04-07-2021 03:24 PM - edited 04-07-2021 03:25 PM
I added a syslog server to DNAC (under external services -> destinations). The DNAC UI provides the ability to test the server. The test would fail and it would mention that the connection was either refused or unreachable by the host. Upon performing a packet capture, I noticed that the DNAC enterprise port tries to reach the syslog server via port 7, which is TCP/UDP echo. This of course is blocked on the syslog server side. I wonder why this is being used to validate the connection? Is that what DNAC uses to also validate other connections like the enterprise port and management port when they are initially provisioned?
04-09-2021 04:11 PM
According to the documentation the enterprise port gets validated by using ICMP.
But apparently the syslog validation uses the ECHO protocol instead.
Test against a server that does not exist:
tcpdump -r syslogdump.pcap -n -vv -X
reading from file syslogdump.pcap, link-type EN10MB (Ethernet)
23:00:00.549886 IP (tos 0x0, ttl 63, id 52530, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.8.11.6171 > 10.254.0.80.7: Flags [S], cksum 0x1d91 (incorrect -> 0x766c), seq 187425310, win 65280, options [mss 1360,sackOK,TS val 438015501 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c cd32 4000 3f06 5127 0a0a 080b  E..<.2@.?.Q'....
        0x0010:  0afe 0050 181b 0007 0b2b e21e 0000 0000  ...P.....+......
        0x0020:  a002 ff00 1d91 0000 0204 0550 0402 080a  ...........P....
        0x0030:  1a1b 960d 0000 0000 0103 0307            ............
23:00:01.568200 IP (tos 0x0, ttl 63, id 52531, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.8.11.6171 > 10.254.0.80.7: Flags [S], cksum 0x1d91 (incorrect -> 0x7271), seq 187425310, win 65280, options [mss 1360,sackOK,TS val 438016520 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c cd33 4000 3f06 5126 0a0a 080b  E..<.3@.?.Q&....
        0x0010:  0afe 0050 181b 0007 0b2b e21e 0000 0000  ...P.....+......
        0x0020:  a002 ff00 1d91 0000 0204 0550 0402 080a  ...........P....
        0x0030:  1a1b 9a08 0000 0000 0103 0307            ............
23:00:03.584176 IP (tos 0x0, ttl 63, id 52532, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.8.11.6171 > 10.254.0.80.7: Flags [S], cksum 0x1d91 (incorrect -> 0x6a91), seq 187425310, win 65280, options [mss 1360,sackOK,TS val 438018536 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c cd34 4000 3f06 5125 0a0a 080b  E..<.4@.?.Q%....
        0x0010:  0afe 0050 181b 0007 0b2b e21e 0000 0000  ...P.....+......
        0x0020:  a002 ff00 1d91 0000 0204 0550 0402 080a  ...........P....
        0x0030:  1a1b a1e8 0000 0000 0103 0307            ............
Test against a server that exists but without SYSLOG installed (the test succeeds from DNAC):
tcpdump -r syslogdump2.pcap -n not port 22
reading from file syslogdump2.pcap, link-type EN10MB (Ethernet)
23:03:44.435991 IP 10.10.8.11.25705 > 10.254.0.18.7: Flags [S], seq 1739346417, win 65280, options [mss 1360,sackOK,TS val 2452667837 ecr 0,nop,wscale 7], length 0
23:03:44.469007 IP 10.254.0.18.7 > 10.10.8.11.25705: Flags [R.], seq 0, ack 1739346418, win 0, length 0
23:03:44.474508 IP 10.10.8.11.15245 > 10.254.0.18.514: [|syslog]
23:03:44.534451 IP 10.254.0.18 > 10.10.8.11: ICMP 10.254.0.18 udp port 514 unreachable, length 83
23:03:48.440573 IP 10.10.8.11.12832 > 10.254.0.18.7: Flags [S], seq 3713158389, win 65280, options [mss 1360,sackOK,TS val 2452671841 ecr 0,nop,wscale 7], length 0
23:03:48.489483 IP 10.254.0.18.7 > 10.10.8.11.12832: Flags [R.], seq 0, ack 3713158390, win 0, length 0
23:03:48.489698 IP 10.10.8.11.26730 > 10.254.0.18.514: [|syslog]
23:03:48.549490 IP 10.254.0.18 > 10.10.8.11: ICMP 10.254.0.18 udp port 514 unreachable, length 83
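As an added illustration (not part of the thread and not DNAC code), the following Python reads tcpdump -n lines of the shape quoted in the reply and reports what the destination test actually proved: whether the SYN to TCP/7 drew a RST (host alive, echo port closed) and whether the UDP/514 datagram drew an ICMP port unreachable (no syslog listener). The sample captures are constructed to mirror the two cases above.

```python
import re

# Constructed sample captures in the shape of the tcpdump -n lines quoted in the reply.
REACHABLE_NO_SYSLOG = """\
23:03:44.435991 IP 10.10.8.11.25705 > 10.254.0.18.7: Flags [S], seq 1739346417, win 65280, length 0
23:03:44.469007 IP 10.254.0.18.7 > 10.10.8.11.25705: Flags [R.], seq 0, ack 1739346418, win 0, length 0
23:03:44.474508 IP 10.10.8.11.15245 > 10.254.0.18.514: [|syslog]
23:03:44.534451 IP 10.254.0.18 > 10.10.8.11: ICMP 10.254.0.18 udp port 514 unreachable, length 83
"""
HOST_DOWN = """\
23:00:00.549886 IP 10.10.8.11.6171 > 10.254.0.80.7: Flags [S], seq 187425310, win 65280, length 0
23:00:01.568200 IP 10.10.8.11.6171 > 10.254.0.80.7: Flags [S], seq 187425310, win 65280, length 0
"""

ADDR_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)")
FLAGS_RE = re.compile(r"Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"ICMP \S+ udp port (\d+) unreachable")

def analyse(capture, probe_port=7, syslog_port=514):
    """Report what a DNAC-style destination test proved, from tcpdump -n text."""
    syns, rsts = set(), set()            # (dnac_ip, dnac_port, server_ip) tuples
    syslog_sent = syslog_closed = False
    for line in capture.splitlines():
        icmp = ICMP_RE.search(line)
        if icmp:                         # server reports nothing listening on UDP/514
            syslog_closed |= int(icmp.group(1)) == syslog_port
            continue
        m = ADDR_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        flags = FLAGS_RE.search(rest)
        if int(dport) == probe_port and flags and flags.group(1) == "S":
            syns.add((src, sport, dst))      # DNAC probing TCP/7 (echo)
        elif int(sport) == probe_port and flags and "R" in flags.group(1):
            rsts.add((dst, dport, src))      # RST: port closed, but the host is alive
        elif int(dport) == syslog_port:
            syslog_sent = True               # the real syslog datagram
    host_alive = bool(syns & rsts)
    if not syns:
        verdict = "no TCP/%d probe in capture" % probe_port
    elif not host_alive:
        verdict = "host unreachable: SYN to TCP/%d never answered" % probe_port
    elif syslog_closed:
        verdict = "host alive (RST on TCP/%d) but UDP/%d closed: test passes, logs dropped" % (probe_port, syslog_port)
    else:
        verdict = "host alive (RST on TCP/%d)" % probe_port
    return {"host_alive": host_alive, "syslog_sent": syslog_sent,
            "syslog_closed": syslog_closed, "verdict": verdict}
```

Run `analyse(REACHABLE_NO_SYSLOG)` against the second capture to see why the UI reports success even though every syslog datagram is bounced; a passing test therefore only shows the host is up, not that a collector is listening.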