05-21-2018 08:25 AM
Hi,
Working with a customer ISE deployment (version 2.2 patch 7) and we are seeing traffic between the PAN and the SAN on port TCP/9399.
The closest thing I could find the documentation was TCP/9300 for Elastic Search, but that's a bit far off from what we are seeing.
If so, we need to include it in our documentation.
If not, then I guess this is a bug?
Also, in case anyone asks, I can confirm the source port for this traffic was an ephemeral one (i.e. different from one connection to another, with a random value and above 1024).
Solved! Go to Solution.
05-22-2018 02:38 AM
Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):
The below logs are from the SAN:
logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}
In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.
It just needs to be added to the documentation.
05-21-2018 10:11 AM
I am not aware any ISE services using it.
Please use ISE admin CLI "show tech" and look for "netstat -tunap...", which will give us an idea which program name is using it. Below is a sample output:
*****************************************
Running netstat -tunap...
*****************************************
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 28529/redis-server
tcp 0 0 127.0.0.1:31755 0.0.0.0:* LISTEN 28319/timestensubd
tcp 0 0 127.0.0.1:25550 0.0.0.0:* LISTEN 28324/ttcserver
05-21-2018 10:20 AM
Thanks for the response!
I will see if I can get that information, but it seems to have coincided with the moment we were re-building the Elastic Search DB (as per the notes for CSCvh48558, in a distributed deployment with PAN and SAN).
Regards,
George
05-22-2018 02:38 AM
Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):
The below logs are from the SAN:
logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}
In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.
It just needs to be added to the documentation.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: