Weird "issue"

John Blakley
VIP Alumni

I noticed today that I have a telnetting problem to one router.

This router has a route:

ip route 0.0.0.0 0.0.0.0 172.27.1.2

The interfaces on it are:

int FA0/0

10.5.5.1

10.6.5.1

int FA0/1

172.27.1.1

The router on the other end has a route to this network as:

int fa0/0

10.10.10.1

We run bgp and redistribute statics.

ip route 10.5.5.0 255.255.255.0 172.27.1.1

My L3 switch has a route to 10.5.5.0 through 10.10.10.1

The issue is this:

I can ping the 10.5.5.1 address with no problem from my workstation, but I can't telnet to it. I can't telnet to it from my L3 switch, but I can ping it. I CAN telnet from the primary router 10.10.10.1 and I CAN telnet to it from any other device that's in the bgp network.

There are no acls keeping me from telnetting to the device. I can't reverse telnet from the device into my L3 switch, but I can into the main router.

If I look at the routing table, I notice that I don't have a route to the 172.27.1.0 network in my L3 switch table, but I do have one for the internal network. I'm assuming this is the cause, but I don't understand why I can't telnet into the 10.5.5.1 router if I can ping it.

Any suggestions?

Thanks,

John

HTH, John *** Please rate all useful posts ***
10 Replies

Jon Marshall
Hall of Fame

John

So it looks like

(10.5.5.1) fa0/0 R1 fa0/1 (172.27.1.1) -> (172.27.1.2) int ?? Main Router fa0/0 (10.10.10.1) -> L3 switch

Your L3 switch doesn't need a route for 172.27.1.0 unless you want to get to one of the 172.27.1.x addresses from the switch so that is not causing your issue.

What happens when you try and telnet - does it come straight back, hang a while etc ?

Do you have tacacs running on it ?

Are you allowing telnet as a transport on the vty lines ?

Jon

Well, more information.

I have radius running. When I telnet into the 172.27.1.1 address from my workstation, I get a login but my credentials don't work. If I telnet to the same address from the 172.27.1.2 router, my credentials work.

I ran nmap against that IP to see what ports were open, and it came back with 23 and 80. I tried to connect to 80, and it said "Firewall connect failed." This was a normal web server message and not a popup. I "think" that there's another device that I'm hitting, so I'm still trying to track it down.

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***

John

Have you checked the radius logs to see both the failed and the successful authentications ?

Jon

I just had a chance to do this, and the results are:

I get a log entry when I telnet from my main router to remote router.

No entry when I telnet directly to remote router.

Can you explain why I can't telnet to the 10.5.5.1 address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface.

--John

HTH, John *** Please rate all useful posts ***

"Can you explain why I can't telnet to the 10.5.5.1 address even though I can ping it? I've never seen that before unless there was an acl applied to the line or interface."

Not at the moment no :-)

So when you telnet to 10.5.5.1 rather than the 172.27.1.1 address do you get asked for login credentials or does it just time out ?

Is 10.5.5.1 the primary address on that interface ?

If you don't know whether the traffic is reaching the remote router then you can use an acl, i.e.

access-list 101 permit tcp host host 10.5.5.1 eq 23

access-list 101 permit icmp host

access-list 101 permit ip any any

int fa0/1

ip access-group 101 in

at least you would then be able to tell if packets are hitting the WAN interface on the remote router.

Jon

LOL! I haven't tried the ACL. I'll do that now and post the results. :-)

Oh, yes, it times out by the way.

--John

HTH, John *** Please rate all useful posts ***

Okay, here are the results:

I do not get a hit on the acl from my workstation to the public interface, but I do get one when I'm trying to hit the private side of 10.5.5.1. I still don't get a login prompt to the inside interface though.

--John

HTH, John *** Please rate all useful posts ***

And when you ping - do you see a hit then ?

Okay so can you apply this acl outbound on the vlan interface your client is connected to

access-list 101 permit tcp any eq 23 host

access-list 101 permit icmp any host

access-list 101 permit ip any any

We should then be able to see if the remote router is returning packets to your client.

Any chance of the config of the remote router?

Also any chance of temporarily disabling radius for router and then trying to telnet ?

Jon
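The two ACLs Jon suggests (inbound on the remote router's WAN interface, then outbound on the client's VLAN interface) are a standard way of using per-entry hit counters as a packet-arrival probe. The example below is added here and is not code from the thread or from Cisco: it models IOS extended ACL first-match semantics with hit counters, parses both of Jon's ACLs, and runs constructed packets through them to show what the counters tell you. The workstation address 192.0.2.10 is an assumption (the thread's ACL lines do not show it), and the packet lists are constructed to match the symptoms John reports. It also shows the caveat that makes the trailing permit ip any any essential: without it the implicit deny drops everything else that crosses the interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords understood by this small parser; numeric ports work too
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple as seen on an interface; proto is 'tcp', 'udp' or 'icmp'."""
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry plus the hit counter that 'show access-lists' displays."""
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.IPv4Address(p.src) in self.src
                and ipaddress.IPv4Address(p.dst) in self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (network, next token index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask after the slash, which is exactly an IOS wildcard
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' following an address (only 'eq' is modelled here)."""
    if i < len(tok) and tok[i] == "eq":
        v = tok[i + 1]
        return (PORT_NAMES[v] if v in PORT_NAMES else int(v)), i + 2
    return None, i


class Acl:
    def __init__(self, entries):
        self.entries = entries
        self.implicit_deny_hits = 0

    @classmethod
    def parse(cls, text: str) -> "Acl":
        entries = []
        for line in text.strip().splitlines():
            tok = line.split()
            if len(tok) < 6 or tok[0] != "access-list":
                continue
            src, i = _parse_addr(tok, 4)
            sport, i = _parse_port(tok, i)
            dst, i = _parse_addr(tok, i)
            dport, _ = _parse_port(tok, i)
            entries.append(Ace(line.strip(), tok[2], tok[3], src, dst, sport, dport))
        return cls(entries)

    def evaluate(self, p: Packet) -> str:
        """First match wins; an unmatched packet falls to the implicit deny at the end."""
        for ace in self.entries:
            if ace.matches(p):
                ace.hits += 1
                return ace.action
        self.implicit_deny_hits += 1
        return "deny"

    def hit_counts(self) -> dict:
        return {ace.text: ace.hits for ace in self.entries}

    def is_transparent(self) -> bool:
        """True when the ACL can drop nothing: only permits, ending in 'permit ip any any'."""
        last = self.entries[-1] if self.entries else None
        return (last is not None and all(a.action == "permit" for a in self.entries)
                and last.proto == "ip" and last.src.prefixlen == 0 and last.dst.prefixlen == 0)


# Constructed scenario; 192.0.2.10 stands in for the workstation (assumed, not in the thread).
WAN_INBOUND_ACL = """
access-list 101 permit tcp host 192.0.2.10 host 10.5.5.1 eq 23
access-list 101 permit icmp host 192.0.2.10 host 10.5.5.1
access-list 101 permit ip any any
"""
CLIENT_OUTBOUND_ACL = """
access-list 101 permit tcp any eq 23 host 192.0.2.10
access-list 101 permit icmp any host 192.0.2.10
access-list 101 permit ip any any
"""


def wan_hit_report() -> dict:
    """Constructed arrivals on fa0/1: workstation telnet SYN and ping to the inside
    address, plus a telnet SYN from the main router (lands on permit ip any any)."""
    acl = Acl.parse(WAN_INBOUND_ACL)
    for p in (Packet("tcp", "192.0.2.10", "10.5.5.1", 51000, 23),
              Packet("icmp", "192.0.2.10", "10.5.5.1"),
              Packet("tcp", "10.10.10.1", "10.5.5.1", 51001, 23)):
        acl.evaluate(p)
    return acl.hit_counts()


def client_hit_report() -> dict:
    """Constructed return traffic: an echo reply comes back but no SYN-ACK from port 23,
    which is the 'ping works, telnet times out' pattern described in the thread."""
    acl = Acl.parse(CLIENT_OUTBOUND_ACL)
    acl.evaluate(Packet("icmp", "10.5.5.1", "192.0.2.10"))
    return acl.hit_counts()


def missing_catch_all() -> tuple:
    """Caveat: without the final 'permit ip any any' the implicit deny drops everything else."""
    acl = Acl.parse("access-list 101 permit tcp host 192.0.2.10 host 10.5.5.1 eq 23")
    verdict = acl.evaluate(Packet("tcp", "10.10.10.1", "10.5.5.1", 51001, 23))
    return verdict, acl.implicit_deny_hits, acl.is_transparent()
```

Reading the two reports together is the point of the exercise: a hit on the WAN-side telnet line with no hit on the client-side port-23 return line means the SYN reached the router's interface but nothing answered it, while no hit at all on the WAN side means the packet is being consumed somewhere in between. Run is_transparent() on any diagnostic ACL before applying it to a production interface.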

Here's the latest:

I ran debugs on the router for radius:

debug radius

I then telnetted to the router from the main router and I started getting hits in the terminal window for radius "Get_User" and "Get_Passwd" etc.

I then closed out of the main router telnet session, and I telnetted from my workstation. There were no hits for radius debugs, which tells me that I'm actually hitting another device somewhere. I'm giving up on this until Friday (I've been told to), but I think I'm 100% confident that this is another device, whether it be a device in between (at the local carrier) or a device elsewhere.

Thanks Jon!

John

HTH, John *** Please rate all useful posts ***

Definitely another device. I shut the interface down, and I could still ping the address. Go figure. Now I just have to find it.

--John

HTH, John *** Please rate all useful posts ***
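An address that still answers pings after its interface is shut down is being answered by some other device, and a quick way to spot that without touching the router is to compare reply TTLs with the hop count traceroute reports. The example below is added here, not from the thread or from any vendor tool: a reply's TTL is the responder's initial TTL minus the hops it travelled, so a reply that has travelled fewer hops than the router is away came from something in front of it. The hop count of 4 and the TTL values are constructed sample data; the initial-TTL guess (64, 128 or 255) is a heuristic that is standard practice but is stated here as an assumption.

```python
# Common initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (IOS and many appliances).
COMMON_INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(reply_ttl: int) -> int:
    """Hops a reply travelled, assuming the smallest common initial TTL not below it.
    The guess only misfires on paths longer than 64 hops, which do not occur in practice."""
    if not 0 < reply_ttl <= 255:
        raise ValueError(f"TTL out of range: {reply_ttl}")
    return min(t for t in COMMON_INITIAL_TTLS if t >= reply_ttl) - reply_ttl


def classify_replies(expected_hops: int, replies: dict) -> dict:
    """replies maps a probe label to the TTL seen in its reply. Returns, per probe,
    the inferred hop count and whether it is short of the router's known distance,
    i.e. whether a device in front of the router produced the answer."""
    result = {}
    for probe, ttl in replies.items():
        hops = hops_from_ttl(ttl)
        result[probe] = {"hops": hops, "short_by": max(expected_hops - hops, 0)}
    return result


# Constructed sample: traceroute from the workstation shows the remote router 4 hops
# away. The echo reply from 10.5.5.1 arrives with TTL 253, i.e. it travelled 2 hops,
# while a control ping to the same address from a host 4 hops away returns TTL 251.
SAMPLE_REPLIES = {"echo reply from 10.5.5.1": 253, "control echo reply": 251}


def sample_verdict() -> dict:
    return classify_replies(4, SAMPLE_REPLIES)
```

A "short_by" of 2 for the echo reply, against 0 for the control, points at the hop two places before the router; a traceroute to the address will usually name it. Shutting the interface, as John did, confirms the finding but is disruptive, whereas the TTL comparison can be done from the workstation alone.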