Anyone using NMAP custom ports in profiling condition?

grant.maynard
Level 4

In ISE 2.1 Patch 3 I've created an NMAP scan to include customer ports (tcp 8000, 4767 and 8194) and the NMAP Extensions dictionary is updated, but the attribute names do not appear in the profiling conditions pull-down, so I cannot create the condition.

Also, what would the value be?

For a scan on tcp 8194, the endpoint has an attribute "8194-tcp" with value "sophos", but I cannot enter "8194-tcp" as a profiling condition attribute.

I'm aware of CSCvb31331 but we do not see the same symptoms.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

Make sure you are selecting NMAPExtension...

/Craig


8 Replies

Hi Craig. Yes, we are using NMAPExtension. I can see it's ok in your screenshot - what version is that?

I was trying 2.1 Patch 3.

I tried 2.1 Patch 2 on a lab setup and it worked.

I applied Patch 3 to this and it didn't work.

So I rolled back to Patch 2 and it worked again.

It must be a problem with Patch 3.

I tried it on my ISE 2.1 Patch 3 and it worked fine, with the steps described in the bug you cited. Mine is fresh install 2.1 and has Patch 3 only.

What is the history of your ISE in terms of install, upgrade, and patching?

There are five nodes - 2 Admin/Mon and 3 PSN-only.

Originally, for all nodes, we installed 2.1, then patch 1, and patch 2.

Then, due to a disk space problem on M nodes, we rebuilt both Admin/Mon as 2.1 then went straight to patch 2.

Then all nodes had patch 3 applied.

We tried this today but there are a few oddities: we could not delete one profile condition based on a custom port, because it said it was referenced somewhere, but we could not find where.

We tried to delete the profile policy which had referenced this condition but got an error that a resource or child policy was using the associated identity group. Again, we could not find where.

We're going to reboot all nodes in a few days to see if this clears it.

If we removed Profiling Services from all PSN, would that cleanly remove the profiling config?

Removing profiling services would not help as PPAN has the master copy of the profiling policies and elements. If you really need them removed, then please engage Cisco TAC.

ISE 2.1 Patch 1 is what I used and it worked fine. Try removing the conditions referencing custom ports and then remove the nmap scan template. You should see changes to the Profile Dictionary as you make changes. When you re-add the custom ports, you should see dictionary attributes appear. This should then make them visible to profiler conditions as well.

Craig

grant.maynard
Level 4

In my testing it worked in Patch 2 but then didn't work when Patch 3 was applied, but I rolled back to 2 then re-applied 3 and it did work.

We raised a TAC case which led to bug ID CSCve51076. Hopefully it will be fixed in ISE 2.1 patch 4.