Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
815
Views
3
Helpful
5
Replies

ISE How to check TCP/UDP port connectivity in absence of telnet

Go to solution
jitendrac
Level 1
Level 1

‎05-21-2024 11:10 PM

Hi Community,

Since ISE does not support telnet or nc command, is there any other alternative to check if ports are open from ISE to the target server? For example, if I want to check if TCP/445 is open from ISE towards the AD server.

I found someone suggesting the use of SSH command as follows. 

ISE/admin# ssh x.x.x.x admin port 445

However, I am not sure if this is the proper way to check the open port. What if I want to check the UDP port

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to jitendrac

‎05-22-2024 05:42 PM

There is no network layer test to check for open UDP ports - you must test the UDP port with the application that requires it (e.g. DNS, NTP, RADIUS). But with TCP it's easy to test with the telnet command, as you mentioned. I also don't comprehend why anyone would remove the telnet command and not give us a decent replacement to test for TCP ports.  I have one little hack that works. I use the SSH command on the ISE CLI - e.g. to test whether you can get a TCP SYN/ACK from 10.10.10.10 on port 49

ssh 10.10.10.10 dummy port 49

In the working scenario, you get a prompt back from ISE

kex_exchange_identification: read: Connection reset by peer

In the case where there is no TCP SYN/ACK, you'll see a message 

ssh: connect to host 10.10.10.10 port 49: Connection timed out

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-21-2024 11:47 PM

ISE have nmap - can you use that to scan ?

nmap -sU -v x.x.x.x

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
ahollifield
VIP
VIP

‎05-22-2024 05:47 AM

What exactly are you trying to do?  Troubleshoot connectivity from ISE to AD?  I would open a TAC case, they can login with root and help to verify the connectivity from the bash CLI.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-22-2024 08:51 AM

nmap is not available to ISE admins from the cli (without TAC enabling root shell).

You can do a tcpdump while exercising AD tests from the GUI. For example:

tech dumptcp interface GigabitEthernet0 console filter "ip host <your AD sever address>"

Go to solution
jitendrac
Level 1
Level 1

‎05-22-2024 10:22 AM

As an Implementation engineer, I wanted to verify whether the required TCP and UDP ports are open from the ISE server to the AD Server.

I just wanted to know the command in ISE to check TCP and UDP connectivity from the ISE server to the any other Server. Since telnet command is removed post 2.1 it is difficult to check basic TCP and UDP connectivity between ISE servers and any other target server.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jitendrac

‎05-22-2024 05:42 PM

There is no network layer test to check for open UDP ports - you must test the UDP port with the application that requires it (e.g. DNS, NTP, RADIUS). But with TCP it's easy to test with the telnet command, as you mentioned. I also don't comprehend why anyone would remove the telnet command and not give us a decent replacement to test for TCP ports.  I have one little hack that works. I use the SSH command on the ISE CLI - e.g. to test whether you can get a TCP SYN/ACK from 10.10.10.10 on port 49

ssh 10.10.10.10 dummy port 49

In the working scenario, you get a prompt back from ISE

kex_exchange_identification: read: Connection reset by peer

In the case where there is no TCP SYN/ACK, you'll see a message 

ssh: connect to host 10.10.10.10 port 49: Connection timed out
0 Helpful
Customers Also Viewed These Support Documents