Cisco 857: Telnet session hang/terminate after one minute

Unanswered Question
Apr 29th, 2010

Hello,

We have a problem with a newly installed Cisco 857w. The router is used to connect to a remote telnet server over a VPN which is not terminated at the 857. The setup looks like this:


Client Network 2 (192.168.205.0) < - > Client network (192.168.16.0/24)  <-Ethernet-> Cisco 857 (172.99.89.163) <-Ethernet-> (172.99.89.161) Cisco 801? <-VPN over SDSL -> Telnet Server

The relevant part of the network is formatted bold.

The system worked fine until we replaced an existing router with the Cisco 857. Now people connecting to the Telnet server can do so fine, but when the connection becomes idle for approx. 1 min, the Telnet session hangs/gets disconnected. Users need to kill the Telnet client and need to reconnect.

I would appreciate any help.

Thank you and best regards

Sascha

This is the configuration:

yourname#term len 0
yourname#show run
Building configuration...

Current configuration : 6267 bytes
!
! Last configuration change at 12:08:16 Berlin Thu Apr 29 2010 by Celes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3796786635
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3796786635
revocation-check none
rsakeypair TP-self-signed-3796786635
!
!
crypto pki certificate chain TP-self-signed-3796786635
certificate self-signed 01
   quit
dot11 syslog
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
username USERNAME privilege 15 secret 5 PASSWORD
!
!
!
archive
log config
  hidekeys
!
!
!
class-map match-all telnet
description telnet
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 172.99.89.163 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
timeout absolute 60 0
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.16.238 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.99.89.161 5
ip route 192.168.205.0 255.255.255.0 192.168.16.5 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation udp-timeout 3600
ip nat translation dns-timeout 3600
ip nat translation icmp-timeout 3600
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.233 515 interface FastEthernet4 515
ip nat inside source static tcp 192.168.16.233 9100 interface FastEthernet4 9100
ip nat inside source list DataCenterAccess interface FastEthernet4 overload
ip nat inside source static 192.168.205.16 172.99.89.163
ip nat outside source static 172.28.99.163 192.168.205.16
!
ip access-list extended DataCenter
remark CCP_ACL Category=128
permit ip 192.168.205.0 0.0.0.255 any
ip access-list extended DataCenterAccess
remark CCP_ACL Category=2
permit ip 192.168.205.0 0.0.0.255 any
!
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
no cdp run

!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------


-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 207.46.232.182 prefer source Vlan1
end

sascha.stops Tue, 05/04/2010 - 04:09

Thank you for your replies (the same problem with SA520 and 857w).

I am focusing on the 857w now, so I reply here because neither solution worked.

The solution you posted in the SA520 thread was already set to 1800.

The solution in this thread did not work because it was unable to find the commands.

However, correct me if I am wrong, this solution is when I connect to the Cisco router using telnet. However, this is not causing any problems at all. My problem is when I try to connect to a telnet server beyond the 857w.

Any additional ideas would be much appreciated.

Regards

Sascha

Where does the 857 router come into play?

It sounds from your reply like you're trying to establish a telnet session from a point before to a point after the router, i.e. from your workstation to a server.

Why do you believe that the problem is from the 857?

Enable logging on your client and see what error you get.  You can also do a packet sniffer, but you're just trying to find out where the problem actually exists.

The router doesn't treat the telnet traffic it is passing thru any differently than it would other traffic.  So unless you're starting or terminating the telnet session from the 857, the router is likely not the source.  If it was, then you would see other traffic issues, and those will show up on the packet sniffer.  It is more likely that a problem with the client or server exists.
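
One way to read the capture suggested in the reply above, as an added example that is not part of the original thread: it parses `tcpdump -tt -n` text, finds the longest idle gap, and reports which side ended the session afterwards. The sample lines are constructed; the client address is taken from the 192.168.16.0/24 LAN on the page and the server address 192.0.2.23 is a placeholder.

```python
import re

# Constructed `tcpdump -tt -n` lines (not from the thread): client in the
# page's 192.168.16.0/24 LAN, Telnet server at a documentation address.
SAMPLE = """\
1272967200.000000 IP 192.168.16.50.51000 > 192.0.2.23.23: Flags [P.], seq 1:9, ack 1, win 512, length 8
1272967200.040000 IP 192.0.2.23.23 > 192.168.16.50.51000: Flags [P.], seq 1:30, ack 9, win 512, length 29
1272967200.041000 IP 192.168.16.50.51000 > 192.0.2.23.23: Flags [.], ack 30, win 512, length 0
1272967275.000000 IP 192.168.16.50.51000 > 192.0.2.23.23: Flags [P.], seq 9:10, ack 30, win 512, length 1
1272967275.300000 IP 192.168.16.50.51000 > 192.0.2.23.23: Flags [P.], seq 9:10, ack 30, win 512, length 1
1272967275.900000 IP 192.168.16.50.51000 > 192.0.2.23.23: Flags [P.], seq 9:10, ack 30, win 512, length 1
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(text):
    """Yield (timestamp, src_ip, dst_ip, flags) for each TCP line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield float(m.group(1)), m.group(2), m.group(4), m.group(6)

def diagnose(text, idle_threshold=30.0):
    """Report the longest idle gap and how the session ended after it."""
    pkts = list(parse(text))
    result = {"idle_gap": 0.0, "ending": "no idle gap over threshold"}
    if len(pkts) < 2:
        return result
    gaps = [(b[0] - a[0], i + 1) for i, (a, b) in enumerate(zip(pkts, pkts[1:]))]
    gap, idx = max(gaps)
    result["idle_gap"] = round(gap, 3)
    if gap < idle_threshold:
        return result
    after = pkts[idx:]  # everything from the first packet after the idle gap
    for _, src, _, flags in after:
        if "R" in flags:
            result["ending"] = f"reset sent by {src}"
            return result
        if "F" in flags:
            result["ending"] = f"orderly close (FIN) by {src}"
            return result
    senders = {src for _, src, _, _ in after}
    if len(senders) == 1:
        # Only one side is talking (retransmitting): nothing answers it.
        result["ending"] = f"no reply to {senders.pop()} after idle"
    else:
        result["ending"] = "session still alive after idle"
    return result
```

Running the same check on captures taken on the LAN side and on the WAN side of the router shows whether the packets sent after the idle period reach the far side at all.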

sascha.stops Tue, 05/04/2010 - 05:22

Originally there was an ISA Server acting as the firewall/router, which we replaced originally with the SA520 and then with the Cisco 857, and that's where the problem started. Before that, users never complained about the connection dropping / session hang. That's why we were looking at the Ciscos for the cause.

I will try diagnosing with a packet sniffer, though the problem is that there is no other traffic for comparison. This line is solely used for Telnet.

Regards

Sascha

ISA doesn't quite equal Router.  Depending on the previous ISA configuration several problems could exist.

The first step is to identify the error generated when traffic drops.  I suspect you will get either A) session dropped or B) terminated session.

When you removed the ISA server you also should have removed any authentication traps on the server, i.e. if the ISA server was authenticating by passing a token with your session, it could be a problem when you fail to provide this token.

Good luck with the logging and packet sniffing.

(edit)

Another ISA issue is that your session generates a request to ISA, but since ISA is no longer around to verify your access, the session is terminated.

sascha.stops Thu, 05/06/2010 - 11:47

Hello,

I am not much closer, but looking through the counters and logs in the Cisco I noticed a few thousand "Unknown protocol drops".

Another thing came to my mind after your comments regarding Windows Router/ISA Server vs. Cisco. Is it possible that there is an incompatibility on a very low layer between the Cisco 857 and the Procurve 3500yl? In the previous configuration there was nowhere a Cisco connected with a Procurve. Instead there was the server in between.

Regards

Sascha
