[c-nsp] Cisco 2600 with async NM-32 sending wrong characters

Youssef Bengelloun-Zahr youssef at 720.fr
Tue Jun 1 20:23:03 EDT 2010


Dear List,

I have just installed an Out Of Band network in case of major crashes for
our company.

The architecture is the following:

3 Cisco 2600 routers geared with async NM-32 modules and octal cables. Each
console is connected to the console port of one of my backbone routers.

The routers are NATed behind another ISP DSL line. Such an OOB network
comes in handy sometimes ;-)


My core routers are configured to authenticate with our internal RADIUS
servers before falling back to the enable password, just in case. Here is
what I have started seeing in my RADIUS logs:

*** Received from X.X.X.X port 47832 ....
Code:       Access-Request
Identifier: 83
Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
Attributes:
        User-Name = *"CONS1.IX1>"*
        User-Password =
"<161><2><22>s[jR<217>\<245>R<217><25><129><197><137>^<213>7<220><27>5=h,<192><158>9<1>T<31><196>"
        NAS-IP-Address = X.X.X.X

Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS1.IX1>, X.X.X.X,
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
is_staff FROM auth_user WHERE username='CONS1.IX1>' AND is_active IS TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Jun  2 01:40:19 2010: DEBUG: Reading users file
/etc/radiator/users-interne
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
CONS1.IX1> [CONS1.IX1>]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS1.IX1>: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:
*** Sending to 77.246.80.138 port 47832 ....
Code:       Access-Reject
Identifier: 83
Authentic:  <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
Attributes:
        Reply-Message = "Request Denied"


*** Received from X.X.X.X port 52229 ....
Code:       Access-Request
Identifier: 181
Authentic:  z5<183>6L<27>z`<191><221><22><6><213><20><13><143>
Attributes:
        User-Name = *"CONS2.IX1> ### Login failed"*
        User-Password = "UP<214><250><11><158>%<245><251>jJ<195>M<145>c<2>"
        NAS-IP-Address = X.X.X.X

Wed Jun  2 01:40:19 2010: DEBUG: Handling request with Handler ''
Wed Jun  2 01:40:19 2010: DEBUG:  Deleting session for CONS2.IX1> ### Login
failed, X.X.X.X,
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
Wed Jun  2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff,
is_staff FROM auth_user WHERE username='CONS2.IX1> ### Login failed' AND
is_active IS TRUE':
Wed Jun  2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user:
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
Wed Jun  2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
Wed Jun  2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed Jun  2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login
failed: No such user
Wed Jun  2 01:40:19 2010: DEBUG: Packet dump:


Where:

- X.X.X.X is the source IP address of my core equipment, used to reach the
internal RADIUS servers.

- CONS1.IX1 and CONS2.IX1 are my console routers' names.


The consoles keep flooding the RADIUS servers with such requests
continuously. For your information, we have been using these console routers
for years now, but they were connected directly to the backbone until tonight.

Here is the output of "sh version" on the consoles:

CONS1.IX1#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 11-Jul-07 20:22 by pwade
Image text-base: 0x8000808C, data-base: 0x812948AC

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

CONS1.IX1 uptime is 1 hour, 51 minutes
System returned to ROM by reload
System image file is "flash:c2600-ik9s-mz.122-46a.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

cisco 2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of
memory.
Processor board ID JAD04290CT0 (2953820044)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


Here is my configuration template:


version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CONS3.IX1
!
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
enable secret 5 $1$B6xi$Wvur3lYfDVqH8Ztaq9dg51
!
username XXXX privilege 15 password 7 120E041C131F09142F29252A3C202C
ip subnet-zero
ip cef
!
!
no ip domain-lookup
ip domain-name XXXXX
ip host LOCALHOST 192.168.0.1
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
!
ip ssh time-out 60
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description Link to Freebox
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
 no shut
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.254
no ip http server
!
!
menu login text 1 se connecter sur BB1.IX1-SUP1
menu login command 1 telnet LOCALHOST 2033
menu login text 2 se connecter sur BB1.IX1-SUP2
menu login command 2 telnet LOCALHOST 2034
menu login text 3 se connecter sur LNS1.IX1
menu login command 3 telnet LOCALHOST 2035
menu login text 4 se connecter sur LNS2.IX1
menu login command 4 telnet LOCALHOST 2036
menu login text 5 se connecter sur FW1.IX1
menu login command 5 telnet LOCALHOST 2037
menu login text 6 se connecter sur FW2.IX1
menu login command 6 telnet LOCALHOST 2038
menu login text 7 se connecter sur FW3.IX1
menu login command 7 telnet LOCALHOST 2039
menu login text 8 se connecter sur LNS7.IX1
menu login command 8 telnet LOCALHOST 2040
menu login text 0 sortir du menu
menu login command 0 menu-exit
!
dial-peer cor custom
!
!
!
!
!
line con 0
line 33 64
 exec-timeout 0 0
 no exec
 transport input all
 escape-character 3
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
ntp server XXX.XXX.XXX.XXX
ntp server XXX.XXX.XXX.XXX
end


Any ideas as to what my problem might be?

Thanks in advance.

Best regards.

Y.

-- 
Youssef BENGELLOUN-ZAHR
Network and Telecoms Engineer

Technopole de l'Aube en Champagne - BP 601 - 10901 TROYES Cedex 9
Paris office: 6, rue Charles Floquet - 92120 MONTROUGE
Tel             +33 (0) 825 000 720
Tel. direct     +33 (0) 1 77 35 59 14
Tel. mobile     +33 (0) 6 22 42 63 80
Email           ybz at 720.fr
www.720.fr
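As an added example, not part of the original post: a small parser for Radiator-style Access-Request dumps like the ones quoted in the message, which flags User-Name values that look like an IOS prompt, a login-failure message or non-printable escapes rather than a real username, and counts them per sending NAS address. The sample log is constructed in the post's format with placeholder addresses; the function name is my own.

```python
import re
from collections import Counter

# Constructed sample in the Radiator packet-dump format quoted in the post
# (placeholder addresses; only the fields the parser needs are kept).
SAMPLE_LOG = """\
*** Received from X.X.X.X port 47832 ....
Code:       Access-Request
Attributes:
        User-Name = "CONS1.IX1>"
        User-Password = "<161><2><22>s[jR"
        NAS-IP-Address = X.X.X.X

*** Received from X.X.X.X port 52229 ....
Code:       Access-Request
Attributes:
        User-Name = "CONS2.IX1> ### Login failed"
        NAS-IP-Address = X.X.X.X

*** Received from 10.0.0.5 port 1645 ....
Code:       Access-Request
Attributes:
        User-Name = "alice"
        NAS-IP-Address = 10.0.0.5
"""

# One packet dump: "*** Received from" header, Code line, then attribute
# lines up to the next blank line (or end of input).
PACKET_RE = re.compile(
    r'^\*\*\* Received from (?P<src>\S+) port (?P<port>\d+).*?\n'
    r'Code:\s+(?P<code>\S+)\n(?P<body>.*?)(?:\n\n|\Z)', re.S | re.M)
USERNAME_RE = re.compile(r'User-Name\s*=\s*\*?"(?P<name>[^"]*)"')
# Telltales of CLI output being read back as a credential: an IOS exec or
# enable prompt suffix, a login-failure message, or <NNN> non-printable escapes.
PROMPT_RE = re.compile(r'[>#]\s*$|[>#]\s|Login failed|<\d{1,3}>')

def find_console_noise(log_text):
    """Return (flagged, per_source): Access-Requests whose User-Name looks like
    terminal output, and a count of them per sending NAS address."""
    flagged = []
    for m in PACKET_RE.finditer(log_text):
        if m.group('code') != 'Access-Request':
            continue
        u = USERNAME_RE.search(m.group('body'))
        if u and PROMPT_RE.search(u.group('name')):
            flagged.append({'src': m.group('src'), 'port': m.group('port'),
                            'user': u.group('name')})
    return flagged, Counter(f['src'] for f in flagged)
```

A steady stream of flagged requests from one NAS address whose User-Name values are CLI prompts is terminal output reaching a login prompt, not a person typing credentials, so it is worth separating from genuine failed logins before alerting on them.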
