
Cisco ISE 3.0 trying to connect to http://moleman.w3.org

For one day last week, my Cisco ISE Primary Admin/MNT attempted to communicate with http://moleman.w3.org and it was blocked by our Internet firewalls, as it should be.  However, this triggered security alarms in our environment.

 

The Cisco ISE 3.0 infrastructure has been up and running for over a year now and this is the first time it attempted to communicate with this unknown website.  Because I am using Smart Licensing features, the ISE node is only allowed to communicate with https://tools.cisco.com, https://tools1.cisco.com, https://tools2.cisco.com and https://tools3.cisco.com and nothing else.

 

Is this a bug or just bad coding?  Thoughts?

 

 

6 Replies

thomas
Cisco Employee

There should be no ISE software doing that.

Look in your ISE logs for that day to see which process tried to connect to that site.

The fact that it happened only for one day reinforces that it probably wasn't ISE doing it systemically but perhaps someone configuring or testing something on ISE.  The only places I can think of where ISE fetches a URL is profiling or posture updates if someone was testing those.

Are you the only ISE admin? If not, talk to your teammates and be sure they weren't playing with those features.

1- I don't use profiling or posture features in ISE.  I disabled those features last year when ISE was put into production.

2- I am the only ISE admin to this device.

 

 - Some advanced tricks as mentioned in this link (an example only): https://serverfault.com/questions/666482/how-to-find-out-pid-of-the-process-sending-packets-generating-network-traffic could reveal the process which is using the particular DNS resolution or query, the only problem being that ISE shields basic Linux administrative access. If security requirements are high, one could restore a previous application backup (e.g.) or re-image, the latter being a measure of last resort.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

hslai
Cisco Employee

I believe adamscottmaster2013 is already working with TAC.

www.w3.org also resolved to the same IP address. FYI.

@hslai:  Cisco had the same issue with ISE 1.1 back in 2013.   Since you are working for Cisco, you can easily find that ticket.

hslai
Cisco Employee

adamscottmaster2013 Please provide the defect ID if you have it and let the assigned TAC know about the earlier ticket. This is the first I heard of this issue.
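
The thread suggests finding out what on the ISE node made the request, but notes that ISE shields Linux-level access. The following is an added example, not part of the original thread and not Cisco tooling: it correlates perimeter firewall denies with DNS resolver logs to show which name the ISE node actually asked for, when, and how often, which is the evidence a TAC case needs. The log formats, IP addresses and timestamps are constructed assumptions; only the allowlist comes from the original post.

```python
import re
from collections import defaultdict

# Allowlist taken from the original post (Smart Licensing endpoints).
ALLOWED = {"tools.cisco.com", "tools1.cisco.com",
           "tools2.cisco.com", "tools3.cisco.com"}
ISE_IP = "192.0.2.10"  # assumption: address of the ISE PAN/MnT node

# Constructed sample logs; formats and addresses are hypothetical.
DNS_LOG = """\
2024-01-10T02:14:06Z client=192.0.2.10 query=moleman.w3.org answer=203.0.113.50
2024-01-10T02:14:09Z client=192.0.2.10 query=tools.cisco.com answer=198.51.100.7
2024-01-10T03:00:00Z client=192.0.2.99 query=www.w3.org answer=203.0.113.50
"""
FW_LOG = """\
2024-01-10T02:14:07Z DENY src=192.0.2.10 dst=203.0.113.50 dport=80
2024-01-10T02:14:10Z ALLOW src=192.0.2.10 dst=198.51.100.7 dport=443
2024-01-10T09:41:55Z DENY src=192.0.2.10 dst=203.0.113.50 dport=80
2024-01-10T09:50:00Z DENY src=192.0.2.99 dst=203.0.113.50 dport=80
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp [ACTION] key=value ...' into a dict."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec.update(ts=ts, action=rest.split()[0])
    return rec

def triage(fw_log, dns_log, ise_ip=ISE_IP, allowed=ALLOWED):
    """Return {dst_ip: summary} for denied ISE egress outside the allowlist."""
    # Names the ISE node itself resolved, keyed by the answer IP.
    names = defaultdict(set)
    for rec in map(parse, dns_log.splitlines()):
        if rec["client"] == ise_ip:
            names[rec["answer"]].add(rec["query"])
    report = {}
    for rec in map(parse, fw_log.splitlines()):  # assumes time-ordered input
        if rec["action"] != "DENY" or rec["src"] != ise_ip:
            continue
        queried = names.get(rec["dst"], set())
        if queried and queried <= allowed:
            continue  # destination is a permitted licensing host
        s = report.setdefault(rec["dst"], {
            "names": sorted(queried), "ports": set(),
            "first": rec["ts"], "last": rec["ts"], "count": 0})
        s["ports"].add(rec["dport"])
        s["last"] = rec["ts"]
        s["count"] += 1
    return report
```

An empty `names` list for a denied destination means the node connected by IP or resolved the name through a resolver you are not logging, which is itself worth reporting.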