topic Re: TCP port not passing in Switching

TCP port not passing

dimkat2903 — Wed, 02 Nov 2022 19:37:57 GMT

Greetings,

I am facing an issue. I have two windows servers where they can ping each other. Both of them are connected on the same switch (3850) and are assigned on the same VLAN. However, when I’m doing a test net connection from server 1 to server 2 on TCP port 135 then the TCP net connection fails. Firewall on both servers is disabled and the strange thing is that when I connect both servers back to back through Ethernet then the test net connection succeeds and TCP port 135 passes. Also, RPC service is enabled on both servers. I tried to configure an extended ACL to allow TCP from any to any and I applied it on the outbound direction to the interface that server 1 is connected so that to allow TCP 135 going to Server 2 but still same issue.

what could be the root cause please? Thank you

Re: TCP port not passing

balaji.bandi — Wed, 02 Nov 2022 20:44:55 GMT

what is the version of code running Cat 3850, and can you post the config of the switch (show run)

Re: TCP port not passing

dimkat2903 — Thu, 03 Nov 2022 11:41:38 GMT

The firmware version is 16.12.05b

Re: TCP port not passing

balaji.bandi — Thu, 03 Nov 2022 12:24:35 GMT

show run ( will help to look what wrong)

if this layer 2 or Layer3, then run some debug ?

Re: TCP port not passing

dimkat2903 — Sat, 05 Nov 2022 07:15:12 GMT

here is the switch configuration. the switch is a L3. can you suggest me some good debug commands for troubleshooting? is it something related to the global ACLs? As i said, i tried to set an extended ACL to allow TCP port 135 from Server 1 to Server 2 and i applied the ACL on the outbound direction to the switch port where Server 1 is currently connected but still same issue. Any thoughts please? Need to provide a solution asap so your support is highly appreciated!

Re: TCP port not passing

MHM Cisco World — Sat, 05 Nov 2022 09:49:52 GMT

I see ACL and permit many TCP port,
so first do traceroute from one server to other
and see hop it pass,
then check ACL under each hop (path between Server)
then do show ip access list, check hit count where it increase when you connect using TCP port.

Re: TCP port not passing

dimkat2903 — Sun, 06 Nov 2022 06:54:10 GMT

Actually both servers are connected on the same switch so no hops are in between them.

Which ACL is affecting port 135 not to pass?

Re: TCP port not passing

balaji.bandi — Sun, 06 Nov 2022 10:19:56 GMT

You have provided the config, you are not given input where the Servers connected what port and what VLAN

1. on the Switch Server 1 connected to what port ?

2. on the Switch Server 2 connected to what port ?

3. what VLAN you think they are suppose to be ?

4. what is the Server 1 IP address

5. what is the Server 2 IP address?

6. can you post from Servers ipconfig /all

7. Can you confirm From Server 1 to Server 2 that you can ping? and vice versa?

8. post-show IP arp from switch

Re: TCP port not passing

MHM Cisco World — Sun, 06 Nov 2022 10:53:58 GMT

ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
!
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
!
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
!
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
!
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data

these ACL apply where ? does it apply yo CoPP of SW or apply to VLAN ? which VLAN these ACL apply to is it same as Server or not ?

Re: TCP port not passing

dimkat2903 — Sun, 06 Nov 2022 17:09:05 GMT

All above ACLs are some default ones and were not created by me and are not applied to any switch port. The switch ports both servers are connected to, don’t have any ACLs applied.

Re: TCP port not passing

Georg Pauwen — Sun, 06 Nov 2022 19:04:44 GMT

Hello,

since both of your servers are in the same Vlan, no layer 3 ACLs would apply, in theory. Looking at your configuration, is there a specific reason why 'ip host-routing' is enabled ? I have never seen this on a straight layer 3 switch. Try to disable that, and simply enable 'ip routing' instead...

Re: TCP port not passing

MHM Cisco World — Sun, 06 Nov 2022 20:33:59 GMT

do you config any CallManager, CallManager ca use TCP port 135
may this the issue because there is conflict between two service.
https://www.voipinfo.net/docs/cisco/43881-ccm-tcp-udp-ports.pdf

waiting your reply