Weird "issue"

Unanswered Question
Nov 19th, 2008

I noticed today that I have a telnetting problem to one router.

This router has a route:

ip route

The interfaces on it are:

int FA0/0

int FA0/1

The router on the other end has a route to this network as:

int fa0/0

We run bgp and redistribute statics.

ip route

My L3 switch has a route to through

The issue is this:

I can ping the address with no problem from my workstation, but I can't telnet to it. I can't telnet to it from my L3 switch, but I can ping it. I CAN telnet from the primary router and I CAN telnet to it from any other device that's in the bgp network.

There are no acls keeping me from telnetting to the device. I can't reverse telnet from the device into my L3 switch, but I can into the main router.

If I look at the routing table, I notice that I don't have a route to the network in my L3 switch table, but I do have one for the internal network. I'm assuming this is the cause, but I don't understand why I can't telnet into the router if I can ping it.

Any suggestions?



Jon Marshall Wed, 11/19/2008 - 09:28


So it looks like

( fa0/0 R1 fa0/1 ( -> ( int ?? Main Router fa0/0 ( -> L3 switch

Your L3 switch doesn't need a route for unless you want to get to one of the 172.27.1.x addresses from the switch, so that is not causing your issue.

What happens when you try to telnet - does it come straight back, hang a while, etc.?

Do you have TACACS running on it?

Are you allowing telnet as a transport on the vty lines?


John Blakley Wed, 11/19/2008 - 09:45

Well, more information.

I have radius running. When I telnet into the address from my workstation, I get a login but my credentials don't work. If I telnet to the same address from the router, my credentials work.

I ran nmap against that IP to see what ports were open, and it came back with 23 and 80. I tried to connect to 80, and it said "Firewall connect failed." This was a normal web server message and not a popup. I "think" that there's another device that I'm hitting, so I'm still trying to track it down.

Thanks Jon!


Jon Marshall Wed, 11/19/2008 - 10:13


Have you checked the RADIUS logs to see both the failed and the successful authentications?


John Blakley Wed, 11/19/2008 - 12:07

I just had a chance to do this, and the results are:

I get a log entry when I telnet from my main router to remote router.

No entry when I telnet directly to remote router.

Can you explain why I can't telnet to the address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface.


Jon Marshall Wed, 11/19/2008 - 12:19

"Can you explain why I can't telnet to the address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface."

Not at the moment no :-)

So when you telnet to rather than the address, do you get asked for login credentials or does it just time out?

Is the primary address on that interface?

If you don't know whether the traffic is reaching the remote router then you can use an ACL, i.e.

access-list 101 permit tcp host host eq 23

access-list 101 permit icmp host

access-list 101 permit ip any any

int fa0/1

ip access-group 101 in

at least you would then be able to tell if packets are hitting the WAN interface on the remote router.


John Blakley Wed, 11/19/2008 - 12:21

LOL! I haven't tried the ACL. I'll do that now and post the results. :-)

Oh, yes, it times out by the way.


John Blakley Wed, 11/19/2008 - 12:35

Okay, here are the results:

I do not get a hit on the acl from my workstation to the public interface, but I do get one when I'm trying to hit the private side of I still don't get a login prompt to the inside interface though.


Jon Marshall Wed, 11/19/2008 - 12:41

And when you ping - do you see a hit then?

Okay, so can you apply this ACL outbound on the VLAN interface your client is connected to:

access-list 101 permit tcp any eq 23 host

access-list 101 permit icmp any host

access-list 101 permit ip any any

We should then be able to see if the remote router is returning packets to your client.

Any chance of the config of the remote router?

Also, any chance of temporarily disabling RADIUS for router and then trying to telnet?
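Jon's two ACLs above (the one applied inbound on the remote router's WAN interface, and the one applied outbound on the client's VLAN interface) work as per-flow packet counters: after the telnet attempt, `show access-lists 101` prints a `(N matches)` count next to each entry, and comparing the telnet and ICMP counters tells you whether the SYNs ever reach that interface at all. The script below is an added example and is not part of the original thread; it parses two constructed snapshots of IOS `show access-lists` output taken before and after a telnet attempt and reports which entries incremented. The addresses in the sample (192.0.2.50 for the workstation, 198.51.100.1 for the router) are RFC 5737 documentation placeholders standing in for the ones the page omits.

```python
import re
from typing import Dict, Tuple

# Constructed sample output (not from the thread): "show access-lists 101" on the
# remote router before and after one telnet attempt from the workstation.
# 192.0.2.50 (workstation) and 198.51.100.1 (router WAN address) are RFC 5737
# documentation placeholders standing in for the addresses the page omits.
BEFORE = """\
Extended IP access list 101
    10 permit tcp host 192.0.2.50 host 198.51.100.1 eq telnet (2 matches)
    20 permit icmp host 192.0.2.50 host 198.51.100.1 (7 matches)
    30 permit ip any any (10234 matches)
"""
AFTER = """\
Extended IP access list 101
    10 permit tcp host 192.0.2.50 host 198.51.100.1 eq telnet (2 matches)
    20 permit icmp host 192.0.2.50 host 198.51.100.1 (11 matches)
    30 permit ip any any (10361 matches)
"""

# One access-control entry as IOS prints it: sequence number, action, rule text
# and an optional "(N match)" / "(N matches)" counter. IOS omits the counter
# entirely for an entry that has never matched.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_acl_counters(show_output: str) -> Dict[int, Tuple[str, int]]:
    """Map ACE sequence number -> (rule text, match count)."""
    entries: Dict[int, Tuple[str, int]] = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m is None:
            continue  # "Extended IP access list 101" header or blank line
        rule = f"{m['action']} {m['rule']}"
        entries[int(m["seq"])] = (rule, int(m["matches"] or 0))
    return entries


def counter_deltas(before: str, after: str) -> Dict[int, Tuple[str, int]]:
    """Per-ACE increase in match count between two snapshots."""
    old = parse_acl_counters(before)
    new = parse_acl_counters(after)
    return {
        seq: (rule, count - old.get(seq, (rule, 0))[1])
        for seq, (rule, count) in new.items()
    }


def hits_for(before: str, after: str, *keywords: str) -> int:
    """Total increase over ACEs whose rule text contains every keyword,
    e.g. hits_for(b, a, "tcp", "eq telnet") or hits_for(b, a, "icmp")."""
    return sum(
        delta
        for rule, delta in counter_deltas(before, after).values()
        if all(k in rule for k in keywords)
    )


def interpret(before: str, after: str) -> str:
    """The decision the thread is working toward, as a troubleshooting heuristic."""
    telnet = hits_for(before, after, "tcp", "eq telnet")
    icmp = hits_for(before, after, "icmp")
    if telnet > 0:
        return "telnet reached this interface: look at the router itself (vty transport, aaa/radius)"
    if icmp > 0:
        return "icmp reached this interface but telnet did not: port 23 is answered or dropped upstream"
    return "nothing from the client reached this interface: check routing toward the client"


if __name__ == "__main__":
    for seq, (rule, delta) in sorted(counter_deltas(BEFORE, AFTER).items()):
        print(f"{seq:>4} {rule:<55} +{delta}")
    print(interpret(BEFORE, AFTER))
```

On the router itself the same comparison is done with `clear access-list counters 101` before the attempt and `show access-lists 101` after it. In the constructed sample the ICMP entry gains four hits and the telnet entry gains none, which is the pattern the thread is probing for: the router answers pings, but port 23 is being answered or dropped before the packets reach it, consistent with John's later observation that the address stays pingable with the interface shut.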


John Blakley Wed, 11/19/2008 - 12:57

Here's the latest:

I ran debugs on the router for radius:

debug radius

I then telnetted to the router from the main router and I started getting hits in the terminal window for radius "Get_User" and "Get_Passwd" etc.

I then closed out of the main router telnet session, and I telnetted from my workstation. There were no hits for radius debugs, which tells me that I'm actually hitting another device somewhere. I'm giving up on this until Friday (I've been told to), but I think I'm 100% confident that this is another device, whether it be a device in between (at the local carrier) or a device elsewhere.

Thanks Jon!


John Blakley Wed, 11/19/2008 - 13:10

Definitely another device. I shut the interface down, and I could still ping the address. Go figure. Now I just have to find it.


