
1841 Router Telnet & SDM quit

scottford
Level 1

I have generally managed my routers by telnet connection to their WAN IP address. They have always been accessible by WAN or LAN address to a telnet connection. Rarely I would log in via the SDM. One of my routers suddenly is inaccessible using either method, although I can gain access to it through the console serial port. I have checked and compared show runs between routers but cannot figure out what needs to be done to re-enable Telnet. I have verified that the HTTP server function is enabled so SDM should at least be working. Any advice would be appreciated.


guruprasadr
Level 7

Hi Scott,

Can you please post the Configuration.

1. Can you check the router log & give more inputs

2. Try by rebooting the router once.

Pls Rate if Helps

Best Regards,

Guru Prasad R

Thanks for the reply. Yes I will post the configuration. I have to physically drive to the location to get it. I will do the reboot while I am there.

FORSYTHROUTER#show run

Building configuration...

Current configuration : 2989 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname FORSYTHROUTER

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret xxx

!

no aaa new-model

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

--More-- no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.244.1 192.168.244.99

!

ip dhcp pool FORSYTHdhcp

network 192.168.244.0 255.255.255.0

default-router 192.168.244.3

dns-server 192.168.242.7

!

!

ip domain name yourdomain.com

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$

--More-- ip address 10.1.1.4 255.255.255.0

speed 100

full-duplex

no mop enabled

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0/0

!

interface FastEthernet0/0/1

shutdown

!

interface FastEthernet0/0/2

shutdown

!

interface FastEthernet0/0/3

switchport access vlan 2

!

interface Vlan1

--More-- ip address 192.168.244.3 255.255.255.0

!

interface Vlan2

ip address 192.168.24.251 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.1

ip route 10.8.1.0 255.255.255.0 10.1.1.2

ip route 10.251.8.0 255.255.255.0 192.168.241.1

ip route 10.251.32.0 255.255.255.0 10.1.1.2

ip route 192.168.21.0 255.255.255.0 10.1.1.1

ip route 192.168.22.0 255.255.255.0 10.1.1.2

ip route 192.168.23.0 255.255.255.0 10.1.1.3

ip route 192.168.240.0 255.255.255.0 10.1.1.3

ip route 192.168.241.0 255.255.255.0 10.1.1.2

ip route 192.168.242.0 255.255.255.0 10.1.1.1

!

ip http server

ip http access-class 23

ip http authentication local

ip http timeout-policy idle 60 life 86400 requests 10000

!

access-list 23 permit 10.10.10.0 0.0.0.7

--More-- !

control-plane

!

banner login ^C

-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device.

no username cisco

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm

--More-- -----------------------------------------------------------------------

^C

!

line con 0

login local

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

password xxxxxx

login local

transport input telnet

line vty 5 15

access-class 23 in

privilege level 15

password xxxxxxx

login local

transport input telnet

!

end

Hi,

I've noticed that "access-class 23" is applied to both the HTTP access and the VTY access (telnet), accordingly you must be trying to access the router using an IP in the "10.10.10.0/29" subnet, as the router will only accept this.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

I agree with Mohammed that the access class restriction is a likely source of the problem. I also notice that the vty are configured with login local which requires a locally configured user name and password. But I do not see any user names and passwords configured. I would think that this would also prevent access. Except that the console is also configured with login local. If console access works then I assume that there are parts of the config that did not get posted.

HTH

Rick

The only things I removed from the show run were statements that contained passwords.

Thanks Mohammed, I will try removing that access class on my next pass through there.

Hi,

You are welcome, please keep us updated with the results.

HTH,

Mohammed Mahmoud.

Mohammed-

I finally got over to that location and removed access-list 23, and as you suspected, that was the problem. I found this very odd, as that access-list has been on the router ever since I installed it, and only recently has begun denying my telnet and http access to it. Thanks so much for your helpful reply!

Scott

Thanks for the update. I am glad that you have restored access to the router. It is very odd that the access list would only recently have begun denying telnet and http access unless something has changed. Is it possible that the content of access list 23 was changed? Or is it possible that the address from which you are attempting access has changed?

HTH

Rick


Rick,

It has to have been a moment of density on my part. The only thing I can think of is that I did originally remove the access-list from the running config but did not write mem, and the router may have power cycled due to a power failure and reloaded the access list. I don't remember having to remove the access list before, but it was about 5 months ago when I installed it. This is the only reasonable explanation I can come up with. The address scheme of the router has remained the same, and I haven't edited the access list for that router at all.

Thanks!

Scott


Thanks for the additional information. It is a reasonable scenario and would explain the behavior if you had removed the access list, had not saved the revised config to NVRAM, and if the router recently reloaded then it would produce exactly the symptoms that you describe.

As a solution for the problem you can either permanently remove the access list or you can re-write the access list to include the addresses from which you will initiate the access. Personally I would prefer to have the access list restricting who can access the router.

HTH

Rick
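The check discussed in this thread, as an added example that is not part of any post: a Python sketch that reads a saved running-config and reports whether a given source address passes the standard ACL bound to the vty lines and to the HTTP server. The sample config is a constructed excerpt of the one posted above; the function names are hypothetical, and treating an access-class that names an undefined ACL as unfiltered is an assumption, consistent with access returning once access-list 23 was removed.

```python
import ipaddress
import re

# Constructed excerpt: the management-plane lines from the config posted above.
SAMPLE_CONFIG = """\
ip http server
ip http access-class 23
access-list 23 permit 10.10.10.0 0.0.0.7
line vty 0 4
 access-class 23 in
 login local
 transport input telnet
"""
# Handles "<addr> [wildcard]", "host <addr>" and "any" standard-ACL entries only.
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_standard_acls(config):
    """Map ACL number -> ordered (action, address, wildcard) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, addr, arg = m.groups()
        if addr == "any":
            entry = (action, 0, 0xFFFFFFFF)
        elif addr == "host":
            entry = (action, to_int(arg), 0)
        else:
            entry = (action, to_int(addr), to_int(arg or "0.0.0.0"))
        acls.setdefault(num, []).append(entry)
    return acls

def acl_permits(entries, source_ip):
    """First matching entry wins; a defined ACL ends in an implicit deny."""
    src = to_int(source_ip)
    for action, net, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if (src & care) == (net & care):
            return action == "permit"
    return False

def check_management_access(config, source_ip):
    """Return {'vty': bool, 'http': bool} for one source address."""
    acls = parse_standard_acls(config)
    refs = {"vty": re.findall(r"(?m)^\s*access-class (\d+) in\s*$", config),
            "http": re.findall(r"(?m)^\s*ip http access-class (\d+)\s*$", config)}
    # Assumption: an access-class that names an undefined ACL does not filter.
    return {svc: all(acl_permits(acls[n], source_ip) for n in nums if n in acls)
            for svc, nums in refs.items()}
```

Running it against the startup-config as well as the running-config shows whether a reload would bring back a restriction that was only removed in memory.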


Hope you have checked the physical connection:).

Since you are sure that http service is enabled, I don't see any other problem.

--Jaffer

Yes the physical connection is good. If it were not, the entire site would be offline.
