Cisco – Clear idle VTY sessions (TCP Control Blocks)
An aide-mémoire: find the idle VTY sessions with `who`, match the corresponding TCP control blocks with `show tcp brief`, then clear them by TCB address.
Cisco3750#who
    Line       User       Host(s)              Idle       Location
   1 vty 0                idle                 13w0d      l00151267.domainl.com
   2 vty 1                172.23.64.17         14w3d      172.23.64.10
   3 vty 2                idle                 15w3d      l00151267.domainl.com
   4 vty 3                idle                 13w0d      l00151267.domainl.com
   5 vty 4                idle                 14w0d      l00151267.domainl.com
   6 vty 5                idle                 13w2d      l00151267.domainl.com
   7 vty 6                idle                 9w6d       172.23.64.10
   9 vty 8                idle                 1w6d       l00151267.domainl.com
  10 vty 9                idle                 3w2d       172.23.64.110
* 11 vty 10               idle                 00:00:00   l00151267.domainl.com

  Interface    User               Mode         Idle     Peer Address

Cisco3750#
Cisco3750#sh tcp brief
TCB       Local Address            Foreign Address            (state)
061DDCA8  172.23.64.9.23           l00151267.domain.31161     ESTAB
06097744  172.23.64.9.23           l00151267.domain.20077     ESTAB
063AA230  172.23.64.9.23           l00151267.domain.52497     ESTAB
060B1F88  172.23.64.9.23           172.23.64.10.27657         ESTAB
0626B478  172.23.64.9.23           l00151267.domain.2136      ESTAB
063ECE14  172.23.64.9.23           l00151267.domain.25441     ESTAB
0626C384  3.3.3.3.23               172.23.64.110.3579         ESTAB
063E56DC  172.23.64.9.23           172.23.64.10.14851         ESTAB
063A9AD0  172.23.64.9.23           l00151267.domain.23547     ESTAB
063A81E8  172.23.64.81.51714       adc-dis.23                 ESTAB
063E4C8C  172.23.64.9.23           l00151267.domain.50301     ESTAB
Cisco3750#
Cisco3750#clear tcp tcb ?
  <0x0-0xFFFFFFFF>  TCB address
Cisco3750#clear tcp tcb 063ECE14
[confirm]
 [OK]
Cisco3750#
CSCsk239
Symptoms: A router running an IOS image may stop accepting incoming TELNET connections.
Conditions: Occurs when 20 or more VRFs are configured and they have incoming TCP connections arriving at the host for non-existing services from different VRFs.
Workaround: Use the show tcp brief all command to view TCBs whose local and foreign addresses are both "*.*". Clear those entries with clear tcp tcb <address of the TCB>.
Further Problem Description: When an incoming SYN is received for a non-existent service, for example to the BGP port with BGP not configured, TCP leaks a TCB whose laddr and faddr are both *.*. This TCB is normally reused for the next incoming connection.
However, when VRFs are configured, such a TCB can be reused only within the VRF it was created in. If several VRFs are configured on the device, one TCB per VRF is leaked, and the system allows at most 20 such "wild TCBs". Once that limit of 20 is reached, because one is leaked per distinct VRF, every further connection request is denied.
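To make the two steps above repeatable (finding long-idle VTY sessions in `who` output, and spotting the leaked "*.*" TCBs the bug note describes in `show tcp brief all` output), here is an added Python helper. It is not code from the original page or from Cisco; the sample `who` output is copied from the page, the `show tcp brief` sample uses a subset of the page's rows plus one constructed "*.*" row whose TCB address and state are assumptions, and the idle-time formats "2d03h" and "hh:mm:ss" are assumed from normal IOS output. It only renders `clear tcp tcb` commands for an operator to review; it does not talk to the device.

```python
import re

# Idle-time formats: "13w0d" (weeks/days) from the page; "2d03h" (days/hours)
# and "hh:mm:ss" are assumed from normal IOS output.
_DURATION_RE = re.compile(r"^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?$")
_TCB_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def idle_to_seconds(text):
    """Convert an IOS idle-time field to seconds."""
    if ":" in text:
        hours, minutes, seconds = (int(p) for p in text.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    match = _DURATION_RE.match(text)
    if not match or not any(match.groups()):
        raise ValueError("unrecognised idle time: %r" % text)
    weeks, days, hours = (int(g or 0) for g in match.groups())
    return weeks * 7 * 86400 + days * 86400 + hours * 3600


def parse_who(output):
    """One dict per VTY row of `who`. Columns are Line, User, Host(s), Idle,
    Location; User is often blank, so Idle and Location are read from the end
    of the row. A leading '*' marks the session issuing the command."""
    sessions = []
    for row in output.splitlines():
        tokens = row.split()
        current = bool(tokens) and tokens[0] == "*"
        if current:
            tokens = tokens[1:]
        if len(tokens) < 5 or tokens[1] != "vty":
            continue  # header, interface section, prompt
        sessions.append({"line": int(tokens[0]), "vty": int(tokens[2]),
                         "idle": idle_to_seconds(tokens[-2]),
                         "location": tokens[-1], "current": current})
    return sessions


def parse_tcp_brief(output):
    """One dict per TCB row of `show tcp brief [all]`."""
    tcbs = []
    for row in output.splitlines():
        tokens = row.split()
        if len(tokens) != 4 or not _TCB_RE.match(tokens[0]):
            continue
        tcbs.append({"tcb": tokens[0], "local": tokens[1],
                     "foreign": tokens[2], "state": tokens[3]})
    return tcbs


def stale_sessions(sessions, max_idle_seconds):
    """VTY sessions idle longer than the threshold, excluding our own."""
    return [s for s in sessions
            if not s["current"] and s["idle"] > max_idle_seconds]


def wild_tcbs(tcbs):
    """Leaked TCBs from the bug note: local and foreign address both '*.*'."""
    return [t for t in tcbs if t["local"] == "*.*" and t["foreign"] == "*.*"]


def tcbs_from_peer(tcbs, peer, state="ESTAB"):
    """TCBs whose foreign host (port suffix stripped) equals `peer`."""
    return [t for t in tcbs
            if t["state"] == state and t["foreign"].rsplit(".", 1)[0] == peer]


def clear_commands(tcbs):
    """Render one `clear tcp tcb <address>` per TCB for operator review."""
    return ["clear tcp tcb %s" % t["tcb"] for t in tcbs]


# Sample `who` output, copied from the page.
WHO_OUTPUT = """\
Line User Host(s) Idle Location
1 vty 0 idle 13w0d l00151267.domainl.com
2 vty 1 172.23.64.17 14w3d 172.23.64.10
3 vty 2 idle 15w3d l00151267.domainl.com
4 vty 3 idle 13w0d l00151267.domainl.com
5 vty 4 idle 14w0d l00151267.domainl.com
6 vty 5 idle 13w2d l00151267.domainl.com
7 vty 6 idle 9w6d 172.23.64.10
9 vty 8 idle 1w6d l00151267.domainl.com
10 vty 9 idle 3w2d 172.23.64.110
* 11 vty 10 idle 00:00:00 l00151267.domainl.com
"""

# Subset of the page's `show tcp brief` rows; the final "*.*" row is
# constructed (its TCB address and LISTEN state are assumptions).
TCP_OUTPUT = """\
TCB Local Address Foreign Address (state)
061DDCA8 172.23.64.9.23 l00151267.domain.31161 ESTAB
060B1F88 172.23.64.9.23 172.23.64.10.27657 ESTAB
0626C384 3.3.3.3.23 172.23.64.110.3579 ESTAB
063E56DC 172.23.64.9.23 172.23.64.10.14851 ESTAB
063A81E8 172.23.64.81.51714 adc-dis.23 ESTAB
06300000 *.* *.* LISTEN
"""

if __name__ == "__main__":
    for s in stale_sessions(parse_who(WHO_OUTPUT), 7 * 86400):
        print("vty %d from %s idle %d days" % (s["vty"], s["location"], s["idle"] // 86400))
    for cmd in clear_commands(wild_tcbs(parse_tcp_brief(TCP_OUTPUT))):
        print(cmd)
```

Run it against real output pasted into the two strings (or read from files); `tcbs_from_peer` narrows the ESTAB list to one management host when you need to pick which telnet TCB to clear, since `show tcp brief` gives no direct VTY-to-TCB mapping.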