topic Re: ISE How to check TCP/UDP port connectivity in absence of telnet in Network Access Control

ISE How to check TCP/UDP port connectivity in absence of telnet

jitendrac — Wed, 22 May 2024 06:10:27 GMT

Hi Community,

Since ISE does not support telnet or nc command, is there any other alternative to check if ports are open from ISE to the target server? For example, if I want to check if TCP/445 is open from ISE towards the AD server.

I found someone suggesting the use of SSH command as follows.

ISE/admin# ssh x.x.x.x admin port 445

However, I am not sure if this is the proper way to check the open port. What if I want to check the UDP port

Re: ISE How to check TCP/UDP port connectivity in absence of telnet

balaji.bandi — Wed, 22 May 2024 06:47:19 GMT

ISE have nmap - can you use that to scan ?

nmap -sU -v x.x.x.x

Re: ISE How to check TCP/UDP port connectivity in absence of telnet

ahollifield — Wed, 22 May 2024 12:47:36 GMT

What exactly are you trying to do? Troubleshoot connectivity from ISE to AD? I would open a TAC case, they can login with root and help to verify the connectivity from the bash CLI.

Re: ISE How to check TCP/UDP port connectivity in absence of telnet

Marvin Rhoads — Wed, 22 May 2024 15:51:39 GMT

nmap is not available to ISE admins from the cli (without TAC enabling root shell).

You can do a tcpdump while exercising AD tests from the GUI. For example:

tech dumptcp interface GigabitEthernet0 console filter "ip host <your AD sever address>"

Re: ISE How to check TCP/UDP port connectivity in absence of telnet

jitendrac — Wed, 22 May 2024 17:22:09 GMT

As an Implementation engineer, I wanted to verify whether the required TCP and UDP ports are open from the ISE server to the AD Server.

I just wanted to know the command in ISE to check TCP and UDP connectivity from the ISE server to the any other Server. Since telnet command is removed post 2.1 it is difficult to check basic TCP and UDP connectivity between ISE servers and any other target server.

Re: ISE How to check TCP/UDP port connectivity in absence of telnet

Arne Bier — Thu, 23 May 2024 00:42:58 GMT

There is no network layer test to check for open UDP ports - you must test the UDP port with the application that requires it (e.g. DNS, NTP, RADIUS). But with TCP it's easy to test with the telnet command, as you mentioned. I also don't comprehend why anyone would remove the telnet command and not give us a decent replacement to test for TCP ports. I have one little hack that works. I use the SSH command on the ISE CLI - e.g. to test whether you can get a TCP SYN/ACK from 10.10.10.10 on port 49

ssh 10.10.10.10 dummy port 49

In the working scenario, you get a prompt back from ISE

kex_exchange_identification: read: Connection reset by peer

In the case where there is no TCP SYN/ACK, you'll see a message

ssh: connect to host 10.10.10.10 port 49: Connection timed out