Before to place my Qs on this

Eduardo Guerra · ‎07-04-2014

Dear sirs, yesterday i tried to login via telnet to a router 892 and router rejected connection. A few days ago i could login normally. As i remember i didn't anything in the conf. Please need some help. Also i detected some strange ICMP traffic,logged by console port. Here's the conf and below conf, some debug for ICMP

Config:

Building configuration...

Current configuration : 4563 bytes

!

! Last configuration change at 23:54:26 UTC Thu Jul 3 2014

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname RouterHQFCH

!

boot-start-marker

boot system flash:c800-universalk9-mz.SPA.153-3.M.bin

boot-end-marker

!

aqm-register-fnf

!

enable secret 4 82aZraQKBdT4NJ8KLNGZbJYw4qrCbDIsgF9OWdYlnRg

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-1580540949

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1580540949

revocation-check none

rsakeypair TP-self-signed-1580540949

!

crypto pki certificate chain TP-self-signed-1580540949

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 31353830 35343039 3439301E 170D3134 30343134 31393433

30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383035

34303934 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100BC61 7D5F7F47 65203EC9 1207B83F 19EC7AC3 00404F99 A89FD64B 1F0F659F

E99062C2 3BB1E517 075BAF59 D361FFC9 4F872A14 A7528061 CF936F40 D03F234B

5641147F D2B4AB7D 9E10F36A 087F511B F68ABC6E 98F96C74 8EF5084B F490D91B

0EC05671 D8C5B7DD EE8F48C2 CD76F7C9 B8405DD6 42375B3C 8D04FDEF 555D0FA0

0FDF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14FCB587 54EE2C1B 2B6DB648 A6FC0ECF 85062C8F 6A301D06

03551D0E 04160414 FCB58754 EE2C1B2B 6DB648A6 FC0ECF85 062C8F6A 300D0609

2A864886 F70D0101 05050003 81810033 A196E361 A273E890 146EF605 D7AB9235

52BA28F8 A526D8AE CD903257 E4E81C76 C85FBCD4 201DFF90 11FB1617 9210037E

B66299B3 FB2173D2 AFEC9B52 D2221BEA 9B8CC180 BE36F3AB D5811F9F 401043B0

4BDA8647 897D8FE7 6D753C4F 3C76A493 2C260C22 24E966EB BEE54A2A 51D58F21

23080B9D 9C5FD690 62C6B0C9 30C3AA

quit

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

license udi pid C892FSP-K9 sn FTX180484TB

!

username SERVICIOS privilege 15 password 7 123806471C0F5D077B7B2A29376562

username EGUERRA privilege 15 password 7 0025571655495A085C354D

username ADMINISTRADOR privilege 15 password 7 012056140B19125C22644F1F1C1F

!

interface GigabitEthernet0

no ip address

!

interface GigabitEthernet1

switchport access vlan 2

no ip address

!

interface GigabitEthernet2

no ip address

!

interface GigabitEthernet3

no ip address

!

interface GigabitEthernet4

no ip address

!

interface GigabitEthernet5

no ip address

!

interface GigabitEthernet6

no ip address

!

interface GigabitEthernet7

no ip address

!

interface GigabitEthernet8

ip address 172.16.1.1 255.255.255.0

duplex auto

speed auto

!

interface GigabitEthernet9

ip address 172.16.2.1 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

ip address 192.168.2.2 255.255.255.0

!

interface Vlan2

ip address 192.168.100.200 255.255.255.0

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip route 172.16.31.0 255.255.255.0 192.168.2.1

ip route 192.168.0.0 255.255.255.0 192.168.2.1

ip route 192.168.20.0 255.255.255.0 172.16.1.25

ip route 192.168.21.0 255.255.255.0 172.16.1.22

ip route 192.168.28.0 255.255.255.0 172.16.1.18

ip route 192.168.30.0 255.255.255.0 172.16.1.19

ip route 192.168.33.0 255.255.255.0 172.16.1.20

ip route 192.168.37.0 255.255.255.0 172.16.1.23

ip route 192.168.43.0 255.255.255.0 172.16.1.24

ip route 192.168.44.0 255.255.255.0 172.16.1.26

ip route 192.168.45.0 255.255.255.0 172.16.1.21

ip route 193.168.1.0 255.255.255.0 192.168.2.1

!

access-list 101 permit ip any any

access-list 109 permit ip 192.168.44.0 0.0.0.255 193.168.1.0 0.0.0.255

access-list 110 permit udp any any range 5000 6000

access-list 111 permit tcp any range 1 65535 any range 1 65535

access-list 111 permit udp any range 1 65535 any range 1 65535

access-list 111 deny udp any range bootps bootpc any range bootps bootpc

access-list 199 permit ip host 192.168.100.22 host 192.168.2.1

!

control-plane

!

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

line con 0

password 7 0227070B05025E221D1E07180147

login

no modem enable

line aux 0

line vty 0 4

password 7 096D4D59170146115A5C0A2B2F74

login local

transport input all

!

scheduler allocate 20000 1000

!

end

RouterHQFCH#

Debug:

*Jul 3 23:49:03.760: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.19, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:03.760: ICMP: dst (172.16.1.1) port unreachable sent to 172.16.1.1

9

*Jul 3 23:49:04.256: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.20, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:04.616: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.26, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:04.616: ICMP: dst (172.16.1.1) port unreachable sent to 172.16.1.2

6

*Jul 3 23:49:04.776: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.19, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:05.272: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.20, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:05.272: ICMP: dst (172.16.1.1) port unreachable sent to 172.16.1.2

0

*Jul 3 23:49:05.616: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.26, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:05.796: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.19, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:05.796: ICMP: dst (172.16.1.1) port unreachable sent to 172.16.1.1

9

*Jul 3 23:49:06.292: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.20, to

pology BASE, dscp 0 topoid 0

*Jul 3 23:49:06.420: ICMP: dst (81.19.104.24) host unreachable sent to 172.16.1

.26

Thanks in advance

SANTHOSHKUMAR SARAVANAN · ‎07-04-2014

Hi ,

Which IP address you are using to do telnet for your router ??

HTH

Sandy

Eduardo Guerra · ‎07-04-2014

I tried from the following networks 192.168.0.0, 192.168.2.0, 172.16.1.0. No one can login. A few days before i could login from any of this Subnets

SANTHOSHKUMAR SARAVANAN · ‎07-04-2014

Hi ,

on router you have multiple interface , for which IP address (router IP address) you are trying to do telnet .

Share me following output

show ip interface brief

show ip route

interface GigabitEthernet9

ip address 172.16.2.1 255.255.255.0

interface Vlan1

ip address 192.168.2.2 255.255.255.0

!

interface Vlan2

ip address 192.168.100.200 255.255.255.0

HTH

Sandy

Eduardo Guerra · ‎07-04-2014

Marvin, I want to login via telnet from 192.168.0.0, 192.168.2.0, and 172.16.1.0. Here are the outputs:

RouterHQFCH#show ip interface brief
Interface IP-Address OK? Method Status Prot
ocol
GigabitEthernet0 unassigned YES unset up up

GigabitEthernet1 unassigned YES unset down down

GigabitEthernet2 unassigned YES unset down down

GigabitEthernet3 unassigned YES unset down down

GigabitEthernet4 unassigned YES unset down down

GigabitEthernet5 unassigned YES unset down down

GigabitEthernet6 unassigned YES unset down down

GigabitEthernet7 unassigned YES unset down down

GigabitEthernet8 172.16.1.1 YES manual up up

GigabitEthernet9 172.16.2.1 YES manual down down

Vlan1 192.168.2.2 YES NVRAM up up

Vlan2 192.168.100.200 YES NVRAM down down

RouterHQFCH#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.0/24 is directly connected, GigabitEthernet8
L 172.16.1.1/32 is directly connected, GigabitEthernet8
S 172.16.31.0/24 [1/0] via 192.168.2.1
S 192.168.0.0/24 [1/0] via 192.168.2.1
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan1
L 192.168.2.2/32 is directly connected, Vlan1
S 192.168.20.0/24 [1/0] via 172.16.1.25
S 192.168.21.0/24 [1/0] via 172.16.1.22
S 192.168.22.0/24 [1/0] via 172.16.1.13
S 192.168.25.0/24 [1/0] via 172.16.1.16
S 192.168.28.0/24 [1/0] via 172.16.1.18
S 192.168.29.0/24 [1/0] via 172.16.1.14
S 192.168.30.0/24 [1/0] via 172.16.1.19
S 192.168.31.0/24 [1/0] via 172.16.1.17
S 192.168.32.0/24 [1/0] via 172.16.1.12
S 192.168.33.0/24 [1/0] via 172.16.1.20
S 192.168.37.0/24 [1/0] via 172.16.1.23
S 192.168.39.0/24 [1/0] via 172.16.1.15
S 192.168.40.0/24 [1/0] via 172.16.1.11
S 192.168.43.0/24 [1/0] via 172.16.1.24
S 192.168.44.0/24 [1/0] via 172.16.1.26
S 192.168.45.0/24 [1/0] via 172.16.1.21
S 193.168.1.0/24 [1/0] via 192.168.2.1
RouterHQFCH#

SANTHOSHKUMAR SARAVANAN · ‎07-04-2014

Hi ,

I am suspecting you try to telnet on router interface which presently down 172.16.2.1 & 192.168.100.200

Telnet to router IP 172.16.1.1 & 192.168.2.2 from your LAN network 172.16.1.0/24 & from 192.168.2.0/24 . Try to ping router IP address from LAN segment to check you have proper network connectivity .

GigabitEthernet8 172.16.1.1 YES manual up up

Vlan1 192.168.2.2 YES NVRAM up up

HTH

Sandy

Eduardo Guerra · ‎07-04-2014

You are wrong, I am trying to connect to up interfaces. Look at this screenshot. My computer is connected to subnet 192.168.0.0

SANTHOSHKUMAR SARAVANAN · ‎07-04-2014

Hi ,

share me ipconfig/all from your PC

Try to telnet to IP Address 172.16.1.1 .

For 192.168.2.0 network reachability is via gigethernet 0 . How is your router and PC is connected , share me diagram if you have any

HTH

sandy

Eduardo Guerra · ‎07-04-2014

Before to place my Qs on this forum i tried to connect to that subnet also

hkkalra · ‎07-04-2014

Hi,

From the Looks of it your PC is using IP address of 192.168.0.57 with a default gateway of 192.168.0.2. And I believe 192.168.0.2 is the same device which has the IP address of 192.168.2.1. So what is this device. As your router is pointing the route for 192.168.0.0/24 towards 192.168.2.1 and make sure this device is forwarding the traffic correctly.

From your Config

**ip route 192.168.0.0 255.255.255.0 192.168.2.1**

Could be an issue on that device (192.168.2.1)

Regards,

HK

Emmanuel Valdez · ‎07-04-2014

Hi,

You have to check device 192.168.2.1 who knows the network 192.168.0.0/24, from your screenshot I could see that you have reachabitity to 192.168.2.2 but you can access by telnet so:

- Check the line vty availability, maybe all the session are not clear.

- Check duplicate IP Address, maybe there is a network device with the same IP Address.

Also maybe you can have a spoofing problem.

Regards.

Cannot log via telnet on a cisco 892