Cannot telnet to router - router not generating syn-ack

Unanswered Question
Jul 23rd, 2009

Hi,

I am telnetting to a router behind a Checkpoint firewall from our management server. I can ping the management IP address 192.168.247.101 from the management server, and I can also do an SNMP walk successfully. However, when I try telnet I do not get a reply. I can see the initial request hitting the router, but the router does not generate a SYN-ACK back to the management server.

The management server is 19.46.240.66 and the router's source IP is 192.168.247.101. I do have another router that sits on the same LAN and I can telnet between them, so there is not a problem with the local telnet process.


What else could be wrong here?


Regards

Mary





maryodriscoll Thu, 07/23/2009 - 06:59

TestRtr#debug ip packet 161 detail
IP packet debugging is on (detailed) for access list 161
TestRtr#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Telnet port - syn, rtr not sending syn ack back>>>>
*Jul 23 13:56:30.584: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 13:56:30.584: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:30.588: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
*Jul 23 13:56:33.944: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 13:56:33.944: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:33.944: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
*Jul 23 13:56:40.696: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 13:56:40.696: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:40.696: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
TestRtr#
TestRtr#

TestRtr#sh access-list 161
Extended IP access list 161
10 permit tcp host 19.46.240.66 host 192.168.247.101 eq telnet (14 matches)
20 permit udp host 19.46.240.66 host 192.168.247.101 eq snmp (216 matches)
30 permit udp host 192.168.247.101 eq snmp host 19.46.240.66 (216 matches)
40 permit tcp host 192.168.247.101 eq telnet host 19.46.240.66
TestRtr#


*************************************************************************************************************

TestRtr#sh access-list 161
Extended IP access list 161
10 permit tcp host 19.46.240.66 host 192.168.247.101 eq telnet (14 matches)
20 permit udp host 19.46.240.66 host 192.168.247.101 eq snmp (376 matches)
30 permit udp host 192.168.247.101 eq snmp host 19.46.240.66 (376 matches)
40 permit tcp host 192.168.247.101 eq telnet host 19.46.240.66
TestRtr#


TestRtr# <<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>


*Jul 23 14:02:35.220: %CLEAR-5-COUNTERS: Clear counter on all interfaces by vty0 (192.168.134.5)
*Jul 23 14:02:43.552: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 14:02:43.552: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 64, rcvd 4
*Jul 23 14:02:43.552: UDP src=37664, dst=161
*Jul 23 14:02:43.552: IP: tableid=0, s=192.168.247.101 (local), d=19.46.240.66 (FastEthernet0/0), routed via FIB
*Jul 23 14:02:43.552: IP: s=192.168.247.101 (local), d=19.46.240.66 (FastEthernet0/0), len 332, sending
*Jul 23 14:02:43.552: UDP src=161, dst=37664
*Jul 23 14:02:43.632: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 14:02:43.632: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 71, rcvd 4
*Jul 23 14:02:43.632: UDP src=37664, dst=161
*Jul 23 14:02:43.632: IP: tableid=0, s=192.168.247.101 (local), d=19.46.240.66 (FastEthernet0/0), routed via FIB
*Jul 23 14:02:43.632: IP: s=192.168.247.101 (local), d=19.46.240.66 (FastEthernet0/0), len 80, sending
*Jul 23 14:02:43.632: UDP src=161, dst=37664
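
A check over the debug output in the post above, as an added example that is not part of the original thread: it pairs each `rcvd` packet in `debug ip packet ... detail` output with any `sending` reply and lists the flows the router never answered, counting repeated TCP sequence numbers as retransmits. The sample lines are constructed from the post's output, and the function name `unanswered_flows` is an assumption of this example.

```python
import re

# Constructed sample, reduced from the "debug ip packet 161 detail" output in the post.
SAMPLE = """\
*Jul 23 13:56:30.584: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:30.588: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
*Jul 23 13:56:33.944: IP: tableid=0, s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101 (Loopback0), routed via RIB
*Jul 23 13:56:33.944: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:33.944: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
*Jul 23 13:56:40.696: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 48, rcvd 4
*Jul 23 13:56:40.696: TCP src=40880, dst=23, seq=1187563472, ack=0, win=24820 SYN
*Jul 23 14:02:43.552: IP: s=19.46.240.66 (FastEthernet0/0), d=192.168.247.101, len 64, rcvd 4
*Jul 23 14:02:43.552: UDP src=37664, dst=161
*Jul 23 14:02:43.552: IP: s=192.168.247.101 (local), d=19.46.240.66 (FastEthernet0/0), len 332, sending
*Jul 23 14:02:43.552: UDP src=161, dst=37664
"""

IP_RE = re.compile(r"IP: s=([\d.]+) \([^)]*\), d=([\d.]+)(?: \([^)]*\))?, len \d+, (rcvd|sending)")
L4_RE = re.compile(r"(TCP|UDP) src=(\d+), dst=(\d+)(?:, seq=(\d+))?")

def unanswered_flows(debug_text):
    """Return flows the router received but never answered, with retransmit counts."""
    flows, pending = {}, None
    for line in debug_text.splitlines():
        ip = IP_RE.search(line)
        if ip:                      # header line: remember addresses and direction
            pending = ip.groups()
            continue
        l4 = L4_RE.search(line)
        if not (l4 and pending):    # "tableid" routing lines and blanks are skipped
            continue
        (src, dst, direction), pending = pending, None
        proto, sport, dport, seq = l4.groups()
        inbound = direction == "rcvd"
        a, b = (src, int(sport)), (dst, int(dport))
        key = (proto, *a, *b) if inbound else (proto, *b, *a)  # remote side first
        f = flows.setdefault(key, {"in": 0, "out": 0, "seqs": set()})
        f["in" if inbound else "out"] += 1
        if inbound and seq:
            f["seqs"].add(seq)      # a repeated seq on a SYN means a retransmit
    return [
        {"flow": k, "received": f["in"],
         "retransmits": f["in"] - len(f["seqs"]) if f["seqs"] else 0}
        for k, f in flows.items() if f["in"] and not f["out"]
    ]

if __name__ == "__main__":
    for row in unanswered_flows(SAMPLE):
        print(row)
```

On the sample, only the telnet flow is reported (three SYNs with the same sequence number and no packet sent back), while the SNMP exchange is paired with its reply and omitted.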


yagnesh_tel Thu, 07/23/2009 - 07:52

Is there any ACL on vty line?

maryodriscoll Thu, 07/23/2009 - 08:16

No, no acl whatsoever....

line vty 0 4
 exec-timeout 15 0
 timeout login response 15
 password 7 06015C351C480F1B0C
 absolute-timeout 300
 no login
 transport input all
line vty 5 15
 exec-timeout 15 0
 timeout login response 15
 password 7 06015C351C480F1B0C
 absolute-timeout 300
 no login
 transport input all


yagnesh_tel Fri, 07/24/2009 - 09:50

The only thing I can think of for this behaviour is unavailability of a vty line.

Could you check this using the 'sh users' command?

maryodriscoll Sat, 07/25/2009 - 01:21

Hi

See below. I don't think it's that, though, as I can telnet over the LAN from another router. It's just from 19.46.240.66 that the requests get rejected - no ACLs or anything. Router not generating a response to the SYN from the management server?


Any other ideas before I open up a TAC call?


Test_Router#sh users
    Line       User       Host(s)              Idle       Location
*322 vty 0                idle                 00:00:00   192.168.134.5

  Interface    User       Mode                 Idle       Peer Address


