Cisco Support Community

New Member

TELNET NOT WORKING OVER VPN

Morning

  I have a Cisco 887 which is set up with split tunneling, a VPN for remote management and an internal DHCP LAN for general web browsing. My problem is that I can't get telnet to work over the VPN. SSH access works fine but I need to be able to telnet to the device and devices behind the router. When I debug TCP packets I get the following output:

000457: OCT 19 11:34:57 GMT0BST: TCP0: bad segment from 10.xx.xx.xxx --IDB not up:port 23 seq 1538323348 ack 0 rcvnxt 0 rcvnxt 0 rcvwnd 4128 len 0

Does anyone have any knowledge of this error, or can anyone point me in the direction to look?

Cheers

6 REPLIES

Re: TELNET NOT WORKING OVER VPN

Hi,

The crypto traffic is defined as IP traffic so either SSH or telnet are permitted since both run on top of TCP.

Do you have any VPN filters or ACLs in place that might be blocking telnet through the tunnel?

Federico.

Hall of Fame Super Silver

Re: TELNET NOT WORKING OVER VPN

Hello Steve,

In order to get better help, post the configuration of the C887; just remove user/passwords and change public addresses for your safety.

Hope to help

Giuseppe

New Member

Re: TELNET NOT WORKING OVER VPN

I have attached a config. We do have access lists on the VTY but they permit our private addresses as per our other VPN routers...

Re: TELNET NOT WORKING OVER VPN

Steve, a question:

Can you telnet to the router locally (not through the VPN tunnel)?

I just want to make sure the router is accepting telnet connections fine.

Federico.

New Member

Re: TELNET NOT WORKING OVER VPN

Morning

  Yes we can telnet locally with no problem. It is just if we telnet from our works system to the internal management address we have a problem.

Re: TELNET NOT WORKING OVER VPN

Steve,

As a suggestion you can try the following...

Create an ACL and apply it to the outside interface to check the telnet packets (or use an existing ACL already applied).

ip access-list extended TEST
  ! x.x.x.x is the IP of the remote VPN client and y.y.y.y the IP of the router
  permit tcp host x.x.x.x host y.y.y.y eq 23
  permit ip any any
interface OUTSIDE_INTERFACE
  ip access-group TEST in

The above ACL is to test if telnet packets are being received by the router properly; "show access-list TEST" will show the hit counts incrementing every time the telnet connection is attempted.

Another thing is to enable logs and check what logs the router reports related to the telnet connections.

Federico.
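
The hit-count check suggested in the reply above, as an added example that is not part of the original thread: it compares two captures of "show access-list TEST" taken before and after a telnet attempt and reports whether the port 23 entry gained matches. The function names and the sample output (documentation addresses) are constructed for illustration; it assumes the usual IOS layout in which an entry that has never matched is printed without a "(N matches)" suffix.

```python
import re

# One ACE line of IOS "show access-lists" output. The "(N matches)" suffix
# is optional because IOS omits it for entries that have never been hit.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\s.+?)(?:\s+\((\d+)\s+match(?:es)?\))?\s*$"
)

def parse_hits(show_output):
    """Return {sequence_number: (rule_text, match_count)} for each ACE."""
    hits = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines such as "Extended IP access list TEST" are skipped
            hits[int(m.group(1))] = (m.group(2), int(m.group(3) or 0))
    return hits

def hit_deltas(before, after):
    """Match-count increase per ACE between two captures of the same ACL."""
    b, a = parse_hits(before), parse_hits(after)
    return {seq: (rule, count - b.get(seq, (rule, 0))[1])
            for seq, (rule, count) in a.items()}

def telnet_seen(before, after):
    """True if an ACE for TCP port 23 gained hits between the captures."""
    return any(delta > 0 and re.search(r"\beq (?:telnet|23)\b", rule)
               for rule, delta in hit_deltas(before, after).values())

# Constructed sample captures (not taken from the router in this thread).
BEFORE = """Extended IP access list TEST
    10 permit tcp host 192.0.2.10 host 198.51.100.1 eq telnet
    20 permit ip any any (118 matches)"""
AFTER_OK = """Extended IP access list TEST
    10 permit tcp host 192.0.2.10 host 198.51.100.1 eq telnet (3 matches)
    20 permit ip any any (131 matches)"""
AFTER_NONE = """Extended IP access list TEST
    10 permit tcp host 192.0.2.10 host 198.51.100.1 eq telnet
    20 permit ip any any (140 matches)"""

if __name__ == "__main__":
    for label, after in (("telnet reached the ACL", AFTER_OK),
                         ("telnet never reached the ACL", AFTER_NONE)):
        print(label, "->", telnet_seen(BEFORE, after), hit_deltas(BEFORE, after))
```

If the port 23 entry stays at zero while the catch-all entry keeps counting, the telnet packets are not arriving at that interface in a form the entry matches, so the next place to look is upstream of the VTY access lists.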
