
3550 telnet issue

ashley_dew
Level 1

Hi,

I have an issue with a Cisco Catalyst 3550 and some Cisco Catalyst 2950.

I have a DMZ station behind an ASA 5510 from which I am telnetting to the switches.

Sometimes I get telnet access, sometimes it does not work. I can ping the latter and get SNMP data from these switches; it's just the telnet that is on and off.

I can access normally other switches 2960 and 3560G without any problem.

The switches are also synchronised via NTP with the DMZ station.

Outside the DMZ, in the LAN, I can access by telnet without problem.

I can also connect with those switches via the 2960 and 3560G by telnetting in privilege mode.

In the ASA, it can only see SYN timeout.

The IOS version is 12.1(22)ea4

There is no routing issue.

The 3550 is configured with multiple VLANs and IP routing.

1 Reply

wong34539
Level 6

It is possible to see an ACK after a SYN, and it happens if the client and server were in a conversation and the client crashed. After reboot, if it initiates a connection on the same 5-tuple, the server will reply with an ACK since its connection is in the established state. When we see this ACK we cache the ACK/SEQ numbers, and if we see a reset from the client matching the ACK/SEQ we will remove the connection.

But it looks like in this case the server sent a SYN-ACK and we updated the SEQ/ACK from that packet, so the RST was no longer matching. We must be dropping the SYN-ACK from the server after an ACK. If you agree, please open a DDTS with component tcp-norm.
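
The sequence described in the reply above, replayed against a toy model of a firewall connection entry. This is an added example, not part of the original post and not ASA code; the `ConnEntry` class, the `drop_synack_after_ack` switch and all sequence numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    kind: str      # "SYN", "ACK", "SYN-ACK" or "RST"
    seq: int
    ack: int = 0


class ConnEntry:
    """Toy per-5-tuple firewall state; an assumed model, not ASA internals."""

    def __init__(self, drop_synack_after_ack: bool):
        self.drop_synack_after_ack = drop_synack_after_ack
        self.cached_ack: Optional[int] = None   # ACK number seen from the server
        self.removed = False

    def from_server(self, seg: Segment) -> None:
        if seg.kind == "ACK":
            self.cached_ack = seg.ack            # server still holds the old session
        elif seg.kind == "SYN-ACK" and self.cached_ack is not None:
            if not self.drop_synack_after_ack:
                self.cached_ack = seg.ack        # overwrite: the behaviour the reply suspects

    def from_client(self, seg: Segment) -> None:
        # RFC 793: a RST answering an unacceptable ACK carries SEQ = that segment's ACK number.
        if seg.kind == "RST" and seg.seq == self.cached_ack:
            self.removed = True


def replay(drop_synack_after_ack: bool) -> bool:
    """Replay constructed segments; return True if the stale entry is removed."""
    entry = ConnEntry(drop_synack_after_ack)
    entry.from_client(Segment("SYN", seq=1000))              # rebooted client, same 5-tuple
    entry.from_server(Segment("ACK", seq=5000, ack=900))     # reply from the old session
    entry.from_server(Segment("SYN-ACK", seq=7000, ack=1001))
    entry.from_client(Segment("RST", seq=900))               # client resets the stale ACK
    return entry.removed


if __name__ == "__main__":
    for drop in (False, True):
        print(f"drop SYN-ACK after ACK={drop}: stale entry removed={replay(drop)}")
```

When the cached value is overwritten by the SYN-ACK, the client's RST no longer matches and the stale entry stays in place, which is consistent with repeated SYN timeouts on that 5-tuple.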
