Khitrov (Russian Federation) asked:
Cisco 3750 telnet ACL issue

Hello, dear Experts! I have a strange issue with my Cisco 3750 and a telnet connection.
I have this config related to telnet:

access-list 1 permit 192.168.0.165
!
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 authorization exec aaa-vty
 logging synchronous
 login authentication aaa-vty
 length 0
 transport input all
line vty 5 15
 access-class 1 in
 exec-timeout 30 0
 authorization exec aaa-vty
 logging synchronous
 login authentication aaa-vty
 transport input all
!

Also, I have the VLAN interfaces 10.50.120.1/25 and 10.51.202.50/24.
When I connect via telnet from 192.168.0.165 to 10.50.120.1 all is right, but when I connect to 10.51.202.50 from the same 192.168.0.165 I get a connection refused reply. The debug ip tcp trans output in the 1st case:

*Mar  6 17:37:06.208: TCP2: state was ESTAB -> FINWAIT1 [23 -> 192.168.0.165(1199)]
*Mar  6 17:37:06.208: TCP2: sending FIN
*Mar  6 17:37:06.745: TCP2: state was FINWAIT1 -> FINWAIT2 [23 -> 192.168.0.165(1199)]
*Mar  6 17:37:06.753: TCP2: FIN processed
*Mar  6 17:37:06.753: TCP2: state was FINWAIT2 -> TIMEWAIT [23 -> 192.168.0.165(1199)]
oil-camp-111-csw-02#
*Mar  6 17:37:12.508: TPA: Reserved port 0 in Transport Port Agent for TCP IP type 1
*Mar  6 17:37:12.508: TPA: Released port 0 in Transport Port Agent for TCP IP type 1 delay 240000
*Mar  6 17:37:12.508: TPA: Reserved port 23 in Transport Port Agent for TCP IP type 1
*Mar  6 17:37:12.508: TCP0: state was LISTEN -> SYNRCVD [23 -> 192.168.0.165(1203)]
*Mar  6 17:37:12.508: TCP0: tcb 63F563C connection to 192.168.0.165:1203, received MSS 1380, MSS is 516
*Mar  6 17:37:12.508: TCP: sending SYN, seq 3863517295, ack 2104804807
*Mar  6 17:37:12.508: TCP0: Connection to 192.168.0.165:1203, advertising MSS 1380
*Mar  6 17:37:13.045: TCP0: state was SYNRCVD -> ESTAB [23 -> 192.168.0.165(1203)]
*Mar  6 17:37:13.045: TCB063F563C setting property TCP_TOS (1) 3BC0C9C
*Mar  6 17:37:13.045: Telnet2: 1 1 251 1
*Mar  6 17:37:13.045: TCP2: Telnet sent WILL ECHO (1)
*Mar  6 17:37:13.045: Telnet2: 2 2 251 3
*Mar  6 17:37:13.045: TCP2: Telnet sent WILL SUPPRESS-GA (3)
*Mar  6 17:37:13.053: Telnet2: 80000 80000 253 24
*Mar  6 17:37:13.053: TCP2: Telnet sent DO TTY-TYPE (24)
*Mar  6 17:37:13.053: Telnet2: 10000000 10000000 253 31
*Mar  6 17:37:13.053: TCP2: Telnet sent DO WINDOW-SIZE (31)
*Mar  6 17:37:13.590: TCP2: Telnet received DO ECHO (1)
oil-camp-111-csw-02#
*Mar  6 17:37:13.590: TCP2: Telnet received DO SUPPRESS-GA (3)
*Mar  6 17:37:13.590: TCP2: Telnet received WILL TTY-TYPE (24)
*Mar  6 17:37:13.590: Telnet2: Sent SB 24 1
*Mar  6 17:37:13.590: TCP2: Telnet received WILL WINDOW-SIZE (31)
*Mar  6 17:37:13.598: Telnet2: recv SB NAWS 80 30
*Mar  6 17:37:14.135: Telnet2: recv SB 24 0 ANSI

And in the 2nd case:

*Mar  6 17:38:15.783: TCP: sending RST, seq 0, ack 2039015361
*Mar  6 17:38:15.783: TCP: sent RST to 192.168.0.165:1206 from 10.51.202.50:23
*Mar  6 17:38:16.865: TCP: sending RST, seq 0, ack 2444947423
*Mar  6 17:38:16.865: TCP: sent RST to 192.168.0.165:1206 from 10.51.202.50:23
*Mar  6 17:38:17.847: TCP: sending RST, seq 0, ack 1486918094
*Mar  6 17:38:17.847: TCP: sent RST to 192.168.0.165:1206 from 10.51.202.50:23

The show line output:

oil-camp-111-csw-02#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
*    1 VTY              -    -      -    -    1     23       0     0/0       -
     2 VTY              -    -      -    -    1      8       0     0/0       -
     3 VTY              -    -      -    -    1      0       0     0/0       -
     4 VTY              -    -      -    -    1      0       0     0/0       -
     5 VTY              -    -      -    -    1      0       0     0/0       -
     6 VTY              -    -      -    -    1      0       0     0/0       -
     7 VTY              -    -      -    -    1      0       0     0/0       -
     8 VTY              -    -      -    -    1      0       0     0/0       -
     9 VTY              -    -      -    -    1      0       0     0/0       -
    10 VTY              -    -      -    -    1      0       0     0/0       -
    11 VTY              -    -      -    -    1      0       0     0/0       -
    12 VTY              -    -      -    -    1      0       0     0/0       -
    13 VTY              -    -      -    -    1      0       0     0/0       -
    14 VTY              -    -      -    -    1      0       0     0/0       -
    15 VTY              -    -      -    -    1      0       0     0/0       -
    16 VTY              -    -      -    -    1      0       0     0/0       -

The show ver:

Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02D00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

oil-camp-111-csw-02 uptime is 5 days, 17 hours, 39 minutes
System returned to ROM by power-on
System image file is "flash:/c3750.bin"

cisco WS-C3750G-24TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1043RJVZ
Last reset from power-on
6 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:19:E8:36:02:80
Motherboard assembly number     : 73-7058-13
Power supply part number        : 341-0045-01
Motherboard serial number       : CAT104260JK
Power supply serial number      : PHI1030L062
Model revision number           : M0
Motherboard revision number     : C0
Model number                    : WS-C3750G-24TS-E
System serial number            : CAT1043RJVZ
Hardware Board Revision Number  : 0x09


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS     12.2(53)SE2           C3750-IPSERVICES-M
     2 28    WS-C3750G-24TS     12.2(53)SE2           C3750-IPSERVICES-M


Switch 02
---------
Switch Uptime                   : 5 days, 17 hours, 39 minutes
Base ethernet MAC Address       : 00:19:E8:48:F4:00
Motherboard assembly number     : 73-7058-13
Power supply part number        : 341-0045-01
Motherboard serial number       : CAT104260KJ
Power supply serial number      : PHI1030L0RZ
Model revision number           : M0
Motherboard revision number     : C0
Model number                    : WS-C3750G-24TS-E
System serial number            : CAT1043RJWN

Configuration register is 0xF

PLEASE HELP ME, SOS! I have no idea what to do :-(
Garry Glendown (Germany):

Does access work without the access-class in the VTY? Some Cisco switches only allow access to one primary VLAN (though they also only allow one IP to be configured), don't have a 3750 available ATM to test myself ...
Also, what do the routes look like? After all, you're trying to connect from a L3 address which is not directly connected, so the switch may complain about receiving traffic on one VLAN that needs to be answered via the other ... even if it works, I'd want to check my network layout and see if it can't be changed to something more deterministic ;)
pergr:

Adding to Garry-G, what if you activate "ip routing"?
Can you also check if there are ACLs on the VLANs?
Khitrov (asker):

Dear colleagues! ip routing is activated, and there are no ACLs on the VLANs. Also, if you look carefully at the log:

Mar  6 17:38:15.783: TCP: sending RST, seq 0, ack 2039015361
*Mar  6 17:38:15.783: TCP: sent RST to 192.168.0.165:1206 from 10.51.202.50:23

It means that my packets successfully reach the switch, but for an unclear reason it sends RST to the telnet client.
What does the routing table look like? Why would the same source IP arrive over different VLANs? What if you remove the access-class from the line vty?
Khitrov (asker):

The IP 10.50.120.1 is in VLAN 120, no VRF; in the route table there is only one route:
0.0.0.0 0.0.0.0 10.50.203.2 (and the connected networks 10.50.120.1 and 10.50.203.0/30). The 10.51.203.50 is in the VRF mgmt_in; the route table for this VRF is 0.0.0.0 0.0.0.0 10.51.202.2 (and the connected network 10.51.202.0/24). If I remove the access-map, "the song remains the same".
You mean that telnet access works in one VRF, but not in the other VRF?

I assume it is supposed to be that way.
Khitrov (asker):

You mean that telnet access works in one VRF, but not in the other VRF?
 - Yes, absolutely.
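An added configuration example, not from the thread (the accepted answer is not visible on this page): the asker's VTY lines beside a variant whose access-class also admits sessions arriving through an interface in a VRF. On IOS, an access-class applied to the VTY lines without the vrf-also keyword rejects incoming connections that enter via a VRF interface and answers the SYN with a RST, which is what the second debug capture shows for the mgmt_in address; that this is the cause here is an assumption, since the asker reports the behaviour persisted after removing the ACL.

```text
! --- as posted by the asker: the ACL is applied without VRF awareness ---
access-list 1 permit 192.168.0.165
line vty 0 4
 access-class 1 in
 transport input all
line vty 5 15
 access-class 1 in
 transport input all

! --- variant (assumption, not the thread's answer): vrf-also lets the same
! --- ACL admit sessions that arrive on an interface in a VRF, here the SVI
! --- 10.51.202.50 in VRF mgmt_in; without it IOS rejects them with a RST
! --- whatever the ACL contains, so the ACL itself looks correct but never
! --- gets a chance to permit the session ---
access-list 1 permit 192.168.0.165
line vty 0 4
 access-class 1 in vrf-also
 transport input all
line vty 5 15
 access-class 1 in vrf-also
 transport input all

! --- checks after the change (read-only show commands) ---
! 1) confirm both VTY ranges carry vrf-also
show running-config | begin line vty
! 2) confirm the ACL counts matches from 192.168.0.165 on the next attempt
show ip access-lists 1
! 3) confirm the management SVI really belongs to VRF mgmt_in
show ip vrf interfaces mgmt_in
```

If the RST persists with vrf-also in place, the access-class is not the cause and the next place to look is the VRF's return path toward 192.168.0.165 (its default route is 10.51.202.2 per the asker), with debug ip tcp transactions still enabled to see whether the SYN now reaches SYNRCVD.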
ASKER CERTIFIED SOLUTION
pergr:
'nuff said ... guess mentioning you had VRFs (or even better, posting the config minus auth info) would have made it a bit easier to help you ...