Monday, July 1, 2013

Only one user can log into a switch via Telnet


Question:

The switch will allow only one user to connect to it at any given time. Below are the configs and outputs.

ol-dr-6509-01#show users
    Line       User       Host(s)              Idle       Location
*  1 vty 0     gkeo   idle                 00:00:00 192.168.3.130
   2 vty 1                idle                    23w6d 
   3 vty 2                idle                    37w4d 
   4 vty 3                idle                    37w4d 
   5 vty 4                idle                    never 
   6 vty 5                idle                    never 
   7 vty 6                idle                    never 
   8 vty 7                idle                    never 
   9 vty 8                idle                    never 
  10 vty 9                idle                    never 
  11 vty 10               idle                    never 
  12 vty 11               idle                    never 
  13 vty 12               idle                    never 
  14 vty 13               idle                    never 
  15 vty 14               idle                    never 
  16 vty 15               idle                    never 
  Interface      User        Mode                     Idle     Peer Address

net_mgmt>>192.168.1.2
Trying 192.168.1.2 ...
% Connection refused by remote host

-----
!
aaa new-model
!
!
aaa group server tacacs+ site-tacacs
server 192.168.3.4
server-private 192.168.3.4 key 7 xxxxxxx
ip vrf forwarding vpn_mgmt
ip tacacs source-interface Vlan23
!
aaa authentication login default group site-tacacs local
aaa authentication enable default group site-tacacs enable none
aaa authorization exec default group site-tacacs local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
line vty 0 4
session-timeout 1
exec-timeout 30 0
password 7 xxxxxxx
line vty 5 15
session-timeout 1
exec-timeout 30 0
password 7 xxxxxx

Answer:

I've found a bug (CSCeg52893) where the symptoms are "VTY or TTY sessions may hang after unsuccessful authentication attempts to an external AAA server".

Although the show line info you provided does not really match, there's some additional information in the bug that states:

Symptom: A VTY session on a 7206VXR may become hung and be unable to be cleared. The session does not drop after the exec-timeout period. Conditions: This condition is noted using IOS version 12.3(3)B1.
Workaround: The workaround is to reload the router.
Further Problem Description: The hung VTY session cannot be cleared using "clear line". It has no TCP TCB entry in "show tcp brief". The detailed TCP information from "show tcp" shows the TCP state as CLOSED.

The above seems pretty close to what you're seeing so I think this is a possibility.

It's not great that the workaround is a reload, but the bug also states:

To prevent the symptom from occurring, configure the maximum authentication attempts on the Cisco platform to be lower than the maximum authentication attempts on the external AAA server by entering the aaa authentication attempts login number-of-attempts global configuration command, in which the number-of-attempts argument is a value that is smaller than the maximum authentication attempts that are configured on the external AAA server.

If you are hitting this you can at least avoid hitting it again.

I can't get a list of all known affected versions to confirm whether 12.2(33)SXI5 is listed or not, so it's probably worth going to TAC with this so they can confirm whether you're definitely hitting this and give you confirmation of the fix.
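As an added example (not from the original answer or from Cisco), a small Python audit that turns the bug's prevention advice into a check over an IOS config: it flags a missing `aaa authentication attempts login` cap, or one that is not below the AAA server's own limit, and any VTY range whose exec-timeout is missing or disabled. The server limit (5), the switch-side cap (3) and the trimmed sample config are assumed values.

```python
import re

# Constructed sample (not a capture): the asker's AAA and VTY lines, indented as show running-config prints them.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group site-tacacs local
line vty 0 4
 session-timeout 1
 exec-timeout 30 0
line vty 5 15
 session-timeout 1
 exec-timeout 30 0
"""
# Same config plus the bug's mitigation; 3 is an assumed cap, the server limit is assumed to be 5 in the checks.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "aaa new-model\n", "aaa new-model\naaa authentication attempts login 3\n")

def parse_ios(text):
    """Split an IOS config into global commands and 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())  # indented sub-command
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit_vty_aaa(text, server_max_attempts):
    """Return findings; an empty list means the mitigation is in place."""
    global_cmds, sections = parse_ios(text)
    findings = []
    m = re.search(r"^aaa authentication attempts login (\d+)$", "\n".join(global_cmds), re.M)
    if m is None:
        findings.append("missing 'aaa authentication attempts login N'")
    elif int(m.group(1)) >= server_max_attempts:
        findings.append(f"attempts {m.group(1)} not below server limit {server_max_attempts}")
    for name, subs in sections.items():
        # exec-timeout 0 0 disables the idle timeout, so treat it as absent
        if name.startswith("line vty") and not any(
                s.startswith("exec-timeout") and s != "exec-timeout 0 0" for s in subs):
            findings.append(f"{name}: no effective exec-timeout")
    return findings
```

Run against the posted config it reports only the missing attempts cap; against FIXED_CONFIG with a server limit of 5 it returns no findings.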
