Makes NO sense!!!


burtsbees

I have a router with 10.1.1.1/24 on an interface. I can ping to it and all other interfaces, routing is working correctly. This is an example, but mocks the same problem one of my customers had. The router had no ip classless. I could ping, but not telnet to the router UNTIL I PUT IN IP CLASSLESS! Why can I ping, how can the router route, but NO TELNET ACCESS??? This is driving me crazy! The only thing as far as I know that no ip classless will affect is routing to supernets, i.e. anything in 10.0.0.0/8 that the router does not know about! The exact same problem can be found here...


What gives? I'll give a star and a quarter to anyone with the correct answer!

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
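
The lookup rule the post refers to, as an added example that is not part of the original thread: a Python model of classful (`no ip classless`) versus classless route selection. The table is constructed from the post's 10.1.1.0/24 example, `192.0.2.1` is a placeholder next hop, and the function names are hypothetical; it models only route selection and does not account for the ping/telnet difference being asked about.

```python
import ipaddress

# Constructed table modelled on the first post: one connected /24 inside
# 10.0.0.0/8 plus a default route. 192.0.2.1 is a placeholder next hop.
ROUTES = [("10.1.1.0/24", "connected"), ("0.0.0.0/0", "192.0.2.1")]

def classful_network(addr):
    """Return the class A/B/C major network containing addr, or None."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None  # class D/E addresses have no major network
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def lookup(routes, dest, classless):
    """Return the next hop chosen for dest, or None when the packet is dropped."""
    dest = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(net), hop) for net, hop in routes]
    matches = [(net, hop) for net, hop in table if dest in net]
    if not classless:
        major = classful_network(dest)
        # Classful rule: once any subnet of the major network is known,
        # only routes inside that major network may be used.
        knows_subnet = major is not None and any(
            net.prefixlen > major.prefixlen and net.subnet_of(major)
            for net, _ in table)
        if knows_subnet:
            matches = [(net, hop) for net, hop in matches if net.subnet_of(major)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins

if __name__ == "__main__":
    for dest in ("10.1.1.50", "10.9.9.9", "172.16.5.5"):
        print(dest, lookup(ROUTES, dest, classless=False),
              lookup(ROUTES, dest, classless=True))
```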
 
You can ping it from off the router? In protocols like RIP or EIGRP the default is auto summarization, so it chops the route at the classful boundaries, in that case /8. If you have 10.anything on another router it can be an issue. Could be something like this or not. Don't know why about the ping issue.

The software summarizes subprefixes to the classful network boundary when crossing classful network boundaries.

If you have disconnected subnets, disable automatic route summarization to advertise the subnets. When route summarization is disabled, the software transmits subnet and host routing information across classful network boundaries.
 
I know---in the case of my customer, they are running OSPF and redistributing connected subnets. All routing is taking place, no services are disrupted, things are being routed through. When you ping the fa interface, pings succeed. Same with the outside. But telnet succeeds from only some routers, until the "ip classless" is put in. It makes no sense!

Did you read the problem in the link I posted? Same thing, and I find no answer on the internet.

 
Bump...anyone else wanna give this a stab in the dark?

 
There isn't some crazy acl on there by chance?

Got a full config we could see?
 
No acl at all!

I will post a config Monday...

 
CHICDIST#sh run
Building configuration...

Current configuration : 5747 bytes
!
! Last configuration change at 09:14:43 Wed Sep 23 2009 by Support
! NVRAM config last updated at 09:15:07 Wed Sep 23 2009 by Support
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname CHICDIST
!
boot-start-marker
boot system flash:c2800nm-ipbasek9-mz.124-5b.bin
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
aaa session-id common
!
resource policy
!
clock timezone
clock summer-time DST recurring 2 Sun Mar 1 Sun Nov
!
!
ip cef
!
!
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name something.com
!
!
crypto pki trustpoint TP-self-signed-2038072733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2038072733
 revocation-check none
 rsakeypair TP-self-signed-2038072733
!
!
crypto pki certificate chain TP-self-signed-2038072733
 certificate self-signed 01
 quit
username Support privilege 15 password 7
username nsgadmin privilege 15 password 7
!
!
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.82.1.250 255.255.255.0 secondary
 ip address x.x.x.x y.y.y.y secondary
 ip address 10.213.21.250 255.255.255.0
 ip helper-address 10.3.1.18
 ip helper-address 10.24.1.19
 ip route-cache flow
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 description Frame Relay T1, Circuit ID #
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type cisco
!
interface Serial0/0/0.233 point-to-point
 description T3
 bandwidth 1536
 ip address 10.213.16.50 255.255.255.252
 ip ospf cost 66
 no cdp enable
 frame-relay interface-dlci 233
!
interface Serial0/0/0.424 point-to-point
 description Central T3
 bandwidth 1536
 ip address 10.213.16.18 255.255.255.252
 ip ospf cost 65
 no cdp enable
 frame-relay interface-dlci 424
!
interface Serial0/0/0.524 point-to-point
 description Brooke T3
 bandwidth 1536
 ip address 10.213.16.146 255.255.255.252
 ip ospf cost 66
 no cdp enable
 frame-relay interface-dlci 524
!
interface Serial0/1/0
 description T1
 ip address x.x.x.x 255.255.255.252
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
router ospf 100
 router-id 10.213.21.250
 log-adjacency-changes
 area 0.0.0.4 stub
 redistribute connected subnets
 network 10.0.0.0 0.255.255.255 area 0.0.0.4
 network (secondary on fa0/0, public IP) 0.0.255.255 area 0.0.0.4
!
no ip classless
ip route 0.0.0.0 0.0.0.0 next hop
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination 10.3.64.1 2055
ip flow-aggregation cache destination-prefix
!
!
ip http server
ip http access-class 23
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface FastEthernet0/0
!
logging 10.1.33.221
logging 10.2.73.235
snmp-server community
snmp-server community
snmp-server enable traps tty
no cdp run
tacacs-server host 10.3.64.238
tacacs-server host 10.24.1.111
tacacs-server directed-request
tacacs-server key 7
!
control-plane
!
banner login ^CC
*********************ATTENTION**************************
* *
* STATE AND FEDERAL STATUTES MAKE IT A CRIME TO GAIN *
* UNAUTHORIZED ACCESS INTO THIS COMPUTER SYSTEM. *
* VIOLATORS WILL BE PROSECUTED. *
* *
* SYSTEM USE IS ONLY FOR AUTHORIZED BUSINESS PURPOSES. *
* *
********************************************************
^C
!
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 transport input all
line vty 5 15
 access-class 23 in
 transport input none
!
scheduler allocate 20000 1000
ntp clock-period 17179633
ntp server 10.24.1.19
ntp server 10.3.1.18
!
end

CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#

CHICDIST#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 64.206.17.217 to network 0.0.0.0

x.x.x.x/27 is subnetted, 1 subnets
C x.x.x.x is directly connected, FastEthernet0/0
x.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C x.x.x.x/32 is directly connected, Serial0/1/0
C x.x.x.x/30 is directly connected, Serial0/1/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.82.1.0 is directly connected, FastEthernet0/0
C 10.213.21.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 64.206.17.217
CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#

CHICDIST#ping 10.1.33.143

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.33.143, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
CHICDIST#10.1.33.143 is my PC that I cannot telnet to the router from.
^
% Invalid input detected at '^' marker.

CHICDIST#trac
CHICDIST#traceroute 10.1.33.143

Type escape sequence to abort.
Tracing the route to 10.1.33.143

1 64.206.17.217 8 msec 8 msec 8 msec
2 64.206.22.65 8 msec 8 msec 8 msec
3 64.206.22.66 8 msec 8 msec 8 msec
4 172.16.172.2 8 msec 12 msec 8 msec
5 10.1.33.143 12 msec 8 msec 12 msec
CHICDIST#
CHICDIST#
CHICDIST#
CHICDIST#deb ip icmp
ICMP packet debugging is on
CHICDIST#term mon
CHICDIST#
Sep 23 14:58:16: ICMP: echo reply sent, src 10.213.21.250, dst 10.1.33.143
Sep 23 14:58:17: ICMP: echo reply sent, src 10.213.21.250, dst 10.1.33.143
Sep 23 14:58:18: ICMP: echo reply sent, src 10.213.21.250, dst 10.1.33.143
Sep 23 14:58:19: ICMP: echo reply sent, src 10.213.21.250, dst 10.1.33.143
CHICDIST#
CHICDIST#
CHICDIST#I just did a ping from my PC to router
^
% Invalid input detected at '^' marker.

CHICDIST#term no mon
CHICDIST#deb ip telnet#
CHICDIST#deb ip telnet ?
% Unrecognized command
CHICDIST#deb ip telnet
^
% Invalid input detected at '^' marker.

CHICDIST#debu
CHICDIST#debug ip#
CHICDIST#debug ip# ## #tel
CHICDIST#debug telnet ?
<cr>

CHICDIST#debug telnet
Incoming Telnet debugging is on
CHICDIST#
CHICDIST#

We removed aaa (no aaa new-model) to take TACACS+ out of the equation, and also got rid of the null multilink config on the serial interface---still no difference. He can telnet from something connected to the WAN, but not the LAN. This started when they moved from frame WAN to MPLS...

The fix was putting in "ip classless"...huh???

 
I'm not seeing a route to the 10.1.33.143 network in the routing table, so explains why it's going out across the 64.x.x.x networks.

I'm not sure though...something just doesn't seem right. Will admit, having the secondary addresses on the fastethernet interface is interesting.
 
The routing table was the same after "ip classless" was put in.

 
Plus, it was telnet being affected, not ping---he could still get around, as routing was unaffected...

 
Are you sure you just didn't have more than four sessions and you were hitting the 5th vty? Vty 5 15 has an ACL applied that doesn't exist.
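
The observation above (an `access-class` pointing at an ACL the configuration never defines) can be checked mechanically. This is an added example, not part of the thread: a Python check that lists undefined ACL references and shows what each terminal line accepts. `SAMPLE_CONFIG` is a constructed excerpt of the posted configuration with IOS indentation restored, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the posted config (access-related lines only).
SAMPLE_CONFIG = """\
ip http server
ip http access-class 23
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 transport input all
line vty 5 15
 access-class 23 in
 transport input none
"""

def audit_lines(config):
    """Return (undefined ACL names, per-line settings) for IOS-style text."""
    defined = set(re.findall(r"^access-list (\S+)", config, re.M))
    defined |= set(re.findall(r"^ip access-list \S+ (\S+)", config, re.M))
    referenced = set(re.findall(
        r"^[ \t]*(?:ip http )?access-class (\S+)", config, re.M))
    report, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            report[current] = {"transport_input": None, "access_class": None}
        elif current and raw.startswith(" "):
            m = re.match(r"\s+transport input (.+)", raw)
            if m:
                report[current]["transport_input"] = m.group(1).strip()
            m = re.match(r"\s+access-class (\S+) in", raw)
            if m:
                report[current]["access_class"] = m.group(1)
        else:
            current = None  # left the line block
    return sorted(referenced - defined), report

def unrestricted_lines(report):
    """Lines that state an inbound transport but carry no access-class."""
    return sorted(name for name, s in report.items()
                  if s["transport_input"] not in (None, "none")
                  and s["access_class"] is None)

if __name__ == "__main__":
    undefined, report = audit_lines(SAMPLE_CONFIG)
    print("undefined ACLs:", undefined)
    print("no access-class:", unrestricted_lines(report))
```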
 
Positive. When "ip classless" was put in, everything worked fine.

 