VTY Lines
Hello,
I encountered an interesting behavior on the Cat 3550 switches. First, I configured vty 0 4 and vty 5 15 with transport input telnet, and when I issued the sh run command this is the output I received (what you'd expect to see):
sw1#sh run | be line vty
line vty 0 4
transport input telnet
line vty 5 15
transport input telnet
Next, I wanted to add ssh as the transport input, so I configured the vtys as follows:
sw1# config t
sw1(config)# line vty 0 4
sw1(config-line)#transport input all
And, when I issued the show run command, the vty 0 4 is no longer displayed! My question is, why does the line vty disappear when I use the transport input all command?
sw1#sh run | be line vty
line vty 5 15
transport input telnet
end
Thanks in advance.
Best, ~zK
Duplicate post.
Go HERE.
Similar Messages
-
Best Practices for securing VTY lines?
Hi all,
The thread title makes this sound like a big post but it's not.
If my router has, say, 193 VTY lines as a maximum, but by default the running-config has only a portion of those mentioned, should I set any configs I do on all lines, or just on the lines sh run shows? Example:
sh run on a router I have with default config has:
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
Yet, I have the option of configuring up to 193 VTY lines:
Router(config)#line vty ?
<0-193> First Line number
It seems lines 16-193 still exist in memory, so my concern is that they are potentially exposed somehow to exploits or what not. So my practice is to do any configs I do using VTY 0 193 to ensure universal configuration. But by my "enabling" the extra lines, am I using more memory, and how secure is this against somebody trying to, say, connect 193 times to my router simultaneously? Does it increase the likelihood of success of a DoS attack, for example?

Hi guys, thanks for the replies and excellent information. I'm excited to look at the IOS Hardening doc and the other stuff too.
Just to clarify, I don't actually use the default config, I only pasted it from a new router just to illustrate the default VTY line count.
I never use telnet from inside or outside; anything snooping a line will pick up the cleartext, as you both know of course. SSH is always version 2, etc.
I was considering doing a console server from the inside as the only access method, which I do have set up, but I have to remote to it. It's just that with power outages at times the console PC won't come back up (no BIOS setting to return to previous state, no WOL solution in place), so now I have both that plus the SSH access. I have an ACL on both the VTY lines themselves as well as a ZBFW ACL governing SSH. Perhaps a bit redundant in some ways, but oh well, if there's a zero-day out there for turning off the ZBFW I might still be protected.
Regretfully I haven't learned about AAA yet; that I believe is in my CCNA Security book, but first I need to get other things learned.
And with regard to logging in general, both enabling the right kind and monitoring it properly, that's a subject I need to work on big time. I still get port 25 outbound sometimes from a spam bot, but by the time I manually do my sh logging | i :25 I have missed it (due to cyclic logging with a buffer at 102400). Probably this would be part of that CCNA Security book as well.
So back to the # of VTY lines. I will see what I can do to reduce the line count. I suppose something like "no line vty 16 193" might work; if not, it'll take some research.
But if an attacker wants to jam up my VTY lines so I can't connect in, once they've fingerprinted the unit a bit to find out that I don't have an IPS running for example, wouldn't it be better that they have to jam up 193 lines simultaneously (with, I presume, 193 source IPs) instead of 16? Or am I just theorizing too much here? It's not that this matters much; anybody who cares enough to hack this router will get a surprise when they find out there's nothing worth the effort on the other side. But this is more so I can be better armed for future deployments. Anyway, I will bookmark the info from this thread and am looking forward to reading it. -
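A way to check the two questions in the thread above (what is actually set on every VTY stanza, and which VTY numbers have no stanza at all) against a saved running-config, as an added example in Python; it is not code from the thread or from Cisco. It assumes the config was saved to a text file in the layout `show run` prints (line sub-commands indented by one space) and that the top VTY number is known from `line vty ?` (193 here, as in the post). The sample config below is constructed for the example. One caveat when reading its output: IOS omits settings that equal the platform default from `show run`, so a stanza that is absent (the vanishing `line vty 0 4` in the first post, whose `transport input all` matched the default) is a line running defaults, not a line that does not exist; that is why the audit reports unconfigured ranges instead of ignoring them.

```python
"""Audit the 'line vty' stanzas of a Cisco IOS running-config for common hardening gaps."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not from any real device): the default-style
# stanza from the post above plus a deliberately loose 'line vty 5 15'.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
"""

# Assumption: the highest VTY number the platform offers, taken from 'line vty ?'
# (<0-193> on the router in the post).
MAX_VTY = 193

CLEARTEXT_TRANSPORTS = {"telnet", "all", "rlogin"}


@dataclass
class VtyStanza:
    first: int
    last: int
    commands: list = field(default_factory=list)


def parse_vty_stanzas(config: str) -> list:
    """Collect the sub-commands of every 'line vty A [B]' stanza; other stanzas are skipped."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" "):                      # sub-command of the current stanza
            if current is not None and raw.strip():
                current.commands.append(raw.strip())
            continue
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        current = VtyStanza(int(m.group(1)), int(m.group(2) or m.group(1))) if m else None
        if current is not None:
            stanzas.append(current)
    return stanzas


def audit_stanza(stanza: VtyStanza) -> list:
    """Return human-readable findings for one stanza (empty list = nothing to report)."""
    cmds = stanza.commands
    findings = []
    transport = next((c.split()[2:] for c in cmds if c.startswith("transport input ")), None)
    if transport is None:
        findings.append("no explicit 'transport input': the platform default applies and is not shown")
    else:
        weak = sorted(set(transport) & CLEARTEXT_TRANSPORTS)
        if weak:
            findings.append("cleartext or catch-all transport allowed: " + " ".join(weak))
    if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
        findings.append("no inbound access-class: any source address may open a session")
    timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
    if timeout is None:
        findings.append("no exec-timeout: idle sessions keep the line until someone clears it")
    elif timeout.split()[1:3] == ["0", "0"]:
        findings.append("exec-timeout 0 0 disables the idle timeout entirely")
    if "no login" in cmds:
        findings.append("'no login': sessions are accepted without authentication")
    if "privilege level 15" in cmds:
        findings.append("privilege level 15: every login lands directly in privileged EXEC")
    return findings


def uncovered_ranges(stanzas: list, max_vty: int) -> list:
    """VTY numbers in 0..max_vty that no stanza configures, collapsed into (first, last) ranges."""
    covered = set()
    for s in stanzas:
        covered.update(range(s.first, s.last + 1))
    ranges, start, prev = [], None, None
    for n in range(max_vty + 1):
        if n in covered:
            continue
        if start is None or n != prev + 1:
            if start is not None:
                ranges.append((start, prev))
            start = n
        prev = n
    if start is not None:
        ranges.append((start, prev))
    return ranges


def audit_config(config: str, max_vty: int = MAX_VTY) -> dict:
    """Findings per stanza plus the VTY ranges that have no stanza (i.e. run platform defaults)."""
    stanzas = parse_vty_stanzas(config)
    return {
        "stanzas": {f"vty {s.first} {s.last}": audit_stanza(s) for s in stanzas},
        "unconfigured": uncovered_ranges(stanzas, max_vty),
    }


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for name, findings in report["stanzas"].items():
        print(name)
        for finding in findings:
            print("  -", finding)
    for first, last in report["unconfigured"]:
        print(f"line vty {first} {last}: no explicit stanza; running platform defaults")
```

Run it against `show run | begin line vty` saved from the device; the "unconfigured" ranges are the ones to either cover explicitly (the poster's `line vty 0 193` habit) or remove where the platform allows it, and the per-stanza findings are the access-class, transport and timeout gaps the thread discusses.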
Wondering if anyone has ever had a problem clearing VTY lines. I've done it a million times with success. But now I have a few devices that have some "hung" sessions. I try to clear them, the command is accepted, but the connection is still there. Any ideas? Also, I've read the definitions of "exec timeout" and "session timeout" but am wondering what everyone else uses. I've always used EXEC.
It is a 10012. I am trying clear line vty x:
ts1euclwi# who
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 6w1d     admin.gld.charter.com
   3 vty 1                idle                 4w3d     admin.gld.charter.com
   4 vty 2                idle                 3w2d     north1.stpt.wi.charter.com
   5 vty 3                idle                 3w3d     north1.stpt.wi.charter.com
*  6 vty 4     bwithrow   idle                 00:00:00 68-115-71-26.static.eucl.wi.charter.com
   8 vty 6     maint      idle                 2w0d     admin.gld.charter.com

  Interface    User               Mode         Idle     Peer Address
ts1euclwi#clear line vty 1
[confirm]
[OK]
ts1euclwi#who
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 6w1d     admin.gld.charter.com
   3 vty 1                idle                 4w3d     admin.gld.charter.com
   4 vty 2                idle                 3w2d     north1.stpt.wi.charter.com
   5 vty 3                idle                 3w3d     north1.stpt.wi.charter.com
*  6 vty 4     bwithrow   idle                 00:00:00 68-115-71-26.static.eucl.wi.charter.com
   8 vty 6     maint      idle                 2w0d     admin.gld.charter.com

  Interface    User               Mode         Idle     Peer Address -
VTY line configuration on a 1042
Hello,
I'd like to know if there is any command to configure the VTY line interfaces on the AP with the console cable, so without going through the WLC. My point is to configure SSH and telnet on vty 0 to 15. When I checked the matching box on the WLC, I see in the config:
line vty 0 4
transport input all (instead of none)
But as it is a LAP, I don't have any 'conf t' or vty command.
Do you know how to?
Thanks
Theophile

That is a lightweight AP so you can't do that. You first need to allow telnet and SSH on the AP once it joins the WLC and then you can set your login credentials. The controller manages all the lightweight APs so there is a limited set of commands that can be run on the LAPs.
-
Shell authorization works only on vty lines and not on console
Why does command authorization only work for the VTY lines and NOT for the console?
I use ACS for Windows 3.3(1).
Any input is very welcome.
Configuration
aaa new-model
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
line con 0
login authentication CONSOLE
line vty 0 4
login authentication VTY

By default, console authorization is turned off, even with all the standard authorization commands in your configuration. This was done deliberately to leave the console connection as a "back door" to get into the router in case you lock yourself out (which is easy to do with authorization). The theory is that if someone has access to your console port, you have a lot more to worry about than command authorization :-)
If you really, really want to do this, make sure it works fine first on the VTY's, and then issue the hidden command:
aaa authorization console -
Setting VTY lines for SSH & Telnet only
Hello,
First off, I apologize if this is the wrong section to post in or if there has already been a thread made for this particular problem; however, I've yet to find a solution that works.
I am configuring a 1841 router running IOS Version 12.4(15)T1
I am trying to set the vty lines to accept only telnet and ssh connections.
I am using these commands:
R1(config)# line vty 0 15
R1(config-line)# password ciscovtypass
R1(config-line)# login local
R1(config-line)#transport input telnet ssh
When I enter "transport input telnet ssh", I receive the error "Invalid input detected at '^' marker" and it points to the word ssh. I can successfully use "transport input telnet" and "transport input ssh" by themselves, however when I try to set them both on the same line is when I get the error. And setting them one after another overwrites the previous. Any help would be much appreciated, thanks.

The suggestion from Leo would certainly allow both telnet and SSH. But it also allows some other protocols (they are not common in today's networking environment, but the original question was quite specific that they want to allow only 2 protocols and not all protocols). So let us look for answers that may help Michael.
My first thought was to wonder if SSH has been fully enabled and whether this might be a factor in the problem. Michael indicates that transport input ssh works ok and that seems to indicate that enabling SSH is not the issue. But I would still feel better if Michael would post the output of show ip ssh
I wonder if there is an order dependency in which one of the protocols must be entered first. I suggest trying this
line vty 0 15
transport input telnet ?
and
transport input ssh ?
and see if one of them indicates that the other protocol is an option.
HTH
Rick -
IP SLA/EEM running out of VTY lines and failing
I am using IP SLA to ping network devices to detect network failures from an AS5400XM voice gateway. The AS5400XM platform is limited to 5 VTY lines (vty 0 4). When simulating a simultaneous outage, there are not enough tty lines available to process my EEM events.
However, when simulating a simultaneous outage, we have a new issue – there are not enough lines available:
Feb 9 15:16:22.970 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
Feb 9 15:16:22.970 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1005065020_up statement 1.1
Feb 9 15:16:22.974 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
Feb 9 15:16:22.978 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1005081020_up statement 1.1
Feb 9 15:16:22.986 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
Feb 9 15:16:22.986 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_100000226_up statement 1.1
Feb 9 15:16:22.994 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
Feb 9 15:16:22.994 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1001012021_up statement 1.1
Feb 9 15:16:23.006 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
Feb 9 15:16:23.006 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1061247018_up statement 1.1
How can I detect/wait until there are enough lines free before processing the EEM rules?
Regards,
-Doug

Joe,
So far, it looks like there are only two issues remaining:
Issue #1 - E-mail subject has destination listed as "unknown" versus the hostname
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Subject: IP SLA alert - {router} connectivity to Unknown has been restored
Issue #2 - Source IP address issue (SMTP relay restricted to IP 10.5.32.90). Traffic to the SMTP server needs to be sourced from the Loopback0 address 10.5.32.90. There are NAT rules in place to cover this, but it looks like the TCL script is bypassing the NAT:
#sh ip int brief | ex una
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.5.34.242 YES NVRAM up up
GigabitEthernet0/1 10.5.34.250 YES NVRAM up up
Loopback0 10.5.32.90 YES NVRAM up up
NVI0 10.5.32.90 YES unset up up
ip nat inside source list smtp-nat interface Loopback0 overload
sh ip access-lists smtp-nat
Extended IP access list smtp-nat
10 permit ip host 10.5.34.242 host 10.0.10.10 (2 matches)
20 permit ip host 10.5.34.250 host 10.0.10.10 (15 matches)
Feb 18 10:39:33.297 CST: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if GigabitEthernet0/0 nh 10.5.34.241 uhp 1 deag 0 ttlexp 0 rec 0
Feb 18 10:39:33.297 CST: IP: s=10.5.34.242 (local), d=10.0.10.10 (GigabitEthernet0/0), len 58, sending
Feb 18 10:39:33.297 CST: TCP src=26095, dst=25, seq=3453704840, ack=2112864439, win=3890 ACK
Feb 18 10:39:33.297 CST: IP: s=10.5.34.242 (local), d=10.0.10.10 (GigabitEthernet0/0), len 58, output feature
Feb 18 10:39:33.297 CST: TCP src=26095, dst=25, seq=3453704840, ack=2112864439, win=3890 ACK, CCE Output Classification(5), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.297 CST: IP: s=10.5.32.90 (local), d=10.0.10.10 (GigabitEthernet0/0), len 58, output feature
Feb 18 10:39:33.297 CST: TCP src=26095, dst=25, seq=3453704840, ack=2112864439, win=3890 ACK, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.297 CST: IP: s=10.5.32.90 (local), d=10.0.10.10 (GigabitEthernet0/0), len 58, output feature
Feb 18 10:39:33.297 CST: TCP src=26095, dst=25, seq=3453704840, ack=2112864439, win=3890 ACK, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.297 CST: IP: s=10.5.32.90 (local), d=10.0.10.10 (GigabitEthernet0/0), len 58, sending full packet
Feb 18 10:39:33.297 CST: TCP src=26095, dst=25, seq=3453704840, ack=2112864439, win=3890 ACK
Feb 18 10:39:33.297 CST: [fh_smtp_debug_cmd]
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : From: {router}@mydomain.com
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : To: [email protected]
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Cc:
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Subject: IP SLA alert - {router} connectivity to Unknown has been restored
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : IPSLAs Latest Operation Statistics
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : IPSLA operation id: 100000226
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Type of operation: icmp-echo
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Latest RTT: 36 milliseconds
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Latest operation start time: 10:39:29.377 CST Thu Feb 18 2010
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Latest operation return code: OK
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Number of successes: 21
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Number of failures: 13
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Operation time to live: Forever
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : {router}
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write :
Feb 18 10:39:33.297 CST: [fh_smtp_debug_cmd]
Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : .
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK, NAT Outside(53), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:33.529 CST: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 10.0.10.10 dst 10.5.34.242
Feb 18 10:39:33.529 CST: FIBfwd-proc: Default:10.5.34.242/32 receive entry
Error:
Feb 18 10:39:33.529 CST: FIBipv4-packet-proc: packet routing failed
Feb 18 10:39:33.529 CST: IP: tableid=0, s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), routed via RIB
Feb 18 10:39:33.529 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 40, output feature
Feb 18 10:39:33.529 CST: TCP src=25, dst=26095, seq=2112864439, ack=3453704858, win=65374 ACK ACK
Feb 18 10:39:33.953 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, stop process pak for forus packet
Feb 18 10:39:33.953 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK
Feb 18 10:39:34.245 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, input feature
Feb 18 10:39:34.245 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.245 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, input feature
Feb 18 10:39:34.245 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, NAT Outside(53), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 10.0.10.10 dst 10.5.34.242
Feb 18 10:39:34.249 CST: FIBfwd-proc: Default:10.5.34.242/32 receive entry
Error:
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: packet routing failed
Feb 18 10:39:34.249 CST: IP: tableid=0, s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), routed via RIB
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 88, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, CCE Output Classification(5), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 88, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 88, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, rcvd 4
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 88, stop process pak for forus packet
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864535, ack=3453704892, win=65340 ACK PSH
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, NAT Outside(53), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, input feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 10.0.10.10 dst 10.5.34.242
Feb 18 10:39:34.249 CST: FIBfwd-proc: Default:10.5.34.242/32 receive entry
Error:
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: packet routing failed
Feb 18 10:39:34.249 CST: IP: tableid=0, s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), routed via RIB
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 40, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, CCE Output Classification(5), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 40, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242 (GigabitEthernet0/0), len 40, output feature
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, rcvd 4
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN
Feb 18 10:39:34.249 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, stop process pak for forus packet
Feb 18 10:39:34.249 CST: TCP src=25, dst=26095, seq=2112864583, ack=3453704892, win=65340 ACK FIN
Feb 18 10:39:34.249 CST: IP: s=10.5.34.242 (local), d=10.0.10.10, len 40, local feature
Feb 18 10:39:34.249 CST: TCP src=26095, dst=25, seq=3453704892, ack=2112864584, win=3746 ACK, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: route packet from (local) src 10.5.34.242 dst 10.0.10.10
Feb 18 10:39:34.249 CST: FIBfwd-proc: Default:10.0.0.0/20 proces level forwarding
Feb 18 10:39:34.249 CST: FIBfwd-proc: depth 0 first_idx 0 paths 2 long 0(0)
Feb 18 10:39:34.249 CST: FIBfwd-proc: try path 0 (of 2) v4-anh-10.5.34.241-Gi0/0 first short ext 0(-1)
Feb 18 10:39:34.249 CST: FIBfwd-proc: v4-anh-10.5.34.241-Gi0/0 valid
Feb 18 10:39:34.249 CST: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if GigabitEthernet0/0 nh 10.5.34.241 deag 0 via fib 0 path type attached nexthop
Feb 18 10:39:34.249 CST: FIBfwd-proc: packet routed to GigabitEthernet0/0 10.5.34.241(0)
Feb 18 10:39:34.249 CST: FIBipv4-packet-proc: packet routing succeeded ACK
Feb 18 10:39:34.405 CST: IP: s=10.0.10.10 (GigabitEthernet0/1), d=10.5.34.242, len 40, stop process pak for forus packet
Feb 18 10:39:34.405 CST: TCP src=25, dst=26095, seq=2112864584, ack=3453704893, win=65340 ACK
Regards,
-Doug
P.S. Can you recommend any documents or books to learn Tcl? -
VTY line config deletes itself
Hi!
I have a problem on my AIR-AP1121G access points. Sometimes they cannot be accessed via telnet; it works fine after a reload. This happens not very often, but when it happens I need to reload it manually.
I'm using a backup tool for backing up the running configs. The last report I got from an unavailable AP was that the line config for both console and VTY was missing. I think this is the case on the other APs as well. But why the backup could be done I don't know; the backup routine is done via telnet.
Using this software: Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JEC1, RELEASE SOFTWARE (fc4)
By the way, I've read this thread but I'm already using the exec timeout option on all of the lines.

Hello, ah ok, it could be that something is being pushed by Kiwi Cat Tools through another job; check the jobs and what is being configured by them. Normally the configuration on the AP does not disappear on its own.
Have a good day.
Serge -
From my understanding line vty 0 15 allows 16 concurrent users to access the device simultaneously; is that correct? When I configured vty 5 15 for telnet access and left 0 4 untouched, telnet failed. I had to configure vty 0 15 with transport input telnet, then I was able to access the switch. I guess I'm the only person accessing via telnet, so I'm getting line vty 0, right? Can I access remotely with a preferred VTY line, and how do I do that?
BTW, another method to avoid hung VTY sessions is to enable service tcp-keepalives-in. -
Error opening vty no more tty lines error
Hello Community,
Whenever I attempt to run a Tcl script I get the following error message:
Tcl policy execute failed: cannot get pty for exec: Error opening vty no more tty lines
I increased the number of VTY lines to 10, but every time I run the script it takes virtually all the lines; see below.
Can someone please help?
Brislington_DM001#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
5 AUX 9600/9600 - - - - - 0 0 0/0 -
* 6 VTY - - - - - 127 0 0/0 -
* 7 VTY - - - - - 12 0 0/0 -
* 8 VTY - - - - - 0 0 0/0 -
* 9 VTY - - - - - 22 0 0/0 -
* 10 VTY - - - - - 2 0 0/0 -
* 11 VTY - - - - - 1 0 0/0 -
* 12 VTY - - - - - 0 0 0/0 -
* 13 VTY - - - - - 0 0 0/0 -
* 14 VTY - - - - - 0 0 0/0 -
15 VTY - - - - - 0 0 0/0 -
16 VTY - - - - - 0 0 0/0 -
Cheers

anbv,
I have revisited your answer, and it seems like you've hit a right note:
Please take look at error output:
MX_DMVPN_HUB6 1541987: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: Tcl policy execute failed: cannot get pty for exec: Error opening vty no more tty lines
MX_DMVPN_HUB6 1541986: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: (file "system:/lib/tcl/base.tcl" line 50)
MX_DMVPN_HUB6 1541985: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: interp share {} stderr slave..."
MX_DMVPN_HUB6 1541984: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: interp share {} stdout slave
MX_DMVPN_HUB6 1541983: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: interp create -safe slave
MX_DMVPN_HUB6 1541982: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "if {$security_level == 1} { #untrusted script
MX_DMVPN_HUB6 1541981: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: invoked from within
MX_DMVPN_HUB6 1541980: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "eval_script slave $scriptname"
MX_DMVPN_HUB6 1541979: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: invoked from within
MX_DMVPN_HUB6 1541978: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: (procedure "eval_script" line 7)
MX_DMVPN_HUB6 1541977: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "$slave eval $Contents"
MX_DMVPN_HUB6 1541976: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: invoked from within
MX_DMVPN_HUB6 1541975: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "cli_open"
MX_DMVPN_HUB6 1541974: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: while executing
MX_DMVPN_HUB6 1541973: Jul 5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: cannot get pty for exec: Error opening vty no more tty lines
The script opens a VTY session but doesn't seem to close it.
Any thoughts?
Mike
I never did say thank you for your input. I would welcome your thoughts.
Cheers
Carlton -
Problem setting vty password in packet tracer
I'm trying to configure a VTY password in Packet Tracer and I think I'm doing something wrong. These are the commands I'm using:
line vty 0
password test
end
When I do show run I can see the command, but when I try to get access to the VTY line, it never asks me for the password. What am I doing wrong?
Screen shot included. Thanks.

As far as I know, you can't assign an IP address to an individual interface, but you can assign an administrative IP address to the switch itself. This screen shot is the commands that I used to assign an IP address, subnet mask & gateway. And I have done this on a real 2960G.
-
Problem in my EEM : no tty lines available
Hello,
I tried to configure an EEM applet which detects a change in configuration and alerts on it by log messages.
So the config was:
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
hidekeys
event manager applet Cfg_Change
event syslog pattern ".*%PARSER-5-CFGLOG*."
action 1 cli command "enable"
action 2 cli command "show archive log config all"
action 3 syslog msg "Config has been changed"
action 4 cli command "clear archive log config force"
When I tried this EEM applet, I shut an interface on my router; the log messages are below:
R1(config)#int fastEthernet 0/0
R1(config-if)#
*Apr 13 18:50:14.883: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface FastEthernet0/0
*Apr 13 18:50:14.915: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:14.955: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:14.991: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
R1(config-if)#sh
R1(config-if)#
*Apr 13 18:50:15.011: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Apr 13 18:50:15.011: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
R1(config-if)#
*Apr 13 18:50:15.059: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:15.087: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:15.135: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:16.011: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:shutdown
*Apr 13 18:50:16.135: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:16.171: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:16.203: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:16.223: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Apr 13 18:50:16.223: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
R1(config-if)#
*Apr 13 18:50:16.263: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:16.303: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:16.335: %HA_EM-6-LOG: Config-Change: Config has been changed
R1(config-if)#
*Apr 13 18:50:17.999: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Apr 13 18:50:18.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
So, my question is: what does this mean: "Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM"?
And why, when I executed the command "sh archive log config all", don't I find anything?
Thanks.
EEM requires two free VTY lines when policies need to execute CLI commands. One is for EEM, and the other is left so that humans don't get locked out.
When you match on such a common syslog pattern, you can have up to (by default) five EEM policies run at once. If you don't have enough free VTY lines for them, then some will throw this message.
You can either allocate more VTY lines or reduce the number of EEM applet threads so that fewer than five policies run in parallel. -
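As an added example (not code from any poster in this thread), a small Python audit that reads IOS syslog lines of the kind shown above and separates the operator's own logged config commands from the EEM applet's CLI sessions and the FMPD_CLI_CONNECT failures, so the "no tty lines available" condition can be spotted in collected logs; the sample log is a constructed subset of the R1 output above.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the R1 syslog output in the thread above
# (a subset of those lines, not the poster's complete log).
SAMPLE_LOG = """\
*Apr 13 18:50:14.883: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface FastEthernet0/0
*Apr 13 18:50:14.915: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:14.955: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:14.991: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:15.011: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Apr 13 18:50:15.011: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
*Apr 13 18:50:15.059: %HA_EM-6-LOG: Config-Change: Config has been changed
*Apr 13 18:50:16.011: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:shutdown
*Apr 13 18:50:16.135: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user logged command:!exec: enable
*Apr 13 18:50:16.223: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
*Apr 13 18:50:16.223: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
"""

# IOS syslog shape: optional '*', timestamp, '%FACILITY-SEVERITY-MNEMONIC:', text.
LINE_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %(?P<mnem>[A-Z_]+-\d-[A-Z_]+): (?P<text>.*)$")
APPLET_RE = re.compile(r"Error executing applet (?P<applet>\S+) statement (?P<stmt>\d+)")

def audit_eem(log_text):
    """Summarise EEM CLI sessions and tty-exhaustion failures in a syslog excerpt."""
    report = {"console_cmds": [], "eem_cli_lines": 0, "cli_failures": [], "failed_applets": Counter()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts such as 'R1(config-if)#' and other non-syslog noise
        mnem, text = m.group("mnem"), m.group("text")
        if mnem == "PARSER-5-CFGLOG_LOGGEDCMD":
            if text.startswith("User:console"):
                report["console_cmds"].append(text.split("command:", 1)[1])
            elif text.startswith("User:unknown user"):
                report["eem_cli_lines"] += 1  # EEM's own CLI session is logged as 'unknown user'
        elif mnem == "HA_EM-3-FMPD_CLI_CONNECT":
            report["cli_failures"].append(text.split(": ", 1)[-1])
        elif mnem == "HA_EM-3-FMPD_ERROR":
            a = APPLET_RE.search(text)
            if a:
                report["failed_applets"][a.group("applet")] += 1
    return report

def vty_starved(report):
    """True when at least one EEM policy failed for lack of free tty/vty lines."""
    return any("no tty lines available" in r for r in report["cli_failures"])
```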
First question:
How can I redirect the debug output to a vty line instead of the console line...Is there any command..??
Other one:
What is a reason for getting an async interface reset..?...
%LINK-5-CHANGED: Interface Async52, changed state to reset
Enter in the following:
no logging console
logging monitor 7
There could be many reasons for an async interface reset..you could have dropped the carrier, for instance.
Hope that helps - pls rate the post if it does.
Paresh -
Community,
Can someone take a look at the following vty line configuration and let me know why I can't open more than one session
line vty 0
exec-timeout 60 0
login authentication vty_access
transport input all
line vty 1
exec-timeout 60 0
login authentication vty_access
no exec
transport preferred none
transport input all
line vty 2 4
exec-timeout 60 0
login authentication vty_access
transport input all
line vty 5 15
exec-timeout 60 0
login authentication vty_access
no exec
transport preferred none
transport input all
I see issues that prevent some of the vty lines from accepting sessions, but not enough problems to account for being limited to a single session. On vty 1 and on 5 to 15 you have configured no exec. This prevents any session from being established.
I assume that the session you establish is probably on vty 0. I do not see what would prevent additional sessions on vty 2 through 4. Perhaps there is something in vty_access which is having this impact? We need to have more information to be able to come up with a good explanation. At a minimum we will need to see the aaa parts of the config. Perhaps the output of show line might also be helpful.
HTH
Rick -
No, they are MD7 at best (service password-encryption).
I would seriously recommend you don't use this method of authentication, create a username:
username privilege 15 secret
And then set local login on all line ports.
line con 0
login local
If you also apply this to your line vty lines it will secure your remote sessions also.
As long as you use "secret" and not "password" in the username line it will be MD5 hashed, using password there also makes it MD7.
Obviously replace and and set the privilege level to one that is appropriate for that user. This will also work if you have any management system that logs in for backups etc.
Hello,
Using this in the console:
line con 0
password console
logging synchronous
login local
exec-timeout 0 0
You can see that I'm using the "login local" command, which seems to force me to use that username and password instead of the "password console". Then it doesn't make sense having the "password console" command, does it?
Also, is there any way to encrypt the console and vty passwords without using the weak "service password-encryption" command?
Thanks.
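Added example serving both Rick's point about "no exec" on the vty lines and the "password" versus "secret" discussion (not code from any poster): a Python audit over a constructed config that expands each "line vty" range, reports which vtys can still open a session, flags usernames configured with "password" rather than "secret", and flags lines where "login local" means the line password is never consulted. The config text is constructed for the example; the hash string is a placeholder.

```python
import re

# Constructed sample: the vty stanzas posted above plus a console stanza and two
# username lines like those discussed (not any poster's complete config).
SAMPLE_CONFIG = """\
username admin privilege 15 password cleartext-example
username backup privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
line con 0
 password console
 login local
line vty 0
 login authentication vty_access
line vty 1
 no exec
line vty 2 4
 login authentication vty_access
line vty 5 15
 no exec
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_stanzas(config):
    """Group an IOS config into (header, [indented sub-commands]) pairs."""
    stanzas = []
    for raw in config.splitlines():
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            stanzas.append((raw.strip(), []))
    return stanzas

def audit(config):
    """Return (findings, usable vty numbers) for the points raised in the thread."""
    findings, usable = [], []
    for header, body in parse_stanzas(config):
        if header.startswith("username ") and " password " in header:
            findings.append(f"{header.split()[1]}: uses 'password' (type 0/7), use 'secret' instead")
        if header.startswith("line ") and "login local" in body and any(c.startswith("password ") for c in body):
            findings.append(f"{header}: line password is never checked because 'login local' is set")
        m = VTY_RE.match(header)
        if not m:
            continue
        first, last = int(m.group(1)), int(m.group(2) or m.group(1))
        if "no exec" in body:
            findings.append(f"{header}: 'no exec' blocks every session on vty {first}-{last}")
        else:
            usable.extend(range(first, last + 1))  # lines a session can actually land on
    return findings, usable
```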
This topic first appeared in the Spiceworks Community