VTY Lines

Hello, 
I encountered an interesting behavior on the Cat 3550 switches. First, I configured the vty 0 4 and vty 5 15 with transport input telnet and when I issued the sh run command this is the output I received (what you'd expect to see): 
sw1#sh run | be line vty 
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
Next, I wanted to add ssh as the transport input, so I configured the vtys as follows: 
sw1# config t
sw1(config)# line vty 0 4 
sw1(config-line)#transport input all 
And, when I issued the show run command, the vty 0 4 is no longer displayed! My question is, why does the line vty disappear when I use the transport input all command? 
sw1#sh run | be line vty    
line vty 5 15
 transport input telnet
end
Thanks in advance. 
Best, ~zK 

Duplicate post. 
Go HERE.

Similar Messages

  • Best Practices for securing VTY lines?

    Hi all,
    The thread title makes this sound like a big post but it's not. 
    If my router has, say, 193 VTY lines as a maximum, but by default running-config has only a portion of those mentioned, should I set any configs I do on all lines, or just on the lines sh run shows?  Example: 
    sh run on a router I have with default config has:
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    login local
    transport input telnet ssh
    Yet, I have the option of configuring up to 193 VTY lines:
    Router(config)#line vty ?
      <0-193>  First Line number
    It seems lines 16-193 still exist in memory, so my concern is that they are potentially exposed somehow to exploits or what not.  So my practice is to do any configs I do using VTY 0 193 to ensure universal configuration.  But, by my "enabling" the extra lines, am I using more memory, and how secure is this against somebody trying to, say, connect 193 times to my router simultaneously?  Does it increase the likelihood of success of a DoS attack, for example? 

    Hi guys, thanks for the replies and excellent information.  I'm excited to look at the IOS Hardening doc and the other stuff too. 
    Just to clarify, I don't actually use the default config, I only pasted it from a new router just to illustrate the default VTY line count. 
    I never use telnet from inside or outside; anything snooping a line will pick up the cleartext as you both know of course.  SSH is always version 2 etc. 
    I was considering doing a console server from the inside as the only access method - which I do have set up but I have to remote to it.  It's just that with power outages at times, the console PC won't come back up (no BIOS setting to return to previous state, no WOL solution in place) so now I have both that plus the SSH access.  I have an ACL on both the VTY lines themselves as well as a ZBFW ACL governing SSH - perhaps a bit redundant in some ways but oh well, if there's a zero-day out there for turning off the zbfw I might still be protected.  
    Regretfully I haven't learned about AAA yet - that I believe is in my CCNA Security book but first I need to get other things learned. 
    And with regard to logging in general, both enabling the right kind and monitoring it properly, that's a subject I need to work on big time.  I still get port 25 outbound sometimes from a spam bot, but by the time I manually do my sh logging | i :25 I have missed it (due to cyclic logging with a buffer at 102400).  Probably this would be part of that CCNA Security book as well. 
    So back to the # of VTY lines.  I will see what I can do to reduce the line count.  I suppose something like "no line vty 16 193" might work, if not it'll take some research. 
    But if an attacker wants to jam up my vty lines so I can't connect in, once they've fingerprinted the unit a bit to find out that I don't have an IPS running for example, wouldn't it be better that they have to jam up 193 lines simultaneously (with I presume 193 source IPs) instead of 16?  Or am I just theorizing too much here.  It's not that this matters much, anybody who cares enough to hack this router will get a surprise when they find out there's nothing worth the effort on the other side.  But this is more so I can be better armed for future deployments.  Anyway, I will bookmark the info from this thread and am looking forward to reading it. 
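An added example (not code from any poster in this thread or from Cisco) that audits the `line vty` stanzas this post and the `transport input all` question at the top of the page are about: it expands `line vty first last` ranges, applies overlapping stanzas in the order IOS would, and flags telnet, `transport input all`, a missing inbound access-class and `exec-timeout 0 0`. It assumes the device has vty 0 to 15 and that a range absent from show run is running the platform default transport, passed as `default_transport` (`all` here, which is what the vanishing stanza in the top post suggests; adjust it for your platform).

```python
"""Audit 'line vty' stanzas in a Cisco IOS running-config for weak remote-access
settings. Added example, not code from the thread or from Cisco."""
import re
from typing import Dict, List, Tuple

# Constructed sample: vty 0 4 is absent from show run (as in the post at the top
# of the page after 'transport input all'), and vty 5 15 still allows telnet.
SAMPLE_RUN = """\
hostname sw1
!
line con 0
 exec-timeout 5 0
line vty 5 15
 access-class 23 in
 exec-timeout 0 0
 transport input telnet
!
end
"""

# Constructed hardened counterpart: SSH only, source-filtered, with an idle timeout.
HARDENED_RUN = """\
line vty 0 15
 access-class 23 in
 exec-timeout 5 0
 transport input ssh
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")

Stanza = Tuple[int, int, List[str]]


def parse_vty_stanzas(running_config: str) -> List[Stanza]:
    """Return (first, last, [commands]) for each 'line vty' stanza, in config order."""
    stanzas: List[Stanza] = []
    current = None
    for raw in running_config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last, [])
            stanzas.append(current)
        elif current is not None and raw.startswith(" "):
            current[2].append(raw.strip())
        else:
            current = None  # any unindented line ('line con 0', '!', 'end') closes the stanza
    return stanzas


def effective_settings(stanzas: List[Stanza], max_vty: int) -> Dict[int, Dict[str, str]]:
    """Expand ranges to individual lines; a later overlapping stanza overrides an
    earlier one, which is how IOS applies line commands entered in sequence."""
    per_line: Dict[int, Dict[str, str]] = {n: {} for n in range(max_vty + 1)}
    for first, last, cmds in stanzas:
        for n in range(first, min(last, max_vty) + 1):
            for cmd in cmds:
                words = cmd.split()
                # 'transport input' / 'transport output' are distinct settings
                key = " ".join(words[:2]) if words[0] == "transport" else words[0]
                per_line[n][key] = cmd
    return per_line


def audit_line(settings: Dict[str, str], default_transport: str) -> List[str]:
    """Findings for one vty line; an empty list means nothing weak was found."""
    findings: List[str] = []
    explicit = "transport input" in settings
    transport = settings.get("transport input", f"transport input {default_transport}")
    protos = set(transport.split()[2:])
    if not explicit:
        findings.append(f"no transport input configured (platform default '{default_transport}' applies)")
    if "all" in protos:
        findings.append("transport input all (every transport, including legacy ones, accepted)")
    if protos & {"all", "telnet"}:
        findings.append("telnet permitted (credentials cross the network in cleartext)")
    if "access-class" not in settings:
        findings.append("no inbound access-class (any source address may attempt to log in)")
    timeout = settings.get("exec-timeout", "").split()
    if timeout[1:] and set(timeout[1:]) == {"0"}:  # 'exec-timeout 0' or 'exec-timeout 0 0'
        findings.append("exec-timeout 0 0 (idle sessions never expire)")
    return findings


def audit_vty(running_config: str, max_vty: int = 15,
              default_transport: str = "all") -> List[Tuple[int, int, List[str]]]:
    """Audit vty 0..max_vty and collapse neighbouring lines with identical findings
    back into (first, last, findings) ranges for a readable report."""
    per_line = effective_settings(parse_vty_stanzas(running_config), max_vty)
    report: List[Tuple[int, int, List[str]]] = []
    for n in range(max_vty + 1):
        findings = audit_line(per_line[n], default_transport)
        if report and report[-1][2] == findings:
            report[-1] = (report[-1][0], n, findings)
        else:
            report.append((n, n, findings))
    return report


if __name__ == "__main__":
    for first, last, findings in audit_vty(SAMPLE_RUN):
        print(f"line vty {first} {last}: " + ("; ".join(findings) or "OK"))
```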

  • VTY lines and clearing them

    Wondering if anyone has ever had a problem clearing vty lines. I've done it a million times, with success. But now I have a few devices that have some "hung" sessions. I try to clear them, the command is accepted, but the connection is still there. Any ideas? Also, I've read the definitions of "exec timeout" and "session timeout" but wondering what everyone else uses. I've always used EXEC.

    It is a 10012. I am trying clear line vty x:
    ts1euclwi# who
    Line User Host(s) Idle Location
    2 vty 0 idle 6w1d admin.gld.charter.com
    3 vty 1 idle 4w3d admin.gld.charter.com
    4 vty 2 idle 3w2d north1.stpt.wi.charter.com
    5 vty 3 idle 3w3d north1.stpt.wi.charter.com
    * 6 vty 4 bwithrow idle 00:00:00 68-115-71-26.static.eucl.wi.charter.com
    8 vty 6 maint idle 2w0d admin.gld.charter.com
    Interface User Mode Idle Peer Address
    ts1euclwi#clear line vty 1
    [confirm]
    [OK]
    ts1euclwi#who
    Line User Host(s) Idle Location
    2 vty 0 idle 6w1d admin.gld.charter.com
    3 vty 1 idle 4w3d admin.gld.charter.com
    4 vty 2 idle 3w2d north1.stpt.wi.charter.com
    5 vty 3 idle 3w3d north1.stpt.wi.charter.com
    * 6 vty 4 bwithrow idle 00:00:00 68-115-71-26.static.eucl.wi.charter.com
    8 vty 6 maint idle 2w0d admin.gld.charter.com
    Interface User Mode Idle Peer Address
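An added example (not code from the poster or from Cisco) that turns the `who` listing above into something an operator can act on: it parses the session rows, re-joins a Location value that has wrapped onto its own line (as happens when the output is pasted into a forum post), converts the Idle column (`6w1d`, `1d02h`, `00:05:12`) to seconds and emits `clear line` commands for the sessions idle longer than a threshold. The sample input is built from the listing in the post; the column layout it expects is the whitespace-collapsed form shown there.

```python
"""Find stale sessions in Cisco IOS 'who' / 'show users' output and build the
matching 'clear line' commands. Added example, not code from the thread."""
import re
from typing import Dict, List

# Sample constructed from the 'who' listing in the post above; two rows have
# their Location value on a following line, which the parser re-joins.
SAMPLE_WHO = """\
Line User Host(s) Idle Location
2 vty 0 idle 6w1d admin.gld.charter.com
3 vty 1 idle 4w3d admin.gld.charter.com
4 vty 2 idle 3w2d
north1.stpt.wi.charter.com
5 vty 3 idle 3w3d
north1.stpt.wi.charter.com
* 6 vty 4 bwithrow idle 00:00:00
68-115-71-26.static.eucl.wi.charter.com
8 vty 6 maint idle 2w0d admin.gld.charter.com
Interface User Mode Idle Peer Address
"""

SESSION_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<tty>\d+)\s+(?P<type>vty|con|aux|tty)\s+(?P<num>\d+)\s+(?P<rest>.+)$")
# Idle column formats IOS prints: weeks+days, days+hours, or hh:mm:ss
IDLE_RE = re.compile(r"^(?:\d+w\d+d|\d+d\d+h|\d{2}:\d{2}:\d{2})$")


def idle_to_seconds(idle: str) -> int:
    """Convert an IOS idle string ('6w1d', '1d02h', '00:05:12') to seconds."""
    m = re.match(r"^(\d+)w(\d+)d$", idle)
    if m:
        return (int(m.group(1)) * 7 + int(m.group(2))) * 86400
    m = re.match(r"^(\d+)d(\d+)h$", idle)
    if m:
        return int(m.group(1)) * 86400 + int(m.group(2)) * 3600
    h, mi, s = (int(x) for x in idle.split(":"))
    return h * 3600 + mi * 60 + s


def parse_who(output: str) -> List[Dict[str, object]]:
    """Return one dict per session row: active flag, tty, line name, user,
    host(s), idle seconds and location."""
    sessions: List[Dict[str, object]] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if not m:
            # Not a session row: a header, or a Location value that wrapped
            # onto its own line and belongs to the previous session.
            if line and sessions and not sessions[-1]["location"] \
                    and not line.startswith(("Line", "Interface")):
                sessions[-1]["location"] = line
            continue
        tokens = m.group("rest").split()
        # The User column may be empty, so anchor on the Idle column's format:
        # the token before it is Host(s), anything earlier is the user name.
        idx = next((i for i, t in enumerate(tokens) if i >= 1 and IDLE_RE.match(t)), None)
        if idx is None:
            continue
        sessions.append({
            "active": m.group("active") == "*",
            "tty": int(m.group("tty")),
            "line": f"{m.group('type')} {m.group('num')}",
            "user": " ".join(tokens[:idx - 1]),
            "hosts": tokens[idx - 1],
            "idle_seconds": idle_to_seconds(tokens[idx]),
            "location": " ".join(tokens[idx + 1:]),
        })
    return sessions


def stale_sessions(sessions: List[Dict[str, object]], max_idle_seconds: int):
    """Sessions idle longer than the threshold, never including the one you are on."""
    return [s for s in sessions if not s["active"] and s["idle_seconds"] > max_idle_seconds]


def clear_commands(sessions: List[Dict[str, object]], max_idle_seconds: int) -> List[str]:
    """'clear line <type> <n>' for each stale session, in listing order."""
    return [f"clear line {s['line']}" for s in stale_sessions(sessions, max_idle_seconds)]


if __name__ == "__main__":
    for cmd in clear_commands(parse_who(SAMPLE_WHO), 7 * 86400):
        print(cmd)
```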

  • VTY line configuration on a 1042

    Hello,
    I'd like to know if there is any command to configure the vty line interfaces on the AP with the console cable, so without going through the wlc. My point is to configure SSH and telnet on vty 0 to 15. When I checked the matching box on the wlc, I see in the config:
    line vty 0 4
       transport input all (instead of none)
    But as it is a LAP, I don't have any 'conf t' or vty command.
    Do you know how to?
    Thanks
    Theophile

    That is a lightweight AP so you can't do that.  You first need to allow telnet and ssh on the AP once it joins the wlc and then you can set your login credentials.  The controller manages all the lightweight APs so there is a limited number of commands that can be run on the LAPs.

  • Shell authorization works only on vty lines and not on console

    Why does command authorization only work for the vty line and NOT for the consoles?
    I use ACS for Win 3.3.(1)
    Any input is very welcome.
    Configuration
    aaa new-model
    aaa authentication login VTY group tacacs+ local
    aaa authentication login CONSOLE group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    line con 0
    login authentication CONSOLE
    line vty 0 4
    login authentication VTY

    By default, console authorization is turned off, even with all the standard authorization commands in your configuration. This was done deliberately to leave the console connection as a "back door" to get into the router in case you lock yourself out (which is easy to do with authorization). The theory is that if someone has access to your console port, you have a lot more to worry about than command authorization :-)
    If you really, really want to do this, make sure it works fine first on the VTY's, and then issue the hidden command:
    aaa authorization console

  • Setting VTY lines for SSH % Telnet only

    Hello,
    First off I apologize if this is the wrong section to post in or if there has already been a thread made for this particular problem however I've yet to find a solution that works.
    I am configuring a 1841 router running IOS Version 12.4(15)T1
    I am trying to set the vty lines to accept only telnet and ssh connections.
    I am using these commands:
    R1(config)# line vty 0 15
    R1(config-line)# password ciscovtypass
    R1(config-line)# login local
    R1(config-line)#transport input telnet ssh
    When I enter "transport input telnet ssh", I receive the error "Invalid input detected at '^' marker" and it points to the word ssh.  I can successfully use "transport input telnet" and "transport input ssh" by themselves, however when I try to set them both on the same line is when I get the error.  And setting them both one after another overwrites the previous.  Any help would be much appreciated, thanks. 

    The suggestion from Leo would certainly allow both telnet and SSH. But it also allows some other protocols (they are not common in today's networking environment - but the original question was quite specific that they want to allow only 2 protocols and not all protocols). So let us look for answers that may help Michael.
    My first thought was to wonder if SSH has been fully enabled and whether this might be a factor in the problem. Michael indicates that transport input ssh works ok and that seems to indicate that enabling SSH is not the issue. But I would still feel better if Michael would post the output of show ip ssh
    I wonder if there is an order dependency in which one of the protocols must be entered first. I suggest trying this
    line vty 0 15
    transport input telnet ?
    and
    transport input ssh ?
    and see if one of them indicates that the other protocol is an option.
    HTH
    Rick

  • IP SLA/EEM running out of VTY lines and failing

    I am using IP SLA to ping network devices to detect network failures from an AS5400XM voice gateway.  The AS5400XM platform is limited to 5 vty lines ( vty 0 4).  When simulating a simultaneous outage, there are not enough tty lines available to process my EEM events.
    However, when simulating a simultaneous outage, we have a new issue – there are not enough lines available:
    Feb  9 15:16:22.970 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    Feb  9 15:16:22.970 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1005065020_up statement 1.1
    Feb  9 15:16:22.974 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    Feb  9 15:16:22.978 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1005081020_up statement 1.1
    Feb  9 15:16:22.986 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    Feb  9 15:16:22.986 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_100000226_up statement 1.1
    Feb  9 15:16:22.994 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    Feb  9 15:16:22.994 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1001012021_up statement 1.1
    Feb  9 15:16:23.006 CST: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    Feb  9 15:16:23.006 CST: %HA_EM-3-FMPD_ERROR: Error executing applet ReportIPSLAevent_1061247018_up statement 1.1
    How can I detect/wait until there are enough lines free before processing the EEM rules?
    Regards,
    -Doug

    Joe,
    So far, it looks like there are only two issues remaining:
    Issue #1 - E-mail subject has destination listed as "unknown" versus the hostname
    Feb 18 10:39:33.297 CST: %HA_EM-6-LOG: sl_ip_sla_report.tcl : DEBUG(smtp_lib) : smtp_write : Subject: IP SLA alert - {router} connectivity to Unknown has been restored
    Issue #2 - Source IP address issue (SMTP relay restricted to IP 10.5.32.90).  Traffic to the SMTP server needs to sourced from the Loopback0 address 10.5.32.90.  There are NAT rules in place to cover this, but it looks like the TCL script is bypassing the NAT:
    #sh ip int brief | ex una
    Interface                  IP-Address      OK? Method Status                Protocol
    GigabitEthernet0/0         10.5.34.242     YES NVRAM  up                    up
    GigabitEthernet0/1         10.5.34.250     YES NVRAM  up                    up
    Loopback0                  10.5.32.90      YES NVRAM  up                    up
    NVI0                       10.5.32.90      YES unset  up                    up
    ip nat inside source list smtp-nat interface Loopback0 overload
    sh ip access-lists smtp-nat
    Extended IP access list smtp-nat
        10 permit ip host 10.5.34.242 host 10.0.10.10 (2 matches)
        20 permit ip host 10.5.34.250 host 10.0.10.10 (15 matches)
    Regards,
    -Doug
    P.S.  Can you recommend any documents or books to learn Tcl?

  • VTY line config deletes itself

    Hi!
    I have a problem on my AIR-AP1121G access points. Sometimes they cannot be accessed via telnet; it works fine after a reload. This happens not very often, but when it happens, I need to reload it manually.
    I'm using a backup tool for backing up the running configs. Last report I got from an unavailable AP was that the line config for both console and VTY was missing. I think this is the case on the other APs as well. But why the backup could be done I don't know, as the backup routine is done via telnet.
    Using this software: Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JEC1, RELEASE SOFTWARE (fc4)
    By the way I've read this thread but I'm already using the exec timeout option on all of the lines.

    Hello, ah ok, could be something is being pushed by Kiwi Cat Tools through another Job; check the Jobs and what is being configured on it. Normally, the configuration on the AP does not disappear on its own.
    Have a good day.
    Serge

  • Line vty 0 4 & 5 15

    From my understanding line vty 0 15 allows 16 concurrent users to access the device simultaneously, is that correct? When I configure vty 5 15 for telnet access and I leave 0 4 untouched, telnet failed. I have to configure vty 0 15 input telnet, then I'll be able to access the switch. I guess I'm the only person accessing via telnet so I'm getting line vty 0, right? Can I access remotely with a preferred vty line and how do I do that?

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    BTW, another method to avoid hung VTY sessions is to enable service tcp-keepalives-in.

  • Error opening vty no more tty lines error

    Hello Community,
    Whenever I attempt to run a Tcl script I get the following error message:
    Tcl policy execute failed: cannot get pty for exec: Error opening vty no more tty lines
    I increased the number of vty lines to 10 but every time I run the script it takes virtually all the lines, see below.
    Can someone please help
    Brislington_DM001#show line
       Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
         0 CTY              -    -      -    -    -      0       0     0/0       -
         5 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
    *    6 VTY              -    -      -    -    -    127       0     0/0       -
    *    7 VTY              -    -      -    -    -     12       0     0/0       -
    *    8 VTY              -    -      -    -    -      0       0     0/0       -
    *    9 VTY              -    -      -    -    -     22       0     0/0       -
    *   10 VTY              -    -      -    -    -      2       0     0/0       -
    *   11 VTY              -    -      -    -    -      1       0     0/0       -
    *   12 VTY              -    -      -    -    -      0       0     0/0       -
    *   13 VTY              -    -      -    -    -      0       0     0/0       -
    *   14 VTY              -    -      -    -    -      0       0     0/0       -
        15 VTY              -    -      -    -    -      0       0     0/0       -
        16 VTY              -    -      -    -    -      0       0     0/0       -
    Cheers

    anbv,
    I have revisited your answer, and it seems like you've hit a right note:
    Please take look at error output:
    MX_DMVPN_HUB6          1541987: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: Tcl policy execute failed: cannot get pty for exec: Error opening vty no more tty lines
    MX_DMVPN_HUB6          1541986: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     (file "system:/lib/tcl/base.tcl" line 50)
    MX_DMVPN_HUB6          1541985: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:      interp share {} stderr slave..."
    MX_DMVPN_HUB6          1541984: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:      interp share {} stdout slave
    MX_DMVPN_HUB6          1541983: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:      interp create -safe slave
    MX_DMVPN_HUB6          1541982: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "if {$security_level == 1} {       #untrusted script
    MX_DMVPN_HUB6          1541981: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     invoked from within
    MX_DMVPN_HUB6          1541980: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "eval_script slave $scriptname"
    MX_DMVPN_HUB6          1541979: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     invoked from within
    MX_DMVPN_HUB6          1541978: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     (procedure "eval_script" line 7)
    MX_DMVPN_HUB6          1541977: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "$slave eval $Contents"
    MX_DMVPN_HUB6          1541976: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     invoked from within
    MX_DMVPN_HUB6          1541975: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: "cli_open"
    MX_DMVPN_HUB6          1541974: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl:     while executing
    MX_DMVPN_HUB6          1541973: Jul  5 08:02:56.577: %HA_EM-6-LOG: utilisationUHub6.tcl: cannot get pty for exec: Error opening vty no more tty lines
    The script opens a vty session, but doesn't seem to close it.
    Any thoughts?
    Mike
    I never did say thank you for your input. I would welcome your thoughts.
    Cheers
    Carlton

  • Problem setting vty password in packet tracer

    I'm trying to configure a vty password in packet tracer and I think I'm doing something wrong. These are the commands I'm using:
    line vty 0
    password test
    end
    When I do show run I can see the command, but when I try to get access to the vty line, it never asks me for the password. What am I doing wrong?
    Screen shot included. Thanks.

    As far as I know, you can't assign an IP address to an individual interface, but you can assign an administrative IP address to the switch itself. This screen shot is the commands that I used to assign an ip address, subnet mask & gateway. And I have done this on real 2960g.

  • Problem in my EEM : no tty lines available

    Hello,
    I tried to configure an EEM applet which detects a change in configuration and alerts on it with log messages.
    So, the config was:
    archive
     log config
      logging enable
      logging size 500
      notify syslog contenttype plaintext
      hidekeys
    event manager applet Cfg_Change 
    event syslog pattern ".*%PARSER-5-CFGLOG*."
     action 1 cli command "enable"
     action 2 cli command "show archive log config all"
     action 3 syslog msg "Config has been changed"
     action 4 cli command "clear archive log config force"
    When I tried this EEM, I shut an interface on my router; the log messages are below:
    R1(config)#int fastEthernet 0/0
    R1(config-if)#
    *Apr 13 18:50:14.883: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface FastEthernet0/0 
    *Apr 13 18:50:14.915: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    *Apr 13 18:50:14.955: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    *Apr 13 18:50:14.991: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    R1(config-if)#sh
    R1(config-if)#
    *Apr 13 18:50:15.011: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    *Apr 13 18:50:15.011: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
    R1(config-if)#
    *Apr 13 18:50:15.059: %HA_EM-6-LOG: Config-Change: Config has been changed
    *Apr 13 18:50:15.087: %HA_EM-6-LOG: Config-Change: Config has been changed
    *Apr 13 18:50:15.135: %HA_EM-6-LOG: Config-Change: Config has been changed
    *Apr 13 18:50:16.011: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:shutdown 
    *Apr 13 18:50:16.135: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    *Apr 13 18:50:16.171: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    *Apr 13 18:50:16.203: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown user  logged command:!exec: enable
    *Apr 13 18:50:16.223: %HA_EM-3-FMPD_CLI_CONNECT: Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM
    *Apr 13 18:50:16.223: %HA_EM-3-FMPD_ERROR: Error executing applet Config-Change statement 1
    R1(config-if)#
    *Apr 13 18:50:16.263: %HA_EM-6-LOG: Config-Change: Config has been changed
    *Apr 13 18:50:16.303: %HA_EM-6-LOG: Config-Change: Config has been changed
    *Apr 13 18:50:16.335: %HA_EM-6-LOG: Config-Change: Config has been changed
    R1(config-if)#
    *Apr 13 18:50:17.999: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
    *Apr 13 18:50:18.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
    So, my question is: what does "Unable to establish CLI session: no tty lines available, minimum of 2 required by EEM" mean?
    And why, when I executed the command "sh archive log config all", did I not find anything?
    Thanks.

    EEM requires two free VTY lines when policies need to execute CLI commands. One is for EEM, and the other is left so that humans don't get locked out.
    When you match on such a common syslog pattern, you can have up to (by default) five EEM policies running at once. If you don't have enough free VTY lines for them, then some will throw this message.
    You can either allocate more VTY lines or reduce the number of EEM applet threads so that fewer than five policies run in parallel.
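    The check the answer above describes, as an added example that is not part of the original thread: the script parses `show line` output (a constructed sample in the column layout shown earlier on this page, where a leading `*` marks a line in use), counts free VTY lines, and tests them against EEM's two-free-lines minimum. The `extra_vtys_needed` helper and its "one VTY per running policy" rule are an assumption derived from the answer, not something the IOS documentation on this page states.

```python
"""Count free VTY lines from 'show line' output and test EEM's requirement
of two free lines.  Added example, not from the original thread; the sample
output is constructed to match the 'show line' column layout on this page."""
import re

# Constructed sample: a leading '*' marks a line that is currently in use.
SAMPLE_SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*     0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -    -      3       0     0/0       -
*     3 VTY              -    -      -    -    -      2       0     0/0       -
*     4 VTY              -    -      -    -    -      1       0     0/0       -
*     5 VTY              -    -      -    -    -      1       0     0/0       -
      6 VTY              -    -      -    -    -      0       0     0/0       -
"""

# optional '*', tty number, line type; the rest of the row is ignored
ROW_RE = re.compile(r"^(?P<active>\*)?\s*(?P<tty>\d+)\s+(?P<typ>[A-Z]+)\b")

# From the %HA_EM-3-FMPD_CLI_CONNECT message quoted above: one line for the
# policy itself and one kept free so an operator is not locked out.
EEM_MIN_FREE_VTY = 2


def parse_show_line(text):
    """Return [(tty, type, in_use), ...], one entry per row of 'show line'."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw)
        if m:                                   # skips the header line
            rows.append((int(m.group("tty")), m.group("typ"),
                         m.group("active") is not None))
    return rows


def vty_usage(text):
    """Return (total_vty, in_use_vty, free_vty)."""
    vtys = [r for r in parse_show_line(text) if r[1] == "VTY"]
    in_use = sum(1 for r in vtys if r[2])
    return len(vtys), in_use, len(vtys) - in_use


def eem_cli_can_run(text, min_free=EEM_MIN_FREE_VTY):
    """True if an EEM 'cli command' action would currently find enough free VTYs."""
    return vty_usage(text)[2] >= min_free


def extra_vtys_needed(text, concurrent_policies=5):
    """How many more VTY lines to allocate so that 'concurrent_policies' EEM
    policies (the default maximum named in the answer) can all open a CLI
    session at once while one line stays free for operators.  Assumption:
    each running policy holds exactly one VTY."""
    free = vty_usage(text)[2]
    return max(0, concurrent_policies + 1 - free)


if __name__ == "__main__":
    total, in_use, free = vty_usage(SAMPLE_SHOW_LINE)
    print("VTY lines: %d total, %d in use, %d free" % (total, in_use, free))
    print("EEM can open a CLI session:", eem_cli_can_run(SAMPLE_SHOW_LINE))
    print("extra VTYs for 5 parallel policies:", extra_vtys_needed(SAMPLE_SHOW_LINE))
```

    With the sample, four of five VTYs are busy, so only one is free and EEM's CLI actions fail exactly as in the logs above; feed the script real `show line` output to see how close a box is to the limit before adding policies that call `cli command`.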

  • Problems with line tty

    First question:
    How can I redirect the debug output to a vty line instead of the console line? Is there a command for that?
    Other one:
    What is the reason for getting an async interface reset?
    %LINK-5-CHANGED: Interface Async52, changed state to reset

    Enter in the following:
    no logging console
    logging monitor 7
    There could be many reasons for an async interface reset; you could have dropped the carrier, for instance.
    Hope that helps; please rate the post if it does.
    Paresh

  • Cisco VTY Session Question

    Community,
    Can someone take a look at the following vty line configuration and let me know why I can't open more than one session?
    line vty 0
    exec-timeout 60 0
    login authentication vty_access
    transport input all
    line vty 1
    exec-timeout 60 0
    login authentication vty_access
    no exec
    transport preferred none
    transport input all
    line vty 2 4
    exec-timeout 60 0
    login authentication vty_access
    transport input all
    line vty 5 15
    exec-timeout 60 0
    login authentication vty_access
    no exec
    transport preferred none
    transport input all

    I see issues that prevent some of the vty lines from accepting sessions, but not enough problems to account for being limited to a single session. On vty 1 and on 5 to 15 you have configured no exec. This prevents any session from being established.
    I assume that the session you establish is probably on vty 0. I do not see what would prevent additional sessions on vty 2 through 4. Perhaps there is something in vty_access which is having this impact? We need to have more information to be able to come up with a good explanation. At a minimum we will need to see the aaa parts of the config. Perhaps the output of show line might also be helpful.
    HTH
    Rick

  • Cisco line con login local

    No, they are MD7 at best (service password-encryption).
    I would seriously recommend you don't use this method of authentication, create a username:
    username privilege 15 secret
    And then set local login on all line ports.
    line con 0
    login local
    If you also apply this to your line vty lines it will secure your remote sessions also.
    As long as you use "secret" and not "password" in the username line it will be MD5 hashed; using password there also makes it MD7.
    Obviously replace and and set the privilege level to one that is appropriate for that user.  This will also work if you have any management system that logs in for back ups etc.

    Hello,
    Using this in the console:
    line con 0
    password console
    logging synchronous
    login local
    exec-timeout 0 0
    You can see that I'm using the "login local" command, which seems to force me to use that username and password instead of the "password console". Then it doesn't make sense to have the "password console" command, does it?
    Also, is there any way to encrypt the console and vty passwords without using the weak "service password-encryption" command?
    Thanks.
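    A config audit that covers both the "Cisco VTY Session Question" above (which vty lines can actually take a session, given `no exec`) and this "line con login local" thread (a line `password` is dead weight once `login local` or `login authentication` is in place). This is an added example, not code from either thread; the sample running-config is constructed from the vty stanzas posted in the first thread plus the console stanza posted here, and the findings are the checks a reviewer would run on a real `show running-config`.

```python
"""Audit the 'line con'/'line vty' stanzas of an IOS running-config.
Added example, not from the original threads; the constructed sample reuses
the vty stanzas posted above plus the console stanza with 'login local'."""

SAMPLE_RUNNING_CONFIG = """\
line con 0
 password console
 login local
 exec-timeout 0 0
line vty 0
 exec-timeout 60 0
 login authentication vty_access
 transport input all
line vty 1
 login authentication vty_access
 no exec
 transport input all
line vty 2 4
 exec-timeout 60 0
 login authentication vty_access
 transport input all
line vty 5 15
 login authentication vty_access
 no exec
 transport input all
!
end
"""


def parse_line_stanzas(config):
    """Return {'line vty 2 4': ['exec-timeout 60 0', ...], ...}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.rstrip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None                      # '!' or 'end' closes the stanza
    return stanzas


def line_range(header):
    """'line vty 2 4' -> ('vty', 2, 4); 'line con 0' -> ('con', 0, 0)."""
    parts = header.split()
    first = int(parts[2])
    last = int(parts[3]) if len(parts) > 3 else first
    return parts[1], first, last


def audit_stanza(header, cmds):
    """Return human-readable findings for one line stanza."""
    kind = line_range(header)[0]
    findings = []
    if "no exec" in cmds:                       # Rick's point: no session possible
        findings.append("no exec: line cannot accept an interactive session")
    login = next((c for c in cmds if c == "no login" or c.startswith("login")), None)
    has_password = any(c.startswith("password ") for c in cmds)
    if login is None:
        findings.append("no login command in stanza: check this line type's default")
    elif login == "no login":
        findings.append("no login: no authentication at all on this line")
    elif login == "login" and not has_password:
        findings.append("login uses the line password, but none is set")
    elif login != "login" and has_password:
        findings.append("line password is unused under '%s' (and is type 7 at best)" % login)
    if kind == "vty":
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append("transport input not explicit: verify the platform default")
        elif transport.split()[2] in ("all", "telnet"):
            findings.append("'%s' permits telnet: cleartext credentials" % transport)
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append("no inbound access-class: any source address may connect")
    return findings


def audit_config(config):
    """Audit every line stanza; returns {header: [findings]}."""
    return {h: audit_stanza(h, c) for h, c in parse_line_stanzas(config).items()}


def usable_vty_count(config):
    """Number of vty lines that can actually take a session (exec enabled)."""
    total = 0
    for header, cmds in parse_line_stanzas(config).items():
        kind, first, last = line_range(header)
        if kind == "vty" and "no exec" not in cmds:
            total += last - first + 1
    return total


if __name__ == "__main__":
    for header, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        print(header)
        for f in findings:
            print("    " + f)
    print("usable vty lines:", usable_vty_count(SAMPLE_RUNNING_CONFIG))
```

    On the sample it reports that only vty 0 and vty 2 through 4 can take a session (four usable lines, matching Rick's reading), that every vty stanza still permits telnet and has no inbound access-class, and that the console's `password console` is never consulted once `login local` is set.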