Cisco VTY Session Question

Community,
Can someone take a look at the following vty line configuration and let me know why I can't open more than one session?
line vty 0
 exec-timeout 60 0
 login authentication vty_access
 transport input all
line vty 1
 exec-timeout 60 0
 login authentication vty_access
 no exec
 transport preferred none
 transport input all
line vty 2 4
 exec-timeout 60 0
 login authentication vty_access
 transport input all
line vty 5 15
 exec-timeout 60 0
 login authentication vty_access
 no exec
 transport preferred none
 transport input all

I see issues that prevent some of the vty lines from accepting sessions but not enough problems to account for being limited to a single session. On vty 1 and on 5 to 15 you have configured no exec. This prevents any session from being established.
I assume that the session you establish is probably on vty 0. I do not see what would prevent additional sessions on vty 2 through 4. Perhaps there is something in vty_access which is having this impact? We need to have more information to be able to come up with a good explanation. At a minimum we will need to see the aaa parts of the config. Perhaps the output of show line might also be helpful.
HTH
Rick

Similar Messages

  • Cannot kill vty sessions

    Hi,
    yesterday I've added my core switch (WS-C4507R+E) to our Cisco Prime infrastructure server to perform some tests. This morning I've noticed that many vty sessions have been opened by the Prime server and I was trying to close them but I'm not able to close them.
    SW-CORE-1#who
        Line       User       Host(s)              Idle       Location
    *  1 vty 0     user1 idle                 00:00:00 10.159.240.24
       2 vty 1     user1 idle                 18:22:52 10.162.2.13
       3 vty 2     user1 idle                 18:20:51 10.162.2.13
       4 vty 3     user1 idle                 18:18:50 10.162.2.13
       5 vty 4     user1 idle                 18:16:49 10.162.2.13
       6 vty 5     user1 idle                 18:14:03 10.162.2.13
       7 vty 6     user1 idle                 18:12:03 10.162.2.13
       8 vty 7     user1 idle                 17:56:33 10.162.2.13
       9 vty 8     user1 idle                 18:08:15 10.162.2.13
      10 vty 9     user1 idle                 17:54:32 10.162.2.13
      11 vty 10    user1 idle                 17:52:31 10.162.2.13
      12 vty 11    user1 idle                 17:50:31 10.162.2.13
      13 vty 12    user1 idle                 17:47:45 10.162.2.13
      14 vty 13    user1 idle                 17:45:44 10.162.2.13
      Interface    User               Mode         Idle     Peer Address
    SWPIL138P4#clear line vty 1
    [confirm]
     [OK]
    SW-CORE-1#who
        Line       User       Host(s)              Idle       Location
    *  1 vty 0     user1 idle                 00:00:00 10.159.240.24
       2 vty 1     user1 idle                 18:24:07 10.162.2.13
       3 vty 2     user1 idle                 18:22:06 10.162.2.13
       4 vty 3     user1 idle                 18:20:05 10.162.2.13
       5 vty 4     user1 idle                 18:18:04 10.162.2.13
       6 vty 5     user1 idle                 18:15:19 10.162.2.13
       7 vty 6     user1 idle                 18:13:18 10.162.2.13
       8 vty 7     user1 idle                 17:57:48 10.162.2.13
       9 vty 8     user1 idle                 18:09:31 10.162.2.13
      10 vty 9     user1 idle                 17:55:47 10.162.2.13
      11 vty 10    user1 idle                 17:53:47 10.162.2.13
      12 vty 11    user1 idle                 17:51:46 10.162.2.13
      13 vty 12    user1 idle                 17:49:00 10.162.2.13
      14 vty 13    user1 idle                 17:46:59 10.162.2.13
      Interface    User               Mode         Idle     Peer Address
    I cleared the respective TCP session using the command: clear tcp tcb XXXXXX but I can't kill the vty session.
    I've also removed the switch from the Cisco Prime device inventory.
    The switch is a Catalyst C4507R+E with the following IOS-XE cat4500e-universalk9.SPA.03.05.01.E.152-1.E1.bin
    Do you have any ideas? A software bug?
    thanks
    F.Coppotelli

    Hi,
    Issue this command,
    show line
    Clear line 1
    Clear line 2
    Please let me know if this works
    BR // Sanjay

  • Security/session questions

    Hi,
    I have some security/session questions for you guys.
    My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
    Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
    Question 2: Is it necessary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call)
    Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
    Hope someone got the time to help me out.

    I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
    Following are the main changes in my application: (Introducing spring security)
    Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody sees something suspicious, let me know.
    The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing the spring security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and spring security settings must be loaded by ContextLoaderListener. This works. I don't know if this is the only solution.
    On the server:
    web-xml:
    <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/config/web-application-config.xml
                /WEB-INF/config/web-application-security.xml
            </param-value>
        </context-param>
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <servlet>
            <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
            <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
            <init-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
    flex-application-context:
    <flex:message-broker>
            <flex:secured/>
        </flex:message-broker>
    web-application-context:
    I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
    <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
            <security:custom-authentication-provider/>  
    </bean>
    web-application-security:
    <http entry-point-ref="preAuthenticatedEntryPoint" />
        <beans:bean id="preAuthenticatedEntryPoint"
            class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
        <!-- Securing the service layer -->
        <global-method-security>
            <protect-pointcut expression="execution(* package.ServiceImpl.*(..))" access="ROLE_USER"/>
        </global-method-security>
    On the client:
    private function login():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken;
        token = cs.login(username, password);
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
    }
    private function logout():void {
        var cs:ChannelSet = ServerConfig.getChannelSet(loginRemoteObject.destination);
        var token:AsyncToken = cs.logout();
        // Add result and fault handlers.
        token.addResponder(new AsyncResponder(logoutResultHandler, logoutResultHandler));
    }

  • The VTY sessions are set for SSH, is telnet still open?

    I'm in the process of enabling SSH on all of my routers, switches and firewalls. After upgrading the IOS to one that supports SSH, generating the crypto key and then setting all of the VTY sessions to SSH only, my security team informs me that telnet is still vulnerable to IP spoofing. They can demonstrate that when they launch a telnet session to one of my routers, the telnet session will pause for maybe 2 seconds before receiving the message that the session was terminated by the router. They claim this indicates that the router is responding to the telnet session and before the actual disconnect is forced they could IP spoof the box and cause a DOS.
    I say balderdash but without any proof I am forced to create a bunch of ACL's to specifically deny telnet. Here is an example of my VTY's:
    line vty 0 4
     access-class 23 in
     exec-timeout 30 0
     password 7 xxxxxxxxxxxxx
     logging synchronous
     transport preferred ssh
     transport input ssh
     transport output ssh
    *The access list here is limiting access from a certain internal set of IP's.
    Any thoughts?

    Marcos,
    Thank you for your time on this.  I believe I have found and corrected my issue.  In my first post I showed what the vty 0 4 sessions were set as.  What I failed to show was that the "vty 5 15" sessions were only set to "no exec".  So what was happening is that when I would telnet to the router, the session attempt would either walk down the list of VTY sessions looking for an open port or the router just bypassed the ones that were set for SSH and tried the first VTY port that was set for no exec.  This would allow for the telnet session to attempt to open but because the router was not allowing access to the command line interpreter, the router would reject the session attempt.
    To correct this I simply set up all of my VTY sessions the same way, transport SSH in & transport SSH out. The next attempt closed the telnet session immediately. I still maintain there is no need for additional access-lists as I'm trying to keep my processors free from any additional load to allow them to process the payload traffic as efficiently as possible.
    If anyone has any best practices they would care to leave here, I would be interested.
    Sam
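
An added example, not part of either thread above and not Cisco tooling: a small Python audit of the `line vty` section that reports the two conditions discussed on this page, lines that cannot start a CLI session because of `no exec` (Rick's reply) and lines that still accept a telnet connection (Sam's finding). The function names, the sample config and the `default_accepts_telnet` switch are assumptions made for illustration; the switch encodes Sam's observation that a line with no `transport input` statement accepted telnet.

```python
import re

# Constructed sample following Sam's description: vty 0-4 restricted to SSH,
# vty 5-15 carrying only "no exec" (no transport statement at all).
SAM_LAYOUT = """\
line vty 0 4
 access-class 23 in
 transport preferred ssh
 transport input ssh
 transport output ssh
line vty 5 15
 no exec
"""

HEADER = re.compile(r"line vty (\d+)(?: (\d+))?$")


def parse_vty(config):
    """Map each vty number to the statements configured under it."""
    lines, current = {}, []
    for raw in config.splitlines():
        stmt = " ".join(raw.split())          # tolerate lost indentation
        header = HEADER.match(stmt)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = list(range(first, last + 1))
            for n in current:
                lines.setdefault(n, [])
        elif not stmt or stmt in ("!", "end") or stmt.startswith("line "):
            current = []                      # left the vty section
        else:
            for n in current:
                lines[n].append(stmt)
    return lines


def audit_vty(config, default_accepts_telnet=True):
    """Return {vty: {"exec": bool, "telnet": bool}}.

    default_accepts_telnet is an assumption: a line with no "transport input"
    statement is treated as accepting telnet, matching what Sam observed.
    Set it to False for platforms whose default differs.
    """
    report = {}
    for n, stmts in sorted(parse_vty(config).items()):
        exec_ok, inputs = True, None
        for stmt in stmts:                    # the last statement wins
            if stmt in ("exec", "no exec"):
                exec_ok = stmt == "exec"
            elif stmt.startswith("transport input "):
                inputs = set(stmt.split()[2:])
        if inputs is None:
            telnet = default_accepts_telnet
        else:
            telnet = bool(inputs & {"all", "telnet"})
        report[n] = {"exec": exec_ok, "telnet": telnet}
    return report


def findings(config, **kw):
    """Summarise the two problems discussed in the threads."""
    report = audit_vty(config, **kw)
    return {
        "usable_for_cli": [n for n, r in report.items() if r["exec"]],
        "telnet_accepted": [n for n, r in report.items() if r["telnet"]],
        # Connection is accepted, then dropped because no exec can start.
        "telnet_then_drop": [n for n, r in report.items()
                             if r["telnet"] and not r["exec"]],
    }


if __name__ == "__main__":
    for name, vtys in findings(SAM_LAYOUT).items():
        print(f"{name}: {vtys}")
```

Feeding it the configuration from the first question on this page reports vty 0, 2, 3 and 4 as the only lines usable for a CLI session.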

  • Time Capsule Occasionally Reboots During Cisco VPN Sessions

    I have a Time Capsule and an AirPort Extreme Base Station in a Wireless Distribution System (WDS) configuration at my home. The Time Capsule is connected to the DSL Modem. The devices work without issue the vast majority of the time.
    However, I have noticed that occasionally, and seemingly randomly, my Time Capsule will reboot whenever I have a Windows desktop client Cisco VPN session established through the device and back to my workplace's remote access VPN concentrators. It occurs often enough for me to correlate it with the VPN sessions, but not often enough that I can create the steps to reproduce the failure. However, anecdotally, I would say that it occurs about once for every 2 hours or so of actual VPN usage (not that I'm saying it's time or duration based, but rather to give some scale to the occurrence). It is very annoying as I have to wait for the Time Capsule to reboot, for my wireless connectivity to re-establish, and thereafter to re-establish the VPN session and any further office connectivity (ie, exchange, fileshares, sharepoint, etc.).
    I was curious if anyone else has experienced this problem, as I didn't readily find any other comments on the discussions forums. I'm not at home at the moment, so I can't confirm exact revisions, but this problem occurred both with the prior firmware as well as the most recent firmware which was just upgraded on the device in the past few weeks (I was hoping the new firmware might have resolved the issue, but it apparently did not).

    two suggestions:
    1) make sure the firmware is current
    2) can you disable WDS temporarily to see if it's WDS related?

  • Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

    Dear community,
    quite frequently I am now receiving the following error message in my ASA 5502's log:
    Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    The VPN Clients (in the last case: A linux vpnc) disconnect with message
       vpnc[7736]: connection terminated by dead peer detection
    The ASA reports for that <some_ip> at around the same time:
    Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
    A google search did not reveal any explanation to the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message -- so my questions would be
       1) What does the message exactly mean -- I know runts as a L2 problem so I'd suppose it means the same: The ISAKMP packet is somehow
           crippled (I'd suppose this happens during rekeying) ?
       2) Any idea where to look for the cause of this
              WAN related (however I'd assume no -- why does this happen in these regular time frames as shown above)?
              SW related (vpnc bug)?
    Thanks in advance for any pointer...
    Joachim

    Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
    The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
    If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
    If you're seeing them come in his interface and never come back out, you know where to look.
    Set your caps to a single host to single host if need be, and generate traffic accordingly.
    You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
    I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.

  • Session question; best practice

    Hi,
    One of our high profile application's queries/updates are served to user sessions. But we wanted to improve user query performance and reduce general database activity.
    This piece of application causes an auto refresh to execute every 60 seconds. These queries execute against order tables looking for statuses on active orders, are user specific, and in some cases are not optimally tuned producing very high database buffer get and disk read activity. On average, 1,500 executions representing various flavors of these queries are executed hourly.
    my questions are:
    1) how can we get max performance ?
    2) can we cache these queries for like every 30 secs ?
    3) how can we cache ? so that user sessions would access the cache.
    -sharma

    well, you could load the data and put it in the application scope (in memory) with a timeout time so that it's not used after however long, in which case, a request would have to go to get the newer data from the DB.

  • More session questions

    Enumeration e = session.getAttributeNames(); String key, value;
    while( e.hasMoreElements() ) {
    key = (String) e.nextElement();
    value = (String) session.getAttribute( key );
    out.print( key + value );
    }
    I'm not familiar with (String) usage, lines 3,4.
    It's obvious what's happening, though. My questions follow.
    1.) Why is the reserved word String in parentheses?
    2.) What other reserved words could I use in its place?
    3.) By deleting it, error says it found Object but required String.
    In earlier code, I defined it as a String. What gives?
    thanks,

    the syntax (String) is called a CAST - it converts the 'type' of an object from one type to another.
    in this case it's converting from the type Object to type String - this is basic Object talk - read any beginning
    book on OO/Java and get a better understanding.
    one must cast the object returned from the enumeration to a more useful type - but you may find
    that the code has run time errors - if the enumeration has other than Strings in it - for example
    one could put a Boolean object in the enumeration and casting to a String will give a class cast exception
    at run time.

  • Cisco Call Manager Question

    Hi,
    I have a quick question on the Cisco Call Manager. Is it possible to have a Cisco call manager store a list of contacts, and then transfer all the list to any phone that registers to it? Furthermore, if this is possible, will the contacts be stored in the phone's volatile or nonvolatile memory?
    Thanks!
    Billy

    in call manager the directory list can be searched by ip phones
    the source is from the end users page/settings
    these details are either entered manually by system admin
    or can be automatic when you integrate with LDAP like Microsoft AD
    HTH

  • ODI database connection - session question

    Hi,
    I have a package, where I have used a procedure.
    In my procedure, I open a database connection.
    My question is - In my next procedure - will I be able to use my same database connection which I created in previous step?
    Re-phrasing the question - for any number of database transactions happening in a package, will ODI open multiple database connections per step or will there be only one single database connection?
    Thank you,
    Paras

    I believe it's one per session so one connection inside the package. I think you should be, although I have not tried it practically.

  • Servlet Session Questions

    Hi, everybody:
    I'm puzzled by two questions about session in servlet.
    1. The default timeout of J2EE example WAR is set to 30sec. Is it too short?
    2. In J2EE Tutorial 1.3 it says "To ensure that an active session is not timed-out, you should periodically access the session in service methods because this resets the session's time-to-live counter", but I can't see any code in the example servlets to access the session "periodically". Could you please explain that?
    Thank you!

    I,
    I have a problem with the session.
    After the "getMaxInactiveInterval" time, I reload my servlet , but
    the session is lost even if I test it :
    Before doing anything, I do this :
    HttpSession oSession = req.getSession(false);
    if (oSession == null) {
        // forward to a login_page
        RequestDispatcher rd = getServletContext().getRequestDispatcher(
            "login_page");
        rd.forward(req, res);
    }
    // request to the database to get user's characteristics
    // and put them in the session
    String sUser = (String)oSession.getValue("COD"); // sUser is null !
    The pb is that the session has not been removed from the Server after
    the MaxInactiveInterval, so when I make a request, I have in the session :
    the req.isRequestedSessionIdValid() gives : true .
    and a new session is created with a new id
    Something very strange.
    Thanks for help.

  • Cisco switch model question

    Can someone tell what the -L,-S, or -E designation means on Cisco equipment? For example, looking at the
    WS-C3650-24TD-S ?

    Hi,
    According to your description, your question is about Cisco hardware. Here is the Microsoft TechNet Forum and mainly focused on product Windows Server System. I recommend you to ask the hardware vendor (Cisco) for official support.
    Or you may refer to the link which Dave Patrick provided.
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • CISCO AIRONET 1230AG Question for Standalone Mode

    Hello everyone,
    Just one fast question since I am trying to start a personal project.
    Can you use an aironet 1230AG AP as a purely standalone AP device
    like you would with any commercial AP?
    Also is there an administration page to do so or is it IOS oriented?
    Thanks in advance.

    Hi Karolos,
    you can of course use 1230 AP in standalone mode.
    It can be administered both CLI (IOS-like) and GUI (web page).
    configuration examples documents usually have both GUI and CLI.
    Here is a list of configuration examples that might be useful to you:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_examples_list.html
    Note that if you have a high number of APs then administration will be a headache if you are using them in standalone mode.
    If you have a high number of APs then it will be a much wiser idea to use controller-based APs.
    Good luck
    Amjad

  • Cisco ESA Deployment Question

    Hello,
    I have a question about the ESA deployment. In case I have 1 ESA deployed in my network with MX record and the public IP is natted to the ESA IP located on the DMZ.
    If the ESA goes down for any reason like power failure, can I still receive and send email or not? I mean in this case, can the device work in fail-open mode to relay the emails but without applying the policy?
    Or in this case, the mail system will be completely down, and I need to add a 2nd MX record (High availability) to ensure that the email system is UP?
    Thanks.
    Ahmad.

    This is very logical for me.
    I had a discussion with Cisco SE and he insists that ESA acts as a proxy not as email server, so the mail server would still deliver email but without any ESA policies applied to it.
    Here, if you point the exchange server to the ESA and the ESA is down, then the receiving and sending will be down, and only the internal emails will be working.
    Thanks.
    Ahmad.

  • Apple Remote Desktop session questions

    Hi all: Just got my new mini server up and running. I have a question concerning Apple Remote Desktop that I would like answered before plunking down $79. I am wondering how ARD handles sessions run from a device with a smaller screen than the device you are trying to control? That is, does ARD do simple screen scaling like you can do in vnc OR does it open a new remote x session that has the appropriate resolution for your device? I am hoping it functions the same way MS Remote Desktop Connection does.

    You'd be better off asking this question in the Remote Desktop forum...
    ARD supports 2 modes scaling, and "panning". As far as I know, there is no support for what you are describing.
