cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

76
Views
2
Helpful
3
Replies
Cisco Employee

Traffic on port TCP/9399 between primary and secondary administrative nodes

Hi,

Working with a customer ISE deployment (version 2.2 patch 7) and we are seeing traffic between the PAN and the SAN on port TCP/9399.

  • Q1: Can someone please tell me what that port is used for?

        The closest thing I could find the documentation was TCP/9300 for Elastic Search, but that's a bit far off from what we are seeing.

  • Q2: Is the use of this port intentional?

        If so, we need to include it in our documentation.

        If not, then I guess this is a bug?

Also, in case anyone asks, I can confirm the source port for this traffic was an ephemeral one (i.e. different from one connection to another, with a random value and above 1024).

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Traffic on port TCP/9399 between primary and secondary administrative nodes

Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):

1.png

The below logs are from the SAN:

logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport                ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service          ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}

In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.

It just needs to be added to the documentation.

3 REPLIES 3
Cisco Employee

Re: Traffic on port TCP/9399 between primary and secondary administrative nodes

I am not aware any ISE services using it.

Please use ISE admin CLI "show tech" and look for "netstat -tunap...", which will give us an idea which program name is using it. Below is a sample output:

*****************************************

Running netstat -tunap...

*****************************************

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name

tcp        0      0 127.0.0.1:6379         0.0.0.0:*              LISTEN      28529/redis-server

tcp        0      0 127.0.0.1:31755        0.0.0.0:*              LISTEN      28319/timestensubd

tcp        0      0 127.0.0.1:25550        0.0.0.0:*              LISTEN      28324/ttcserver

Highlighted
Cisco Employee

Re: Traffic on port TCP/9399 between primary and secondary administrative nodes

Thanks for the response!

I will see if I can get that information, but it seems to have coincided with the moment we were re-building the Elastic Search DB (as per the notes for CSCvh48558, in a distributed deployment with PAN and SAN).

Regards,

George

Cisco Employee

Re: Traffic on port TCP/9399 between primary and secondary administrative nodes

Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):

1.png

The below logs are from the SAN:

logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport                ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service          ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}

In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.

It just needs to be added to the documentation.