Cisco - disconnect rogue telnet sessions on Cisco 2800

in #cisco, 6 years ago

Good day all

Please leave a comment below if you have any Cisco-related questions and need some clarity on how to resolve or troubleshoot certain problems, or if you would just like a tutorial on something. I will then put together a short little document on how to approach that problem, if I am able.

Today, however, I would like to share an alternative solution for disconnecting rogue telnet or SSH sessions that are filling up the VTY lines on your Cisco router and preventing you from managing the device remotely (see the example below):


epic@/var/dir~21:33:51$~~telnet 156.96.x.x
Trying 156.96.x.x...
telnet: connect to address 156.96.x.x: Connection refused

epic@/var/dir~21:33:58$~ssh 156.96.x.x
ssh: connect to host 156.96.x.x port 22: Connection refused
epic@/var/dir~21:34:00$~~


In my case it was a Cisco 2801. For some reason the normal “disconnect” command was not working, and because this is a live router, a restart was out of the question.


example#sh inv
NAME: "chassis", DESCR: "2801 chassis"
PID: CISCO2801 , VID: VXX , SN: FCZ13XXXXXXXXXX


I do have protections in place, such as the “exec-timeout” command and an inbound ACL applied under the line VTY section; however, these were not working either. This is probably an issue with the IOS or this version of router, which I will have to look into. So how could I clear the VTY lines in the meantime? (See the example below: all VTY lines, 0-4, in use for many months.)


example#sh user
Line User Host(s) Idle Location
194 vty 0 idle 20w0d 115.217.x.x
195 vty 1 idle 14w3d 201.184.x.x
196 vty 2 idle 21w3d 116.73.x.x
197 vty 3 idle 15w5d 45.248.x.x
198 vty 4 idle 19w4d 202.88.x.x
*201 vty 7 epic idle 00:00:45 156.96.x.x

Interface User Mode Idle Peer Address

example#


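The solution is to kill the TCP session itself. Issue the command “sh tcp brief” to see all the current TCP sessions on the router, then issue “clear tcp tcb” followed by the corresponding TCB number to terminate the session. The sessions to clear are the ones whose local port is 23 (telnet) or 22 (SSH) and whose foreign address matches a Location shown by “sh user”. See the example below: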


example#sh tcp brief
TCB Local Address Foreign Address (state)
65F8A64C 156.96.x.x 50962 196.33.x.x.49 ESTAB
66B2F074 156.96.x.x 23235 196.33.x.x.49 ESTAB
66AF7AA4 196.14.x.x.23 116.73.x.x.41262 ESTAB
65615004 196.14.x.x.23 115.217.x.x.47395 ESTAB
657BA40C 196.14.x.x.23 45.248.x.x.45008 ESTAB
6561DD60 156.96.x.x.59176 196.33.x.x.49 ESTAB
65DBCB58 156.96.x.x.23 156.96.x.x.43522 ESTAB
65613540 196.14.x.x.23 37.191.x.x.32944 LASTACK
657B6D38 196.26.x.x.22 193.201.x.x.42500 FINWAIT1
66B0E8C4 196.26.x.x.23 201.184.x.x.46704 ESTAB
66AFF790 196.26.x.x.23 202.88.x.x.40342 ESTAB
example#

example#clear tcp tcb 65615004
[confirm]
[OK]
example#clear tcp tcb 66B0E8C4
[confirm]
[OK]
example#clear tcp tcb 66AF7AA4
[confirm]
[OK]
example#clear tcp tcb 657BA40C
[confirm]
[OK]
example#clear tcp tcb 66AFF790
[confirm]
[OK]
example#


After the corresponding TCP sessions have been killed, you will notice the VTY lines are clear once again:


example#sh user
Line User Host(s) Idle Location
*201 vty 7 epic idle 00:00:09 15

Interface User Mode Idle Peer Address

example#
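
The matching step above (stale “sh user” lines to TCBs in “sh tcp brief”) can be scripted. This is an added example, not part of the original post: the function names, the one-hour idle threshold and the IPv4-only matching are assumptions, and the sample output is constructed.

```python
import re

# Constructed sample output (documentation-range addresses, made-up TCBs).
SHOW_USERS = """\
    Line       User       Host(s)      Idle       Location
 194 vty 0                idle         20w0d      198.51.100.7
 195 vty 1                idle         14w3d      203.0.113.40
*201 vty 7     epic       idle         00:00:45   192.0.2.10
"""
SHOW_TCP_BRIEF = """\
TCB       Local Address        Foreign Address       (state)
66AF7AA4  192.0.2.1.23         198.51.100.7.41262    ESTAB
66B0E8C4  192.0.2.1.23         203.0.113.40.46704    ESTAB
65DBCB58  192.0.2.1.23         192.0.2.10.43522      ESTAB
65F8A64C  192.0.2.1.50962      192.0.2.49.49         ESTAB
"""
UNIT = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600}
IPV4 = re.compile(r"\d+(\.\d+){3}")

def idle_seconds(text):
    """Convert an IOS idle value (00:00:45, 1d02h, 20w0d) to seconds."""
    if ":" in text:
        h, m, s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([ywdh])", text))

def stale_hosts(show_users, min_idle):
    """Source IPs of VTY lines idle >= min_idle, never the operator's own."""
    stale, own = set(), set()
    for line in show_users.splitlines():
        tok = line.replace("*", " ").split()
        if len(tok) < 5 or tok[1] != "vty" or not IPV4.fullmatch(tok[-1]):
            continue  # header, non-VTY line, or missing/truncated location
        if line.lstrip().startswith("*"):
            own.add(tok[-1])  # '*' marks the session running these commands
        elif idle_seconds(tok[-2]) >= min_idle:
            stale.add(tok[-1])
    return stale - own

def clear_commands(show_users, show_tcp_brief, min_idle=3600, ports=("22", "23")):
    """Emit 'clear tcp tcb' for stale sessions terminating on telnet/SSH."""
    hosts = stale_hosts(show_users, min_idle)
    cmds = []
    for line in show_tcp_brief.splitlines():
        f = line.split()  # TCB, local addr.port, foreign addr.port, state
        if (len(f) == 4 and f[1].rpartition(".")[2] in ports
                and f[2].rpartition(".")[0] in hosts):
            cmds.append(f"clear tcp tcb {f[0]}")
    return cmds
```

Review the generated commands before pasting them into the router; any address that also appears on the starred line is skipped so your own session is never cleared.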


Hope this will help someone with a similar issue on the 2800 series routers.

Have a great day, keep on rocking :D
