[c-nsp] Cisco 2600 with async NM-32 sending wrong characters
Youssef Bengelloun-Zahr
youssef at 720.fr
Thu Jun 3 10:20:19 EDT 2010
Hello,
You are absolutely right.
Still, it doesn't explain the actual behavior of the consoles. I had
them working just fine for years and then all of a sudden...
This really resembles a physical layer problem...
I'll keep on digging.
Y.
Sent from my iPhone 3GS!
On 3 June 2010 at 15:40, Ziv Leyes <zivl at gilat.net> wrote:
> In case you have networking problems and want to access a device via
> console then I assume it is not so good to need to authenticate
> other than locally, right?
> So in the case of the console you should change the auth to local;
> there are a few ways to do it but the easiest one I guess will be
>
> line con 0
> login authentication local
>
>
> From: Youssef Bengelloun-Zahr [mailto:youssef at 720.fr]
> Sent: Thursday, June 03, 2010 1:02 PM
> To: Ziv Leyes
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco 2600 with async NM-32 sending wrong
> characters
>
> Here is the output from a switch but it's the same for all of the
> equipment:
>
> aaa new-model
> aaa group server radius radius-interne
> server X.X.X.X
> server X.X.X.X
> !
> aaa authentication login default group radius-interne enable
> aaa authentication enable default enable
> aaa authorization exec default group radius-interne local if-authenticated
> enable secret 5 striped_chain
> !
> line con 0
> no exec
> exec-timeout 0 0
> password 7 striped_chain
> logging synchronous
> transport preferred telnet
> stopbits 1
> !
>
> SW1.IX1#sh line console 0
>    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
>      0 CTY              -    -      -    -    -      0       0     0/0       -
>
> Line 0, Location: "", Type: ""
> Length: 24 lines, Width: 80 columns
> Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
> Status: Ready
> Capabilities: EXEC Suppressed
> Modem state: Ready
> Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
>                 ^^x    none   -     -       none
> Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
>                never        never                        none      not set
>                            Idle Session Disconnect Warning
>                              never
>                            Login-sequence User Response
>                             00:00:30
>                            Autoselect Initial Wait
>                              not set
> Modem type is unknown.
> Session limit is not set.
> Time since activation: 01:21:02
> Editing is enabled.
> History is enabled, history size is 10.
> DNS resolution in show commands is enabled
> Full user help is disabled
> Allowed transports are telnet. Preferred is telnet.
> No output characters are padded
> No special data dispatching characters
>
>
> Y.
>
>
> 2010/6/3 Ziv Leyes <zivl at gilat.net>
> I'm more concerned about what you have configured on the console
> port of your core routers and less about your console router itself.
> Could you please post a config of the aaa settings of a core router
> as well as the con 0 config?
> Ziv
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Youssef Bengelloun-Zahr
> Sent: Wednesday, June 02, 2010 3:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 2600 with async NM-32 sending wrong characters
>
> Dear List,
>
> I have just installed an Out Of Band network for our company, in case
> of major crashes.
>
> The architecture is the following:
>
> 3 Cisco 2600 routers geared with async NM32 modules and octal cables.
> Each console is connected to the console port of my backbone routers.
>
> The routers are NATed behind another ISP DSL line. Such kind of OOB
> network comes in handy sometimes ;-)
>
>
> My core routers are configured to authenticate with our internal
> RADIUS servers before falling back to the enable password, just in
> case. Here is what I have started seeing in my RADIUS logs:
>
> *** Received from X.X.X.X port 47832 ....
> Code: Access-Request
> Identifier: 83
> Authentic: <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
> Attributes:
> User-Name = *"CONS1.IX1>"*
> User-Password = "<161><2><22>s[jR<217>\<245>R<217><25><129><197><137>^<213>7<220><27>5=h,<192><158>9<1>T<31><196>"
> NAS-IP-Address = X.X.X.X
>
> Wed Jun 2 01:40:19 2010: DEBUG: Handling request with Handler ''
> Wed Jun 2 01:40:19 2010: DEBUG: Deleting session for CONS1.IX1>, X.X.X.X,
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
> Wed Jun 2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff, is_staff FROM auth_user WHERE username='CONS1.IX1>' AND is_active IS TRUE':
> Wed Jun 2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with CONS1.IX1> [CONS1.IX1>]
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user: CONS1.IX1> [CONS1.IX1>]
> Wed Jun 2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 2 01:40:19 2010: DEBUG: Reading users file /etc/radiator/users-interne
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with CONS1.IX1> [CONS1.IX1>]
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user: CONS1.IX1> [CONS1.IX1>]
> Wed Jun 2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
> Wed Jun 2 01:40:19 2010: INFO: Access rejected for CONS1.IX1>: No such user
> Wed Jun 2 01:40:19 2010: DEBUG: Packet dump:
> *** Sending to 77.246.80.138 port 47832 ....
> Code: Access-Reject
> Identifier: 83
> Authentic: <221>r<176>Z<189><221><25><8><142>T<20>b<244>S<176>O
> Attributes:
> Reply-Message = "Request Denied"
>
>
> *** Received from X.X.X.X port 52229 ....
> Code: Access-Request
> Identifier: 181
> Authentic: z5<183>6L<27>z`<191><221><22><6><213><20><13><143>
> Attributes:
> User-Name = *"CONS2.IX1> ### Login failed"*
> User-Password = "UP<214><250><11><158>%<245><251>jJ<195>M<145>c<2>"
> NAS-IP-Address = X.X.X.X
>
> Wed Jun 2 01:40:19 2010: DEBUG: Handling request with Handler ''
> Wed Jun 2 01:40:19 2010: DEBUG: Deleting session for CONS2.IX1> ### Login failed, X.X.X.X,
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthSQL:
> Wed Jun 2 01:40:19 2010: DEBUG: Query is: 'SELECT password, is_staff, is_staff FROM auth_user WHERE username='CONS2.IX1> ### Login failed' AND is_active IS TRUE':
> Wed Jun 2 01:40:19 2010: DEBUG: *Radius::AuthSQL looks for match with CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthSQL REJECT: No such user: CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun 2 01:40:19 2010: DEBUG: AuthBy SQL result: REJECT, No such user*
> Wed Jun 2 01:40:19 2010: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthFILE looks for match with CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun 2 01:40:19 2010: DEBUG: Radius::AuthFILE REJECT: No such user: CONS2.IX1> ### Login failed [CONS2.IX1> ### Login failed]
> Wed Jun 2 01:40:19 2010: DEBUG: AuthBy FILE result: REJECT, No such user
> Wed Jun 2 01:40:19 2010: INFO: Access rejected for CONS2.IX1> ### Login failed: No such user
> Wed Jun 2 01:40:19 2010: DEBUG: Packet dump:
>
>
> Where:
>
> - X.X.X.X is the source IP address of my core equipment used to
> reach the internal RADIUS servers
>
> - CONS1.IX1 and CONS2.IX1 are my console routers' names.
>
>
> The consoles keep on flooding the RADIUS servers with such requests
> continuously. For your information, we have been using these console
> routers for years now, but they were connected directly to the
> backbone until tonight.
>
> Here is the output of a sh version of the consoles:
>
> CONS1.IX1#sh version
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2007 by cisco Systems, Inc.
> Compiled Wed 11-Jul-07 20:22 by pwade
> Image text-base: 0x8000808C, data-base: 0x812948AC
>
> ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
> CONS1.IX1 uptime is 1 hour, 51 minutes
> System returned to ROM by reload
> System image file is "flash:c2600-ik9s-mz.122-46a.bin"
>
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to
> export at cisco.com.
>
> cisco 2621 (MPC860) processor (revision 0x102) with 60416K/5120K bytes of memory.
> Processor board ID JAD04290CT0 (2953820044)
> M860 processor: part number 0, mask 49
> Bridging software.
> X.25 software, Version 3.0.0.
> 2 FastEthernet/IEEE 802.3 interface(s)
> 32 terminal line(s)
> 32K bytes of non-volatile configuration memory.
> 16384K bytes of processor board System flash (Read/Write)
>
> Configuration register is 0x2102
>
>
> Here is my configuration template:
>
>
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname CONS3.IX1
> !
> aaa new-model
> aaa authentication login default local enable
> aaa authorization exec default local
> enable secret 5 $1$B6xi$Wvur3lYfDVqH8Ztaq9dg51
> !
> username XXXX privilege 15 password 7 120E041C131F09142F29252A3C202C
> ip subnet-zero
> ip cef
> !
> !
> no ip domain-lookup
> ip domain-name XXXXX
> ip host LOCALHOST 192.168.0.1
> ip name-server XXX.XXX.XXX.XXX
> ip name-server XXX.XXX.XXX.XXX
> !
> ip ssh time-out 60
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
> description Link to Freebox
> ip address 192.168.0.1 255.255.255.0
> duplex auto
> speed auto
> no shut
> !
> interface FastEthernet0/1
> no ip address
> shutdown
> duplex auto
> speed auto
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.0.254
> no ip http server
> !
> !
> menu login text 1 se connecter sur BB1.IX1-SUP1
> menu login command 1 telnet LOCALHOST 2033
> menu login text 2 se connecter sur BB1.IX1-SUP2
> menu login command 2 telnet LOCALHOST 2034
> menu login text 3 se connecter sur LNS1.IX1
> menu login command 3 telnet LOCALHOST 2035
> menu login text 4 se connecter sur LNS2.IX1
> menu login command 4 telnet LOCALHOST 2036
> menu login text 5 se connecter sur FW1.IX1
> menu login command 5 telnet LOCALHOST 2037
> menu login text 6 se connecter sur FW2.IX1
> menu login command 6 telnet LOCALHOST 2038
> menu login text 7 se connecter sur FW3.IX1
> menu login command 7 telnet LOCALHOST 2039
> menu login text 8 se connecter sur LNS7.IX1
> menu login command 8 telnet LOCALHOST 2040
> menu login text 0 sortir du menu
> menu login command 0 menu-exit
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> line 33 64
> exec-timeout 0 0
> no exec
> transport input all
> escape-character 3
> stopbits 1
> line aux 0
> line vty 0 4
> exec-timeout 30 0
> logging synchronous
> transport input ssh
> !
> ntp server XXX.XXX.XXX.XXX
> ntp server XXX.XXX.XXX.XXX
> end
>
>
> Any ideas as to what my problem might be?
>
> Thanks in advance.
>
> Best regards.
>
> Y.
>
> --
> Youssef BENGELLOUN-ZAHR ..................
> Network and Telecoms Engineer
>
>
> Technopole de l'Aube en Champagne - BP 601 - 10901 TROYES Cedex 9
> Paris office: 6, rue Charles Floquet - 92120 MONTROUGE
> Tel +33 (0) 825 000 720
> Direct line +33 (0) 1 77 35 59 14
> Mobile +33 (0) 6 22 42 63 80
> Email ybz at 720.fr
> ...................................www.720.fr
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> *********************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals &
> computer viruses.
> *********************************************************************
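The RADIUS excerpts quoted in the thread show the console routers' own CLI prompts ("CONS1.IX1>", "CONS2.IX1> ### Login failed") arriving at the server as User-Name values, once per loop iteration, and being rejected as "No such user". On the server side that pattern is easy to spot before it becomes a flood. The script below is an added example for this thread, not code from Radiator, Cisco or the poster: it parses packet dumps in the shape of the Radiator debug output quoted above, flags Access-Requests whose User-Name looks like a Cisco EXEC prompt (hostname followed by ">" or "#") or contains Radiator's <NNN> rendering of non-printable bytes, and counts repeats per source. The sample dump, its 192.0.2.x addresses, identifiers and password bytes are all constructed for the example; the prompt regex and the repeat threshold are heuristics chosen here, not part of any product.

```python
"""Flag RADIUS Access-Requests whose User-Name looks like a device CLI prompt.

Added example for the thread above (not Radiator's or Cisco's code): parses
Radiator-style packet dumps ("*** Received from ... / Code: / Attributes:")
and reports (source, User-Name) pairs that look like a console line echoing
its own prompt into an authentication request.
"""
import re
from collections import Counter

# Constructed sample in the shape of the Radiator debug output quoted above.
# Addresses, identifiers and password bytes are made up for this example.
SAMPLE_DUMP = """\
*** Received from 192.0.2.10 port 47832 ....
Code: Access-Request
Identifier: 83
Attributes:
    User-Name = "CONS1.IX1>"
    User-Password = "<161><2><22>s[jR"
    NAS-IP-Address = 192.0.2.10

*** Received from 192.0.2.10 port 52229 ....
Code: Access-Request
Identifier: 181
Attributes:
    User-Name = "CONS2.IX1> ### Login failed"
    User-Password = "UP<214><250>"
    NAS-IP-Address = 192.0.2.10

*** Received from 192.0.2.10 port 47833 ....
Code: Access-Request
Identifier: 84
Attributes:
    User-Name = "CONS1.IX1>"
    User-Password = "<5><6>"
    NAS-IP-Address = 192.0.2.10

*** Received from 192.0.2.20 port 1812 ....
Code: Access-Request
Identifier: 7
Attributes:
    User-Name = "alice"
    User-Password = "<200><201>"
    NAS-IP-Address = 192.0.2.20

*** Sending to 192.0.2.10 port 47832 ....
Code: Access-Reject
Identifier: 83
Attributes:
    Reply-Message = "Request Denied"
"""

RECV_RE = re.compile(r'^\*\*\* Received from (\S+) port (\d+)')
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')
# Heuristic: a Cisco-style prompt is a hostname followed by '>' (user EXEC)
# or '#' (privileged EXEC), optionally with trailing text such as
# "### Login failed" that the line echoed after the prompt.
PROMPT_RE = re.compile(r'^[\w.\-]+[>#](\s.*)?$')
# Radiator prints non-printable bytes as <NNN>; a real username has none.
NONPRINT_RE = re.compile(r'<\d{1,3}>')


def parse_requests(text):
    """Yield one dict (src, port, code, attrs) per '*** Received from' block."""
    rec = None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            if rec:
                yield rec
            rec = {"src": m.group(1), "port": int(m.group(2)),
                   "code": None, "attrs": {}}
            continue
        if rec is None:
            continue
        if line.startswith("*** "):          # e.g. "*** Sending to": block ends
            yield rec
            rec = None
            continue
        if line.startswith("Code:"):
            rec["code"] = line.split(":", 1)[1].strip()
            continue
        m = ATTR_RE.match(line)             # only attribute lines contain '='
        if m:
            rec["attrs"][m.group(1)] = m.group(2)
    if rec:
        yield rec


def classify_username(name):
    """Return a reason string if the User-Name looks like line noise, else None."""
    if NONPRINT_RE.search(name):
        return "non-printable bytes in User-Name"
    if PROMPT_RE.match(name):
        return "User-Name looks like a CLI prompt"
    return None


def find_prompt_floods(text, threshold=2):
    """Return sorted (src, user_name, count, reason) for suspicious names seen
    at least `threshold` times; a console loop shows up as one prompt string
    repeating from one source."""
    hits, reasons = Counter(), {}
    for rec in parse_requests(text):
        if rec["code"] != "Access-Request":
            continue
        name = rec["attrs"].get("User-Name", "")
        reason = classify_username(name)
        if reason:
            hits[(rec["src"], name)] += 1
            reasons[(rec["src"], name)] = reason
    return sorted((src, name, n, reasons[(src, name)])
                  for (src, name), n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for src, name, n, why in find_prompt_floods(SAMPLE_DUMP):
        print(f"{src}: {n}x {name!r} ({why})")
```

Run against a live Radiator trace, `find_prompt_floods` points at the NAS and the line producing the loop; the lower the threshold, the earlier a single stray prompt is reported. It is the monitoring half of the fix Ziv describes: once the core routers' console lines use a local method list instead of the RADIUS default, requests like these should stop reaching the server at all, and any that still appear mean another line is looping.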