Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Disturbing http connection from ISE to an unknown Internet address

I have an ISE version Patch-5 running in standalone mode.  No one has access to the ISE appliance except myself.  The ISE has an IP address of 1982.168.1.1

today, I noticed that the ISE is attempting to make an outbound http to an unknown Internet IP address of  Fortunately, my checkpoint firewall does not allow this connection:

Number:                          99427

Date:                           17Nov2013

Time:                              23:03:11

Interface:                        eth2

Origin:                         Corp_Firewall

Type:                              Log

Action:                         Drop

Service:                          http (80)

Source Port:                    58025

Source:                           Corp_Firewall- (

Destination:           (

Protocol:                         tcp

Rule:                           100

Rule UID:                        {1234abcd-1111-xxxx-vvvv-aaaaaaaaaa}

Rule Name:                    Corp_Firewall Log Drop rule

Current Rule Number:        100-Corp_Firewall

Product:                          Security Gateway/Management

Product Family:              Network

Policy Info:                     Policy Name: Corp_Firewall

                                Created at: Sat Nov 16 01:30:50 2013

                                Installed from: corp-mgmt-

The question is why the ISE is doing this?  What is the purpose for this http connection, some kind of "back door" by Cisco?

Charlie Moreton
Cisco Employee

Liferay is an open source web portal for hosting cloud applications.  This is definitely NOT a Cisco back-door to the ISE.

About Us

Enterprise. Open Source. For Life.


Liferay, Inc. was founded in 2004 in response to growing demand for  Liferay Portal, the market's leading independent portal product that was  garnering industry acclaim and adoption across the world. Today,  Liferay, Inc. houses a professional services group that provides  training, consulting and enterprise support services to our clientele in  the Americas, EMEA, and Asia Pacific. It also houses a core development  team that steers product development.

Open Source.

Liferay Portal was, in fact, created in 2000 and boasts a rich open  source heritage that offers organizations a level of innovation and  flexibility unrivaled in the industry. Thanks to a decade of ongoing  collaboration with its active and mature open source community,  Liferay's product development is the result of direct input from users  with representation from all industries and organizational roles. It is  for this reason, that organizations turn to Liferay technology for  exceptional user experience, UI, and both technological and business  flexibility.

For Life.

Liferay, Inc. was founded for a purpose greater than revenue and profit  growth. Each quarter we donate to a number of worthy causes decided  upon by our own employees. In the past we have made financial  contributions toward AIDS relief and the Sudan refugee crisis through  well-respected organizations such as Samaritan's Purse and World Vision.  This desire to impact the world community is the heart of our company,  and ultimately the reason why we exist.

You may want to investigate the applications being used on site.

Hopefully this helps. 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

ISE is an appliance so what can I investigate?  I am at the mercy of Cisco.  why is the ISE appliance communicating with, for what purpose?

I only use the box for wired dot1x authentication and nothing else.


Please keep us informed on here.   I am not seeing this particular behavior, but I am curious as the the extent and origin of it, and I shall keep close watch on this topic.

Thank You.

Sam Hertica
Cisco Employee

Please open a TAC case for investigation.

some additional disturbing info:

for the past two months, the ISE has attempted to repeatedly making http outbound connection to which I tracked down to be that does some kind of memory management for big data platform.

There's an internal bug for Terracotta, which attempts to get updates for itself, which is unnecessary, so it was resolved in ISE 1.2. I haven't found anything on Liferay, but doing my own testing on the side.

I still strongly recommend you create a case for this as there's no documented use for for Liferay on ISE.

there is a typo on my part.

the ACS server appliance version 5.2 attempts http outbound to which is blocked by the firewall.  Why is it doing that?

ACS is expected and documented in CSCtw59701 which is fixed in 5.4. If I had to guess (and this is entirely a guess) ISE uses the same plugins from Liferay ACS did, and is trying to check for updates.

As of now I can't find any internal or external documenation or bug describing the call to Liferay with ISE, which should be customer-facing since it is clearly an anomaly that needs to be addressed.

You mentioned you made a typo. Was the typo mistaking ISE for ACS? Or something else?


ISE does not go to  Only ACS does go to

ISE does go toTerracotta.  ISE does not go to

How do I know that this is NOT NSA snooping around or some built-in backdoor by Cisco ?


ACS  and Liferay - CSCtw59701 - Fixed in 5.4

ISE and Terracotta -  CSCub24101 and CSCuh61180

These are currently internal bugs, but i'm marking them external and they should be visible within a day. Essentially we use some terracotta components that were reaching out to their site looking for updates. They're not malicious/harmful in any way, shape, or form, but you are correct in that ISE shouldn't be doing this. It is fixed in ISE 1.2.

Content for Community-Ad