[Last Call] Learn how to a build a cloud-first strategyRegister Now


BT Infinity Cisco 1841

Posted on 2011-10-25
Medium Priority
Last Modified: 2012-05-12
We have a new BT Infinity connection, fixed IP, that we are trying to get running with a Cisco 1841. (let's call this house)

We have managed to get the internet up and running and a VPN tunnel connected to it from our main campus (let's call this campus). We cannot however get the GRE tunnel to come up over the VPN tunnel and can not telnet to the wan port of the 1841 from the campus.

We put an access list on the VTY
access-list 24 permit any log
and noticed that the packet was reported as arriving at the boundary of the access list and permitted through.
At the end running telnet (campus) there was no reponse.

We can telnet out of the 1841 (house) to other houses no problem.

We have tried playing with the MTU size but this doesn't seem to make a difference.

Anyone out there have any ideas.

Question by:Jo Cox
  • 4
  • 2
LVL 18

Expert Comment

ID: 37025187
How is your VTY port configured?  Are you configured for allowing telnet inbound, have a password on the port or specify local login?

I know there's more than one way to do it, but when I do GRE and IPSec together, I usually do the GRE tunnel first, and specify in the IPSec ACL that GRE gets encrypted.  Or is that what you're describing?

Author Comment

by:Jo Cox
ID: 37030505
The VTY is configured as all my other routers that function OK.

line vty 0 4
 access-class 24 in
 exec-timeout 0 0
 password xxx

access-list 24 permit any log

I can see packets arrive at the perimeter of the ACL (see below) but the telnet session never actually opens. I have a feeling that whatever is causing this problem is also causing the VPN/GRE tunnels to fail.

*Oct 26 10:15:17.198: %SEC-6-IPACCESSLOGNP: list 24 permitted 0 ->, 1 packet
*Oct 26 10:20:17.198: %SEC-6-IPACCESSLOGNP: list 24 permitted 0 ->, 1 packet
*Oct 26 10:25:17.198: %SEC-6-IPACCESSLOGNP: list 24 permitted 0 ->, 2 packets
LVL 18

Accepted Solution

jmeggers earned 1500 total points
ID: 37045152
I believe you need a "login" statement on the VTY line to tell the router to check the password.  As in:

line vty 0 4
 password xxx

I know this is an old document, but from http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml, "...'login' is a required configuration command to enable password checking at login."

You can also take a look at http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_example09186a0080202614.shtml

There are other options based on whether you want to do authentication against AAA parameters, or against a locally configured username and password.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

by:Jo Cox
ID: 37146346
This was a weird one.
Using the BT infinty connection and just the modem they supplied, packet traces revealed that telnet communication packets were being replied from the wrong port address e.g 7 and not 23 when they arrived back at our firewall. The port address they were arriving back from was not consistent either. As a result our ASA firewall couldn't match the packets in the NAT table and eventually the connection was torn down as there was no traffic.

I eventually got this working by using the infinity hub in what it calls DMZ mode where our static WAN IP get's forwarded to the WAN port on our cisco 1841 as well as all traffic. Telnet works. VPN's however do not.

Setting a gateway on the BT inifinity system is odd as hell we get a /29 network on the wan inerface of the 1841 and looking at the BT-Hub it reports the gateway address is way outside our static /29 network and is also inconsistent so seems to change on power cycling. We get messages about recursive routing and our VPN tunnels can stay up for up to an hour but will then die and not reconnect.

Still trying to get this working. BT are worse than useless, I do not recommend this service if you are intending to use VPN's or possibly needing any sort of tech help. I am amazed at at how un-knowledgeable the BT fibre support are....please stop me before I start ranting.



Author Closing Comment

by:Jo Cox
ID: 37176045
Thanks for your efforts

Author Comment

by:Jo Cox
ID: 37838285
Jo Here
Something has changed on the BT network recently I think. All seems to be work as normal VPN's and telnet. Still using a cisco 1841

the only thing I had to make sure of was the crypto map StClare-Map was associated with the dialer interface and not the ethernet one.

Again thanks for anyones help with this

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article explains the protocols and technology which is involved when two computers on different TCP/IP networks communicate with each other. In the diagram, a router is used to segregate two networks. The networks are and 192…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question