Cisco ISE 3.1 - Nodes trying to communicate on 169.254.169.254

milos_p
Level 1

Hi,

I have a two-node Cisco ISE 3.1 Patch 3 deployment.

I am seeing a lot of communication from both ISE nodes towards IP 169.254.169.254, which is eventually getting blocked on the firewall interface.

I cannot find any information relating this IP to Cisco ISE.

Is this some kind of normal inter-node communication?

Regards,

Milos


Accepted Solution

poongarg
Cisco Employee

There is a defect already filed for this issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc45154

Check the "Known Limitations for Using Cisco ISE on AWS" section of the Cisco ISE Installation Guide 3.1:

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/m_ISEaaS.html#known-limitations-for-using-cisco-ise-on-aws

"In Cisco ISE Release 3.1 Patch 3, Cisco ISE sends traffic to AWS Cloud through IP address 169.254.169.254 to obtain the instance details. This is to check if it is a cloud instance and can be ignored in on-prem deployments"

HTH

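The accepted answer says the on-prem probe can be ignored. A practitioner still wants two things from the firewall log: confirmation that the 169.254.169.254 TCP/80 denies come only from the ISE nodes, and a flag on the same flow from any other internal host, because that address is the cloud instance-metadata endpoint and a classic SSRF and credential-theft target. The following triage is an added example, not Cisco's code and not from this thread; the deny-log line layout and the IP addresses are constructed for the example.

```python
"""Triage firewall denies towards 169.254.169.254 (cloud instance-metadata address).

Added example, not Cisco's code. On-prem ISE 3.1 Patch 3+ nodes probe this
address over TCP/80 (CSCwc45154) and that flow can simply be dropped; the same
flow from any other host, or on any other port, is worth investigating.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

IMDS_ADDR = "169.254.169.254"

# Constructed sample deny log; the field layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2023-05-02T10:01:11Z fw01 DENY proto=tcp src=10.10.1.21 sport=45210 dst=169.254.169.254 dport=80
2023-05-02T10:01:11Z fw01 DENY proto=tcp src=10.10.1.22 sport=51002 dst=169.254.169.254 dport=80
2023-05-02T10:02:03Z fw01 DENY proto=tcp src=10.10.5.77 sport=39844 dst=169.254.169.254 dport=80
2023-05-02T10:02:09Z fw01 ALLOW proto=tcp src=10.10.1.21 sport=45300 dst=93.184.216.34 dport=443
2023-05-02T10:03:40Z fw01 DENY proto=udp src=10.10.1.21 sport=52000 dst=169.254.169.254 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    src: str
    verdict: str   # "expected-ise-probe" or "investigate"
    reason: str


def triage_imds_flows(log_text, ise_nodes):
    """Return one Finding per distinct (source, proto, dport) flow towards 169.254.169.254."""
    ise = {str(ip_address(a)) for a in ise_nodes}   # normalises and validates the node list
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != IMDS_ADDR:
            continue
        src, proto, dport = m["src"], m["proto"].lower(), int(m["dport"])
        key = (src, proto, dport)
        if key in seen:
            continue
        if src in ise and proto == "tcp" and dport == 80:
            seen[key] = Finding(src, "expected-ise-probe",
                                "ISE node checking for cloud instance metadata (CSCwc45154); safe to drop")
        else:
            seen[key] = Finding(src, "investigate",
                                f"unexpected {proto}/{dport} towards the instance-metadata address")
    return list(seen.values())


def summarize(findings):
    """Count findings per verdict, e.g. {'expected-ise-probe': 2, 'investigate': 2}."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    nodes = ["10.10.1.21", "10.10.1.22"]   # constructed ISE node addresses
    results = triage_imds_flows(SAMPLE_LOG, nodes)
    for f in results:
        print(f"{f.src:<14} {f.verdict:<20} {f.reason}")
    print(summarize(results))
```

The node list is the only site-specific input: anything else reaching the metadata address, including an ISE node on a port other than TCP/80, lands in the "investigate" bucket rather than being waved through by the known defect.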

11 Replies

balaji.bandi
Hall of Fame

169.254.169.254 is a link-local address. I am not aware of ISE using it, unless there is a bug around the 3.1 version.

 

BB


Hi,

It is quite frequent: every few minutes there is communication from both ISE nodes towards 169.254.169.254.

Hi,

 

I see; most probably you are right and it's related to Docker IPs.

 

Let's see if someone else has some other explanation :-).

 

Regards,

Milos

 

As Adam mentioned and linked to in Greg's post, 169.254.x.x addresses are used by the Docker containers internal to the ISE node. You'll see many in use if you run "tech netstat" on the CLI, for many of the functions we know and love: CoA, RADIUS, portals, etc.

What's odd to me is that you're saying you are seeing this traffic at a firewall; the internal Docker traffic should stay internal.

So what might be happening is that ISE is resolving something via DNS to the 169.254.169.254 address, then sending requests. I did a Google search for "169.254.169.254" because it's an odd APIPA address, and I found that AWS, Azure, GCP, and others use this specific IP for certain metadata lookups. Where are your nodes hosted?

Hi Damien,

Thanks a lot for your reply!

Yes, I am seeing this traffic on the firewall interface, which serves as the default gateway for ISE.

My nodes are deployed locally in our infrastructure on VMware.

I checked tech netstat and I can see 169.254.2.1 and 169.254.4.1, but no sign of 169.254.169.254 or any other APIPA address.

Just to point out again, the traffic log shows that the source is the real IP addresses of the ISE servers (not APIPA) and the destination is 169.254.169.254 on TCP port 80.

You know what, now that I have noticed that the communication is HTTP (TCP/80) and sourced from the ISE servers, this could be a CRL check from some certificate.

cisco.smj
Level 1

I was modifying an ACL and started seeing blocks to this address from my ISE admin node. Since this is HTTP traffic, I decided to spin up a little web server to see the payload. I have attached a snippet from Wireshark. ISE seems to be looking for the instance identity information.
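A minimal version of what cisco.smj describes, as an added example that is not part of the original post and not Cisco's code: an HTTP listener that records every request it receives (client, method, path, headers) and always answers 404, so that with 169.254.169.254 routed or NATed to a lab host you can see exactly what the node asks for without ever serving metadata back. The AWS-style paths in the helper are the documented IMDS layout (IMDSv1 under /latest/meta-data/ and /latest/dynamic/instance-identity/, IMDSv2 token via PUT /latest/api/token); that these are what ISE requests is an assumption, which is what the capture is meant to confirm.

```python
"""Capture what a host asks for when it reaches 169.254.169.254.

Added example, not Cisco's code. Run on the lab host that 169.254.169.254 is
routed to; every request is recorded and refused with 404. The IMDS paths in
looks_like_imds_probe() are the documented AWS layout; whether ISE uses them
is an assumption the captured records will confirm or refute.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(records):
    """Build a handler class that appends each request to `records`."""

    class CaptureHandler(BaseHTTPRequestHandler):
        def _record(self):
            records.append({
                "client": self.client_address[0],
                "method": self.command,
                "path": self.path,
                "headers": {k.lower(): v for k, v in self.headers.items()},
            })
            # Always refuse: never emulate real metadata, which could hand the
            # client wrong instance details or be abused if exposed beyond the lab.
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

        do_GET = do_PUT = do_POST = do_HEAD = _record

        def log_message(self, *args):   # keep stdout quiet; `records` holds the data
            pass

    return CaptureHandler


def start_capture_server(host="127.0.0.1", port=0):
    """Start a background listener; returns (server, records). port=0 picks a free port."""
    records = []
    server = HTTPServer((host, port), make_handler(records))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, records


def looks_like_imds_probe(record):
    """Heuristic: AWS IMDSv1 path prefixes or an IMDSv2 token request."""
    p = record["path"]
    if record["method"] == "PUT" and p == "/latest/api/token":
        return True
    return p.startswith("/latest/meta-data/") or p.startswith("/latest/dynamic/instance-identity/")


def probe(server, method, path, headers=None):
    """Send one request to the capture server (used for self-testing); returns the HTTP status."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    # Port 80 needs root or CAP_NET_BIND_SERVICE; bind to the lab host's address.
    srv, recs = start_capture_server("0.0.0.0", 80)
    print("listening on :80, Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        pass
    finally:
        srv.shutdown()
        for r in recs:
            tag = "IMDS-like" if looks_like_imds_probe(r) else ""
            print(r["client"], r["method"], r["path"], tag)
```

Keep the listener on an isolated lab segment: a reachable fake metadata service is itself a finding, and the point here is only to read the request, never to answer it.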

Vittoriusly
Level 1

169.254.169.254 is the IP address associated with AWS/Azure Instance metadata services when you install a VM on those environments.

RedOne
Level 1

Hello, I see the same IP (169.254.169.254) blocked in our FWs.

HTTP from the ISE nodes to 169.254.169.254.

ISE 3.1 Patch 5.

Did you get your answer?

cisco.smj
Level 1

It has to do with the instance identity information used for cloud deployments.
