https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126453#M1072363 <P>Sorry I translated your question google. It could be that your ISE nodes are doing NMAP Scans on the clients for profiling? Check your PSN nodes to see if profiling is enabled and whether you have NMAP Scans configured.&nbsp;<BR /><BR /></P> Tue, 28 Jul 2020 06:01:08 GMT Arne Bier 2020-07-28T06:01:08Z https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126389#M1072356 <P>Cordial saludo,&nbsp;</P><P>&nbsp;</P><P>Se ha reportado desde la administración de firewall que hay solicitudes SSH de un nodo ISE a diferentes usuarios de la red (diferentes usurarios en diferentes subredes- este trafico por política es denegado), Hay alguna característica que pueda generar este comportamiento.&nbsp;</P> Tue, 28 Jul 2020 00:41:24 GMT https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126389#M1072356 alejandro.aguilar 2020-07-28T00:41:24Z https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126453#M1072363 <P>Sorry I translated your question google. It could be that your ISE nodes are doing NMAP Scans on the clients for profiling? Check your PSN nodes to see if profiling is enabled and whether you have NMAP Scans configured.&nbsp;<BR /><BR /></P> Tue, 28 Jul 2020 06:01:08 GMT https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126453#M1072363 Arne Bier 2020-07-28T06:01:08Z https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126458#M1072366 <P>ISE should not be <STRONG>initiating</STRONG> ssh requests as part of its normal operations.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_0110.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_0110.html</A></P> <P>If an administrator logs into the ISE cli they can initiate ssh manually from there.</P> <PRE>ise-latest/admin# show ver Cisco Application Deployment Engine OS Release: 3.0 ADE-OS Build Version: 3.0.7.071 ADE-OS System Architecture: x86_64 Copyright (c) 2005-2019 by Cisco Systems, Inc. All rights reserved. Hostname: ise-latest Version information of installed applications --------------------------------------------- Cisco Identity Services Engine --------------------------------------------- Version : 2.7.0.356 Build Date : Thu Nov 14 10:21:59 2019 Install Date : Wed Jul 22 14:27:59 2020 Cisco Identity Services Engine Patch --------------------------------------------- Version : 2 Install Date : Wed Jul 22 16:57:24 2020 ise-latest/admin# <STRONG><FONT color="#FF0000">ssh ? &lt;WORD&gt; IPv4/IPv6 address or hostname of a remote system (Max Size - 64)</FONT></STRONG> delete Delete the ssh fingerprint for a specific host ise-latest/admin# ssh</PRE> <P>&nbsp;EDIT: It could be part of an NMAP profiling scan as&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a> mentioned. In that case, there would be multiple destination ports as the ISE node scans the host(s) or subnet(s). You can check if it's enabled by looking at the node under Administration &gt; System&gt; Deployment and then selecting and editing the node:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISE NMAP setting.png" style="width: 949px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/80278i1AA43A691E82F4CD/image-size/large?v=v2&amp;px=999" role="button" title="ISE NMAP setting.png" alt="ISE NMAP setting.png" /></span></P> Tue, 28 Jul 2020 06:15:25 GMT https://community.cisco.com/t5/network-security/nodo-ise/m-p/4126458#M1072366 Marvin Rhoads 2020-07-28T06:15:25Z