cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
434
Views
3
Helpful
5
Replies

ISE How to check TCP/UDP port connectivity in absence of telnet

jitendrac
Level 1
Level 1

Hi Community,

Since ISE does not support telnet or nc command, is there any other alternative to check if ports are open from ISE to the target server? For example, if I want to check if TCP/445 is open from ISE towards the AD server.

I found someone suggesting the use of SSH command as follows. 

ISE/admin# ssh x.x.x.x admin port 445

However, I am not sure if this is the proper way to check the open port. What if I want to check the UDP port

1 Accepted Solution

Accepted Solutions

There is no network layer test to check for open UDP ports - you must test the UDP port with the application that requires it (e.g. DNS, NTP, RADIUS). But with TCP it's easy to test with the telnet command, as you mentioned. I also don't comprehend why anyone would remove the telnet command and not give us a decent replacement to test for TCP ports.  I have one little hack that works. I use the SSH command on the ISE CLI - e.g. to test whether you can get a TCP SYN/ACK from 10.10.10.10 on port 49

ssh 10.10.10.10 dummy port 49

In the working scenario, you get a prompt back from ISE

kex_exchange_identification: read: Connection reset by peer

In the case where there is no TCP SYN/ACK, you'll see a message 

ssh: connect to host 10.10.10.10 port 49: Connection timed out

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

ISE have nmap - can you use that to scan ?

nmap -sU -v x.x.x.x

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

What exactly are you trying to do?  Troubleshoot connectivity from ISE to AD?  I would open a TAC case, they can login with root and help to verify the connectivity from the bash CLI.

Marvin Rhoads
Hall of Fame
Hall of Fame

nmap is not available to ISE admins from the cli (without TAC enabling root shell).

You can do a tcpdump while exercising AD tests from the GUI. For example:

tech dumptcp interface GigabitEthernet0 console filter "ip host <your AD sever address>"

jitendrac
Level 1
Level 1

As an Implementation engineer, I wanted to verify whether the required TCP and UDP ports are open from the ISE server to the AD Server.

I just wanted to know the command in ISE to check TCP and UDP connectivity from the ISE server to the any other Server. Since telnet command is removed post 2.1 it is difficult to check basic TCP and UDP connectivity between ISE servers and any other target server.

There is no network layer test to check for open UDP ports - you must test the UDP port with the application that requires it (e.g. DNS, NTP, RADIUS). But with TCP it's easy to test with the telnet command, as you mentioned. I also don't comprehend why anyone would remove the telnet command and not give us a decent replacement to test for TCP ports.  I have one little hack that works. I use the SSH command on the ISE CLI - e.g. to test whether you can get a TCP SYN/ACK from 10.10.10.10 on port 49

ssh 10.10.10.10 dummy port 49

In the working scenario, you get a prompt back from ISE

kex_exchange_identification: read: Connection reset by peer

In the case where there is no TCP SYN/ACK, you'll see a message 

ssh: connect to host 10.10.10.10 port 49: Connection timed out