RE: Loss of Telnet Capability to 6509
I had this once with a 7500 and a friend at Cisco told me this procedure. I'm not sure if it would help you though.

I had an idle session in "show users" output. To clear the idle session, I typed "show tcp brief". My friend said the stuck one should be in "ESTAB" state, but the one I cleared said "LASTACK", so you can always go by the foreign address. It's better to kick people off temporarily than to have to reboot the router just to clear a stuck VTY session.

To clear the session, type "clear tcp tcb ", using the hexadecimal TCB address at the beginning of the line from show tcp brief. Then check show users output to see if the session has disappeared.

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard J. Sears
Sent: Wednesday, July 28, 2004 2:35 PM
To: Jason Frisvold
Cc: Nanog
Subject: Re: Loss of Telnet Capability to 6509

Hi Jason, the only ACL's on the vty's are the same across my entire farm of routers and switches. And when I telnet to a box with an ACL, I get a refused connection...this one is saying that it is timing out.

On Wed, 28 Jul 2004 15:33:45 -0400 "Jason Frisvold" <[EMAIL PROTECTED]> wrote:

> Do you have ACL's restricting access to the vty's? I've seen instances where telnet ports get locked up because of port scanning and/or attacks...
>
> --
> Jason Frisvold
> Penteledata
>
> > -----Original Message-----
> > From: Richard J. Sears [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 28, 2004 2:54 PM
> > To: Nanog
> > Subject: Loss of Telnet Capability to 6509
> >
> > We posted this to cisco-nsp but someone suggested posting it here as well...
> >
> > We have a 6509 running a SUP720 in IOS only mode (no cat os).
> >
> > At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.
> >
> > All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.
> >
> > I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.
> >
> > We are running Version 12.2(17a)SX3.
> >
> > Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?
> >
> > **
> > Richard J. Sears
> > Vice President
> > American Digital Network
> >
> > [EMAIL PROTECTED]
> > http://www.adnc.com
> >
> > 858.576.4272 - Phone
> > 858.427.2401 - Fax
> > INOC-DBA - 6130
> >
> > I fly because it releases my mind
> > from the tyranny of petty things . .
> >
> > "Work like you don't need the money, love like you've
> > never been hurt and dance like you do when nobody's watching."

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."

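The matching step in the procedure above (take the stuck VTY's peer from show users, find its row in show tcp brief by foreign address rather than by state, then clear that TCB), as an added example that is not part of the original thread. The device output is constructed, the function names are hypothetical, and the TCB is assumed to be passed to clear tcp tcb exactly as printed.

```python
import re

# Constructed sample of "show users" output (not taken from the thread).
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   3 vty 2                idle                 1d02h      192.0.2.45
"""

# Constructed sample of "show tcp brief" output (not taken from the thread).
SHOW_TCP_BRIEF = """\
TCB       Local Address           Foreign Address        (state)
63A3F438  198.51.100.1.23         192.0.2.45.51234       LASTACK
63A40A10  198.51.100.1.179        203.0.113.9.11002      ESTAB
63A41C88  198.51.100.1.23         192.0.2.77.40211       ESTAB
"""

# TCB, local addr.port, foreign addr.port, state
ROW = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+(\S+)\s*$")
# "<tty> vty <n> ... <peer IPv4 in the Location column>"
VTY = re.compile(r"^\*?\s*\d+\s+vty\s+(\d+)\s.*\s(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def vty_peers(show_users):
    """Map vty number -> peer address taken from the Location column."""
    peers = {}
    for line in show_users.splitlines():
        m = VTY.match(line)
        if m:
            peers[int(m.group(1))] = m.group(2)
    return peers

def tcp_rows(show_tcp_brief):
    """Yield (tcb, local_port, foreign_ip, state) for each connection row."""
    for line in show_tcp_brief.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), int(m.group(3)), m.group(4), m.group(6)

def clear_commands(show_users, show_tcp_brief, vty, port=23):
    """Build 'clear tcp tcb' commands for the session held by one vty.

    Rows are matched on local port and foreign address, not on state:
    the stuck connection may be in LASTACK rather than ESTAB.
    """
    peer = vty_peers(show_users).get(vty)
    return [f"clear tcp tcb {tcb}"
            for tcb, lport, fip, _state in tcp_rows(show_tcp_brief)
            if peer is not None and lport == port and fip == peer]
```

Only the row whose foreign address matches the stuck VTY's peer is selected, so the BGP session on port 179 and the other telnet user are left alone.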
RE: Loss of Telnet Capability to 6509
From your console connection, check what you have configured under VTY, just in case someone has gone ahead and changed to SSH, for example.

transport input # - the specific config

Also, what does "show line" give you?

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard J. Sears
Sent: Wednesday, July 28, 2004 3:35 PM
To: Jason Frisvold
Cc: Nanog
Subject: Re: Loss of Telnet Capability to 6509

Hi Jason, the only ACL's on the vty's are the same across my entire farm of routers and switches. And when I telnet to a box with an ACL, I get a refused connection...this one is saying that it is timing out.

On Wed, 28 Jul 2004 15:33:45 -0400 "Jason Frisvold" <[EMAIL PROTECTED]> wrote:

> Do you have ACL's restricting access to the vty's? I've seen instances where telnet ports get locked up because of port scanning and/or attacks...
>
> --
> Jason Frisvold
> Penteledata
>
> > -----Original Message-----
> > From: Richard J. Sears [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 28, 2004 2:54 PM
> > To: Nanog
> > Subject: Loss of Telnet Capability to 6509
> >
> > We posted this to cisco-nsp but someone suggested posting it here as well...
> >
> > We have a 6509 running a SUP720 in IOS only mode (no cat os).
> >
> > At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.
> >
> > All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.
> >
> > I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.
> >
> > We are running Version 12.2(17a)SX3.
> >
> > Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?
> >
> > **
> > Richard J. Sears
> > Vice President
> > American Digital Network
> >
> > [EMAIL PROTECTED]
> > http://www.adnc.com
> >
> > 858.576.4272 - Phone
> > 858.427.2401 - Fax
> > INOC-DBA - 6130
> >
> > I fly because it releases my mind
> > from the tyranny of petty things . .
> >
> > "Work like you don't need the money, love like you've
> > never been hurt and dance like you do when nobody's watching."

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."

Re: Loss of Telnet Capability to 6509
Hi Jason, the only ACL's on the vty's are the same across my entire farm of routers and switches. And when I telnet to a box with an ACL, I get a refused connection...this one is saying that it is timing out.

On Wed, 28 Jul 2004 15:33:45 -0400 "Jason Frisvold" <[EMAIL PROTECTED]> wrote:

> Do you have ACL's restricting access to the vty's? I've seen instances where telnet ports get locked up because of port scanning and/or attacks...
>
> --
> Jason Frisvold
> Penteledata
>
> > -----Original Message-----
> > From: Richard J. Sears [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 28, 2004 2:54 PM
> > To: Nanog
> > Subject: Loss of Telnet Capability to 6509
> >
> > We posted this to cisco-nsp but someone suggested posting it here as well...
> >
> > We have a 6509 running a SUP720 in IOS only mode (no cat os).
> >
> > At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.
> >
> > All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.
> >
> > I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.
> >
> > We are running Version 12.2(17a)SX3.
> >
> > Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?
> >
> > **
> > Richard J. Sears
> > Vice President
> > American Digital Network
> >
> > [EMAIL PROTECTED]
> > http://www.adnc.com
> >
> > 858.576.4272 - Phone
> > 858.427.2401 - Fax
> > INOC-DBA - 6130
> >
> > I fly because it releases my mind
> > from the tyranny of petty things . .
> >
> > "Work like you don't need the money, love like you've
> > never been hurt and dance like you do when nobody's watching."

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."

RE: Loss of Telnet Capability to 6509
Do you have ACL's restricting access to the vty's? I've seen instances where telnet ports get locked up because of port scanning and/or attacks...

--
Jason Frisvold
Penteledata

> -----Original Message-----
> From: Richard J. Sears [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 28, 2004 2:54 PM
> To: Nanog
> Subject: Loss of Telnet Capability to 6509
>
> We posted this to cisco-nsp but someone suggested posting it here as well...
>
> We have a 6509 running a SUP720 in IOS only mode (no cat os).
>
> At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.
>
> All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.
>
> I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.
>
> We are running Version 12.2(17a)SX3.
>
> Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?
>
> **
> Richard J. Sears
> Vice President
> American Digital Network
>
> [EMAIL PROTECTED]
> http://www.adnc.com
>
> 858.576.4272 - Phone
> 858.427.2401 - Fax
> INOC-DBA - 6130
>
> I fly because it releases my mind
> from the tyranny of petty things . .
>
> "Work like you don't need the money, love like you've
> never been hurt and dance like you do when nobody's watching."

RE: Loss of Telnet Capability to 6509
It is possible that all of the VTY sessions have been used up (line vty 0 4); if this is the case then a clearing (clear line vty x) of the sessions should resolve the issue.

Chris C. Burton
Network Engineer
Walt Disney Internet Group: Network Services
Smith Tower: 206.664.4131
Westin: 206.664.4833
Mobile: 425.591.4805

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard J. Sears
Sent: Wednesday, July 28, 2004 11:54 AM
To: Nanog
Subject: Loss of Telnet Capability to 6509

We posted this to cisco-nsp but someone suggested posting it here as well...

We have a 6509 running a SUP720 in IOS only mode (no cat os).

At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.

All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.

I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.

We are running Version 12.2(17a)SX3.

Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."

Re: Loss of Telnet Capability to 6509
Hi Robert - There is only a single connection to vty 2 (which I cannot clear); other than that, there are no other connections at all.

On Wed, 28 Jul 2004 15:03:44 -0400 Robert Blayzor <[EMAIL PROTECTED]> wrote:

> Richard J. Sears wrote:
>
> > Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?
>
> Isn't there a maximum of VTY's that can be used at one time? Perhaps that's the problem. From the console what does the switch say if you do a "show users" or "who"?
>
> If it shows users, then there are some other connections using the VTY's and probably not permitting any more connections.
>
> Try clearing the vty's if you think they are stale.
>
> --
> Robert Blayzor
> INOC, LLC
> [EMAIL PROTECTED]

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."

Re: Loss of Telnet Capability to 6509
Richard J. Sears wrote:

> Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?

Isn't there a maximum of VTY's that can be used at one time? Perhaps that's the problem. From the console what does the switch say if you do a "show users" or "who"?

If it shows users, then there are some other connections using the VTY's and probably not permitting any more connections.

Try clearing the vty's if you think they are stale.

--
Robert Blayzor
INOC, LLC
[EMAIL PROTECTED]

Loss of Telnet Capability to 6509
We posted this to cisco-nsp but someone suggested posting it here as well...

We have a 6509 running a SUP720 in IOS only mode (no cat os).

At around 4am this morning, we lost our ability to telnet to the router. Running a tcpdump shows that the router never responds to the telnet request.

All functions and interfaces on the router seem fine (bgp, etherchannel, ibgp, vtp, hsrp) and I can console into the sup with no problems at all, we just cannot telnet into it. The CPU is at around 6%.

I have checked all access lists on the router, none were added/removed or modified on line vty that would cause this problem. All logging appears normal.

We are running Version 12.2(17a)SX3.

Anyone have a similar problem or know how to check or restart the telnet process on the router without a reload...?

**
Richard J. Sears
Vice President
American Digital Network

[EMAIL PROTECTED]
http://www.adnc.com

858.576.4272 - Phone
858.427.2401 - Fax
INOC-DBA - 6130

I fly because it releases my mind
from the tyranny of petty things . .

"Work like you don't need the money, love like you've
never been hurt and dance like you do when nobody's watching."