
Cisco ISE 3.0 patch-3 is making outbound https to unknown sites

david.tran
Level 4

My Cisco ISE 3.0 patch 3 on SNS-3655 is making outbound https to the following sites:

 

173.37.145.8 --> tools2.cisco.com

34.216.127.109 --> ec2-34-216-127-109.us-west-2.compute.amazonaws.com.

35.83.205.101 --> ec2-35-83-205-101.us-west-2.compute.amazonaws.com.

54.148.222.24 --> ec2-54-148-222-24.us-west-2.compute.amazonaws.com.

72.163.4.38 --> tools1.cisco.com

 

According to Cisco, with Smart Licensing, it should only make outbound https connections to tools.cisco.com:

 

dig @8.8.8.8 tools.cisco.com +short
173.37.145.8

 

However, you can see it is making connections to some AWS hosts on a regular basis.

 

Any ideas?
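
An added example, not part of the original post or any Cisco tooling: one way to check firewall logs for the pattern described above, flagging outbound 443 destinations from the ISE node whose reverse-DNS name falls outside an allowed suffix list and noting which ones recur at a fixed interval. The IP-to-name pairs are the ones listed in the post; the log format, the ISE address 10.1.1.10, the timestamps, the 203.0.113.7 entry and the cisco.com-only allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Reverse-DNS names exactly as listed in the post above.
PTR = {
    "173.37.145.8": "tools2.cisco.com",
    "34.216.127.109": "ec2-34-216-127-109.us-west-2.compute.amazonaws.com.",
    "35.83.205.101": "ec2-35-83-205-101.us-west-2.compute.amazonaws.com.",
    "54.148.222.24": "ec2-54-148-222-24.us-west-2.compute.amazonaws.com.",
    "72.163.4.38": "tools1.cisco.com",
}
ALLOWED_SUFFIXES = ("cisco.com",)  # assumption: egress policy permits only these
ISE_IP = "10.1.1.10"               # constructed address for the ISE node

# Constructed sample log, hypothetical format: timestamp src dst dport
SAMPLE_LOG = """\
2021-08-02T01:00:00 10.1.1.10 173.37.145.8 443
2021-08-02T01:05:00 10.1.1.10 34.216.127.109 443
2021-08-02T01:10:00 10.1.1.10 72.163.4.38 443
2021-08-02T02:05:00 10.1.1.10 34.216.127.109 443
2021-08-02T03:05:00 10.1.1.10 34.216.127.109 443
2021-08-02T03:06:00 10.1.1.10 54.148.222.24 443
2021-08-02T03:07:00 10.1.1.20 35.83.205.101 443
2021-08-02T03:08:00 10.1.1.10 203.0.113.7 443
"""

def is_allowed(name):
    """Match on a label boundary so 'notcisco.com' does not pass as cisco.com."""
    host = name.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit(log_text, ise_ip=ISE_IP):
    """Return unexpected HTTPS destinations contacted by ise_ip, with counts."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != ise_ip or parts[3] != "443":
            continue  # malformed line, other source, or not HTTPS
        seen[parts[2]].append(datetime.fromisoformat(parts[0]))
    findings = []
    for dst, times in sorted(seen.items()):
        name = PTR.get(dst, "")  # unknown IPs have no name and are never allowed
        if is_allowed(name):
            continue
        times.sort()
        gaps = {(b - a).total_seconds() for a, b in zip(times, times[1:])}
        findings.append({"dst": dst, "ptr": name or "(no PTR)", "count": len(times),
                         "periodic": len(times) > 2 and len(gaps) == 1})
    return findings
```

Reverse DNS is set by whoever controls the address block, and the default EC2 names identify only the AWS region, not the tenant, so the `ptr` field is a triage hint rather than proof of who operates the endpoint.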

2 Accepted Solutions

4 Replies

balaji.bandi
Hall of Fame

tools.cisco.com is only for Smart Licensing. Cisco also needs some posture updates, and Cisco hosts some services with Amazon Cloud too. Maybe (I am guessing here) it is to get updates? What port, 443?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I am not running posture.  I am using Smart Licensing.  I currently have a TAC case with Cisco but the TAC engineer doesn't know either.  He is investigating but he doesn't know why the box is reaching out to the AWS Internet.  To me, that's a security red flag.   

 

@balaji.bandi:  Yes, https (443) as posted in my original thread

Are you using any of these features? Even if you're not using them there is a chance that a call out is still enabled like with automatic posture updates/downloads, and the profiler feed updates. I also see quite a few ISE deployments making calls for CRL, it's a pretty common investigation. 

 

  • Partner Mobile Management

  • Endpoint Profiler Feed Service Update

  • Endpoint Posture Update

  • Endpoint Posture Agent Resources Download

  • Certificate Revocation List (CRL) Download

  • Guest Notifications

  • SMS Message Transmission

  • Social Login

I may have missed your HTTPS information; I only thought of tools.cisco.com for HTTPS.

After investigating more, here is the IP related to Cisco:

 

https://ipduh.com/dns/?www.ciscoconnectdna.com

 

BB
