
Cisco – Clear idle VTY sessions (TCP Control Blocks)

September 27th, 2012

An aide-mémoire:

Cisco3750#who
Line       User       Host(s)              Idle       Location
1 vty 0                idle                    13w0d l00151267.domainl.com
2 vty 1                172.23.64.17                                14w3d 172.23.64.10
3 vty 2                idle                    15w3d l00151267.domainl.com
4 vty 3                idle                    13w0d l00151267.domainl.com
5 vty 4                idle                    14w0d l00151267.domainl.com
6 vty 5                idle                    13w2d l00151267.domainl.com
7 vty 6                idle                     9w6d 172.23.64.10
9 vty 8                idle                     1w6d l00151267.domainl.com
10 vty 9                idle                     3w2d 172.23.64.110
* 11 vty 10               idle                 00:00:00 l00151267.domainl.com

Interface      User        Mode                     Idle     Peer Address

Cisco3750#
Cisco3750#sh tcp brief
TCB       Local Address           Foreign Address        (state)
061DDCA8  172.23.64.9.23          l00151267.domain.31161 ESTAB
06097744  172.23.64.9.23          l00151267.domain.20077 ESTAB
063AA230  172.23.64.9.23          l00151267.domain.52497 ESTAB
060B1F88  172.23.64.9.23          172.23.64.10.27657     ESTAB
0626B478  172.23.64.9.23          l00151267.domain.2136  ESTAB
063ECE14  172.23.64.9.23          l00151267.domain.25441 ESTAB
0626C384  3.3.3.3.23              172.23.64.110.3579     ESTAB
063E56DC  172.23.64.9.23          172.23.64.10.14851     ESTAB
063A9AD0  172.23.64.9.23          l00151267.domain.23547 ESTAB
063A81E8  172.23.64.81.51714      adc-dis.23             ESTAB
063E4C8C  172.23.64.9.23          l00151267.domain.50301 ESTAB
Cisco3750#

Cisco3750#clear tcp tcb ?
<0x0-0xFFFFFFFF>  TCB address

Cisco3750#clear tcp tcb 063ECE14
[confirm]
[OK]
Cisco3750#

Related Cisco bug: CSCsk239

Symptoms: A router running an IOS image may stop accepting incoming TELNET connections.

Conditions: Occurs when 20 or more VRFs are configured and they have incoming TCP connections arriving at the host for non-existing services from different VRFs.

Workaround: Use the show tcp brief all command to view TCBs that have local and foreign addresses of “*.*”. Clear those entries using the command clear tcp tcb <address of the TCB>.

Further Problem Description: When an incoming SYN is received for a non-existing service, for example to the BGP port with BGP not configured, TCP leaks a TCB that has laddr and faddr as *.*. This TCB is usually reused for the next incoming connection.

However, when VRFs are configured, such a TCB can be reused only for that VRF. If there are several VRFs configured in the box, one TCB per VRF will be leaked, and there is a limit of 20 such “wild TCBs” in the system. So, once we reach the limit of 20, because we leak one per distinct VRF, any connection request coming in will be denied.
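A parser for the two listings above, added here as an example and not code from the original post or from Cisco: it picks out the leaked “*.*” / “*.*” TCBs that the CSCsk239 workaround says to clear (a normal listener, which has “*.<port>” as its local address, is deliberately left alone) and converts the Idle column of show users into seconds so that long-idle VTY lines can be listed. The sample output is constructed and modelled on the page's listings.

```python
import re

# Constructed samples modelled on the page's listings: "show tcp brief all" with one
# legitimate listener (*.179) and two leaked "*.* / *.*" TCBs of the kind CSCsk239
# describes, and "show users" (who) output whose User column is blank, as on the page.
SHOW_TCP_BRIEF_ALL = """\
TCB       Local Address           Foreign Address        (state)
061DDCA8  172.23.64.9.23          l00151267.domain.31161 ESTAB
060B1F88  172.23.64.9.23          172.23.64.10.27657     ESTAB
0600C9F0  *.179                   *.*                    LISTEN
0600A1C0  *.*                     *.*                    LISTEN
0600B2D4  *.*                     *.*                    LISTEN
"""
SHOW_USERS = """\
   Line       User       Host(s)              Idle       Location
   1 vty 0               idle                    13w0d l00151267.domainl.com
   2 vty 1               172.23.64.17            14w3d 172.23.64.10
*  3 vty 2               idle                 00:00:00 l00151267.domainl.com
"""
TCB_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)$")
IDLE_WDH = re.compile(r"^(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?$")

def parse_tcp_brief(text):
    """Return (tcb, local, foreign, state) tuples; header and prompt lines are skipped."""
    matches = (TCB_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def wild_tcbs(entries):
    """TCB addresses whose local AND foreign address are '*.*' (the CSCsk239 leak).
    A real listener has '*.<port>' as its local address, so it is not matched."""
    return [tcb for tcb, local, foreign, _ in entries if local == foreign == "*.*"]

def idle_seconds(idle):
    """Convert an IOS Idle field ('00:05:12', '1d02h', '13w0d') to seconds."""
    if ":" in idle:
        h, m, s = map(int, idle.split(":"))
        return h * 3600 + m * 60 + s
    m = IDLE_WDH.match(idle)
    if not idle or not m:
        raise ValueError(f"unrecognised idle time: {idle!r}")
    w, d, h = (int(x or 0) for x in m.groups())
    return ((w * 7 + d) * 24 + h) * 3600

def stale_vty_lines(text, min_idle_seconds):
    """(vty number, idle, location) for every VTY idle at least min_idle_seconds.
    Idle and Location are always the last two tokens, so a blank User column cannot shift them."""
    stale = []
    for line in text.splitlines():
        toks = line.replace("*", " ").split()   # '*' marks the session running the command
        if len(toks) >= 5 and toks[1] == "vty" and idle_seconds(toks[-2]) >= min_idle_seconds:
            stale.append((int(toks[2]), toks[-2], toks[-1]))
    return stale
```

Each address returned by wild_tcbs is what goes into clear tcp tcb <address>; the stale VTY list is for deciding which sessions are worth tracing back to their TCB before clearing.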
