No SSH/Telnet to Cisco 800 series router

Answered Question
Aug 13th, 2012

Hi,

I have an issue with several 800 series routers.

This router was upgraded to 12.4(24)T7 and it is since this that we have started seeing the issue. It was subsequently downgraded.

router#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)

When I turn on telnet and ssh debugging I see sessions as they arrive on the internal interface, but not externally.

router#sh deb
TCP:
  TCP Packet debugging is on for address x.x.x.x, port number 2222, incoming packets
TELNET:
  Incoming Telnet debugging is on
SSH:
  Incoming SSH debugging is on

As you can see, tcp debugging shows my external connection coming in and I get a TCP reset back. x.x.x.x was my office public IP, y.y.y.y is the customer's router public IP.

Aug 13 11:34:39.957: tcp0: I LISTEN x.x.x.x:62614 y.y.y.y:2222 seq 2937972774
        OPTS 24 SYN  WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to x.x.x.x:62614 from y.y.y.y:2222

It should be listening by the looks of things.

router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
tcp                        *:22                         *:0               SSH-Server   LISTEN
tcp                        *:23                         *:0                   Telnet   LISTEN
tcp                        *:23         192.168.0.240:33329                   Telnet ESTABLIS
tcp                      *:2222                         *:0               SSH-Server   LISTEN
tcp                      *:1723                         *:0                     PPTP   LISTEN
udp                     *:55724                         *:0                  IP SNMP   LISTEN
udp                       *:123                         *:0                      NTP   LISTEN
udp                       *:161                         *:0                  IP SNMP   LISTEN
udp                       *:162                         *:0                  IP SNMP   LISTEN

The IP y.y.y.y is negotiated with IPCP.

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip mtu 1492
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@isp.realm
 ppp chap password 0 xxxxxx

router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     y.0.0.0/32 is subnetted, 1 subnets
C       y.y.y.y is directly connected, Dialer0
     a.a.a.0/32 is subnetted, 1 subnets
C       a.a.a.a is directly connected, Dialer0
C    192.168.0.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 is directly connected, Dialer0

Access list 100 explicitly permits my office subnet, as does access list 23.

line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 rotary 1
 transport input all
 transport output all

And rotary 1 maps to 2222.

I see the same problem with telnet and ssh (on the rotary and port 22) from outside, however inside it works without a hitch. I've tried messing with the login local and access lists to no avail. I suspect that IPCP is significant in this.

'Shaun' in this thread appears to have the exact same issue.

Many thanks to anyone who takes the time to help me with this. If you need any more info please let me know.

Regards,

Tom

Paolo Bevilacqua Mon, 08/13/2012 - 05:10

Post complete config.

Note you don't need ip tcp adjust-mss on dialer. Also not needed: ip access-group and inspect.

tom.salmon Tue, 08/14/2012 - 08:17

Current configuration : 5436 bytes
!
! Last configuration change at 11:11:24 BST Mon Aug 13 2012 by admin
! NVRAM config last updated at 11:01:33 BST Mon Aug 13 2012 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname customer-name
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
clock save interval 24
!
!
dot11 syslog
ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip domain name customer-name.local
ip name-server 192.168.0.100
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
username admin privilege 15 password 0 password
username userb password 0 1
username userc password 0 2
username userd password 0 3
username usere password 0 4
username userf password 0 5
username userg password 0 6
username userh password 0 7
username useri password 0 8
username userj password 0 9
username userk password 0 0
username userl password 0 -
username userm password 0 =
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh port 2222 rotary 1
ip ssh source-interface Dialer0
!
!
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool dialin
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip mtu 1492
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@isp.realm
 ppp chap password 0 password
!
ip local pool dialin 192.168.0.240 192.168.0.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.240 25 y.y.y.y 25 extendable
ip nat inside source static tcp 192.168.0.240 80 y.y.y.y 80 extendable
ip nat inside source static tcp 192.168.0.240 110 y.y.y.y 110 extendable
ip nat inside source static tcp 192.168.0.240 443 y.y.y.y 443 extendable
ip nat inside source static tcp 192.168.0.100 3389 y.y.y.y 3389 extendable
ip nat inside source static tcp 192.168.0.28 3389 y.y.y.y 3390 extendable
ip nat inside source static tcp 192.168.0.33 3389 y.y.y.y 3391 extendable
ip nat inside source static tcp 192.168.0.2 3389 y.y.y.y 3392 extendable
ip nat inside source static tcp 192.168.0.240 3389 y.y.y.y 3395 extendable
!
logging trap debugging
logging origin-id hostname
logging x.x.x.x
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit a.b.c.d 0.0.0.63
access-list 23 permit e.f.g.h 0.0.0.7
access-list 23 permit i.j.k.l 0.0.0.127
access-list 25 permit x.x.x.x 0.0.0.127
access-list 100 permit tcp host x.x.x.1 any eq telnet
access-list 100 permit tcp any host y.y.y.y eq 3390
access-list 100 permit tcp any host y.y.y.y eq 3391
access-list 100 permit tcp any host y.y.y.y eq www
access-list 100 permit tcp any host y.y.y.y eq 443
access-list 100 permit tcp any host y.y.y.y eq smtp
access-list 100 permit tcp any host y.y.y.y eq pop3
access-list 100 permit tcp any host y.y.y.y eq 1723
access-list 100 permit gre any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host y.y.y.y echo-reply
access-list 100 permit icmp any host y.y.y.y time-exceeded
access-list 100 permit icmp any host y.y.y.y unreachable
access-list 100 permit ip e.f.g.h 0.0.0.7 any
access-list 100 permit ip a.b.c.d 0.0.0.63 any
access-list 100 permit udp any host y.y.y.y eq ntp
access-list 100 permit ip e.f.g.1 0.0.0.7 any
access-list 100 permit ip x.x.x.x 0.0.0.127 any
access-list 100 deny   ip any any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
snmp-server community public RO 25
snmp-server ifindex persist
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 rotary 1
 transport input all
 transport output all
!
scheduler max-task-time 5000
ntp server 192.43.244.18
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Thanks Paolo,

Hope this helps.

Regards,

Tom

tom.salmon Wed, 08/15/2012 - 05:01

I have tried that and it doesn't resolve the issue. We need the access list on the dialer as we wish to restrict access to some devices to certain subnets. Our subnet has an allow rule in the access list and this definitely works.

I have also tried removing list 23 from the vty but, again, this has had no impact on the issue.

Paolo Bevilacqua Wed, 08/15/2012 - 13:34

Just to clarify, even if that does not resolve it, consider that when you have NAT, it's impossible for external packets to come in unless a translation had been created from inside. That is why the ACL is not needed.

Anyway, another cause can be the rotary statement, try removing it.

tom.salmon Thu, 08/16/2012 - 02:46

Hi Paolo,

My concern is due to the static NAT translations which port forward to servers. In particular, I have seen brute force attacks on Microsoft remote desktop which is why I firewall these to only permit trusted subnets.

I've tried removing the rotary but this has made no improvement. It was only added during the troubleshooting process.

Thanks for your patience.

Regards,

Tom

jpvh12345 Sun, 08/19/2012 - 15:34

Have you tried taking the access-class off the vtys?

Sent from Cisco Technical Support iPad App

owaisberg Mon, 08/20/2012 - 19:46

Hi Tom,

Seems like an IOS issue because I have the same problem on a c1841 after I did an upgrade from my c1751, where the same config worked perfectly. As soon as I went to the c1841 I get this problem, and again... the config is virtually identical. I'll keep digging and let you know if I find the fix.

Thanks again,

Oleg

tom.salmon Tue, 08/21/2012 - 01:09

Hi Oleg,

Do you get an IP by IPCP? I can't test with a static IP on my dialer as the router is on a customer site and I can't cause disruption. I'm going to get out a spare 877 and try the config on that. If it exhibits the same issue I'll try using a static IP and see if that helps.

Regards,

Tom

Correct Answer
owaisberg Tue, 08/21/2012 - 07:09

Hi Tom.

I have a setup identical to yours. All the same, just no ip inspect on my routers.

Anyway, I did a workaround for that issue which works just fine. You can try that and let me know. The idea is to create a loopback interface on the router and then build a static NAT entry from the public address to the loopback address. I did that for SSH and it works like a charm.

Let me know if that helps.

Thanks again,

Oleg
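Oleg's loopback-plus-static-NAT workaround written out as IOS configuration, as an added example that is not his or Tom's own config. It assumes Tom's existing setup (SSH on rotary 1 listening on 2222, the negotiated address on Dialer0, ACL 100 inbound on Dialer0); the loopback address 10.255.255.1 is a placeholder chosen for this example.

```cisco
! Added example (not the thread's own config): Oleg's workaround as IOS CLI.
! 10.255.255.1/32 is a placeholder loopback address chosen for this example.
!
! 1. Give the router a local address that is NOT the IPCP-negotiated one.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
! 2. Translate inbound <Dialer0 address>:2222 to the loopback. Referencing
!    "interface Dialer0" rather than a literal y.y.y.y survives re-negotiation.
!    The SSH server bound to rotary 1 already listens on *:2222, so the
!    translated packet is accepted locally instead of being answered with RST.
ip nat inside source static tcp 10.255.255.1 2222 interface Dialer0 2222
!
! 3. Keep the source restriction. ACL 100 is evaluated on Dialer0 before the
!    outside-to-inside translation, so it sees destination y.y.y.y; Tom's
!    existing entry for the trusted office subnet already covers this:
!      access-list 100 permit ip x.x.x.x 0.0.0.127 any
!    access-class 23 on the vty lines still filters by source address.
!
! 4. Checks after applying (command shape only, no output is reproduced here):
!    show ip nat translations | include 2222
!    show control-plane host open-ports
```

Telnet on port 23 would need its own static entry to the loopback; port 22 is not translated here because the SSH listener was moved to 2222 by the rotary.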

Richard Burts Wed, 08/22/2012 - 21:58

I have seen this problem before. When you specify NAT with an extended access list which includes permit any it impacts remote access. The solution is simple. Since your access list is only specifying the source address and permit destination any then you can easily rewrite it as a standard access list. I suggest that you rewrite access list 102 as access list 2 specifying the same source network and then use it in your NAT configuration.

HTH

Rick

Sent from Cisco Technical Support iPad App

owaisberg Wed, 08/22/2012 - 22:09

Rick,

Thanks for your reply. In fact I did try to play with the ACLs, flipping them to standard, and it had no effect: Telnet and SSH were still treated the same, with a TCP RST sent back to the initiator. As I mentioned, the workaround I implemented provides what I needed, so I can think of that case as closed. Not sure about Tom, if he tried that or not or found another solution.

Thanks again,

Oleg

tom.salmon Tue, 09/04/2012 - 02:03

Oleg,

I have tried your workaround in two locations and in both cases it has worked.

Hopefully Cisco will actually fix this bug in the next version of 12.4(24)T.

Thanks for your help!

Regards,

Tom

Paolo Bevilacqua Mon, 10/22/2012 - 04:27

It is not a bug, it's unlikely to be ever 'fixed', and IOS 12.4 is not developed anymore.

converged Thu, 05/21/2015 - 01:48

We think this is a bug, and would like to see a bug ID so we can then check for sure which IOS releases are and are not affected.

We think it is a bug as it behaves differently in different IOS versions.

After an IOS upgrade, you find yourself unable to telnet to the router.

We think we have seen it with:

c870-advipservicesk9-mz.124-24.T4.bin

and:

c180x-advipservicesk9-mz.150-1.M7.bin

Because we're seeing it in IOS 15, the fact that IOS 12.4 is end of life doesn't matter...

Neil

francisgamo Mon, 10/22/2012 - 07:15

Hello,

ip ssh port 2222 rotary 1

I think this is the reason why you cannot telnet/ssh to your router.

regards,

Francis

francisgamo Mon, 10/22/2012 - 01:27

Thanks for this post, it helps me a lot; it fixed my problem. I used extended NAT so that I could access my router through remote. Thanks again.
