxx
    > ~ [..]
    > ~ line vty 0 4
    > ~ exec-timeout 15 0
    > ~ !
    > ~
    > ~ Same config on many machines ... and working fine until recently ...
    > ~
    > ~ Aaron Leonard wrote:
    > ~
    > ~ > If you get a "connection refused" when you try to telnet to the router,
    > ~ > then you're probably just using up all your vtys, in which case you
    > ~ > should configure more vtys, assuming that the software lets you.
    > ~
    > ~ Doesn't seem so - I only have console access to one of the affected
    > ~ routers ATM, but it looks like this:
    > ~
    > ~ > When this problem happens, let's also see the output of "show users"
    > ~ > (which you can get from the console.)
    > ~
    > ~ #show user all
    > ~ Line User Host(s) Idle Location
    > ~ * 0 con 0 xxx idle 00:00:00
    > ~ 1 aux 0 00:00:00
    > ~ 2 vty 0 00:00:00
    > ~ 3 vty 1 idle 1d18h 61.xxx.xxx.xxx
    > ~ 4 vty 2 00:00:00
    > ~ 5 vty 3 00:00:00
    > ~ 6 vty 4 00:00:00
    > ~
    > ~ The only thing funny is the vty connection, I have set up a session
    > ~ timeout, but it's still there ...
    > ~
    > ~ Hansang Bae wrote:
    > ~
    > ~ > 1) All your vty's are tied up. Console in and do a "sho user" to see
    > ~ > if the vty's are tied up.
    > ~
    > ~ Not the problem, at least AFAICT ATM ...
    > ~
    > ~ > 2) You can go beyond 5 vty lines if you have enterprise IOS.
    > ~
    > ~ The one I have access to ATM doesn't have an enterprise IOS
    > ~
    > ~ > 3) You are out of memory (contiguous). I've seen lower end routers
    > ~ > behave this way. A reboot is required to fix it.
    > ~
    > ~ Talking about two 3640, a 7206 and a 12000 series ... the 7206 doesn't
    > ~ seem to have a memory problem ...
    > ~
    > ~ Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
    > ~ Processor 60C62B80 112841856 74533576 38308280 340192 2389888
    > ~ I/O 7800000 8388608 1922984 6465624 5734508 6456060
    > ~ PCI 4B000000 1048576 394264 654312 654312 654268
    > ~
    > ~ > I'm assuming you don't have "access-class", "lock&Key" or "auto-
    > ~ > command" statements on the vtys
    > ~
    > ~ None of those ... see above ... I will probably reboot one of the
    > ~ machines today, and waiting for our customer to reboot the CPE router he
    > ~ has at his place, and see if the problem occurs again ... making sure I
    > ~ have syslog logging on to see whether I can find anything there in case
    > ~ it happens again ...
    > ~
    > ~ Tnx, -gg
    Anthony Swanson, Aug 14, 2004
    #11
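    Aaron's reply #6 and Anthony's reply #11 both turn on the vty line configuration: who may reach it (input access lists, "access-class"), how it authenticates, and whether plain telnet should stay enabled when ssh is available. The audit script below is an added example, not configuration or code from the thread. It parses two constructed configs (placeholder values only, not the poster's devices): one shaped like the fragment posted in the thread and one with the recommended controls applied. It accepts "aaa new-model" with an "aaa authentication login" list, "login local", or "login" plus a line "password" as an authentication method, and reports a missing or non-ssh "transport input", a missing, outbound-only or undefined "access-class", and a missing or disabled ("0 0") "exec-timeout".

```python
import re

# Constructed configs with placeholder values (not the thread's real devices).
# WEAK_CONFIG mirrors the fragment posted in the thread; HARDENED_CONFIG adds
# the controls recommended in the replies.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local radius
username admin password 7 PLACEHOLDER
line vty 0 4
 exec-timeout 15 0
!
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local radius
username admin password 7 PLACEHOLDER
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 transport input ssh
!
"""

ACL_RE = re.compile(r"(?:ip access-list \S+ |access-list )(\S+)")


def parse_config(text):
    """Split an IOS config into global commands and 'line vty' stanzas.

    Sub-commands are indented by one space; any unindented line ends the
    current stanza, so '!' separators and other sections are handled."""
    global_cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith("line vty"):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, stanzas


def audit_vty(text):
    """Return (line-range, finding) pairs for every vty range in the config."""
    global_cmds, stanzas = parse_config(text)
    aaa = "aaa new-model" in global_cmds
    acls = {m.group(1) for g in global_cmds for m in [ACL_RE.match(g)] if m}
    findings = []
    for name, body in stanzas.items():
        # Authentication: AAA applies its default list to every line; without
        # AAA the line needs 'login local' or 'login' plus a line password.
        has_login = aaa or "login local" in body or (
            "login" in body and any(b.startswith("password ") for b in body))
        if not has_login:
            findings.append((name, "no authentication method for remote login"))

        # Source restriction: access-class must exist, be inbound, and
        # reference an ACL that is actually defined.
        ac = next((b for b in body if b.startswith("access-class ")), None)
        if ac is None:
            findings.append((name, "no access-class: any source may open a session"))
        elif not ac.endswith(" in"):
            findings.append((name, "access-class is not applied inbound"))
        elif ac.split()[1] not in acls:
            findings.append((name, "access-class refers to undefined ACL %s" % ac.split()[1]))

        # Transport: only ssh; absent means the platform default, which
        # historically allowed telnet.
        transport = next((b for b in body if b.startswith("transport input ")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append((name, "transport input not restricted to ssh"))

        # Idle sessions must be reclaimed; 'exec-timeout 0 0' disables that.
        et = next((b for b in body if b.startswith("exec-timeout ")), None)
        if et is None or et.split()[1:] == ["0", "0"]:
            findings.append((name, "exec-timeout missing or disabled"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or "no findings")
```

    The thread-shaped config passes the authentication check because of its AAA list and is reported only for the two controls Aaron recommends, an inbound access-class and ssh-only transport; the hardened config produces no findings. Checking that the referenced ACL exists matters because an access-class pointing at an undefined numbered ACL permits everything, which silently defeats the restriction.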