07-27-2020 05:41 PM
Greetings,
The firewall administration team has reported SSH requests from an ISE node to different users on the network (different users in different subnets; this traffic is denied by policy). Is there any feature that could generate this behavior?
07-27-2020 11:01 PM
Sorry, I translated your question with Google. It could be that your ISE nodes are doing NMAP Scans on the clients for profiling? Check your PSN nodes to see if profiling is enabled and whether you have NMAP Scans configured.
07-27-2020 11:07 PM - edited 07-27-2020 11:15 PM
ISE should not be initiating ssh requests as part of its normal operations.
If an administrator logs into the ISE cli they can initiate ssh manually from there.
ise-latest/admin# show ver

Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.7.071
ADE-OS System Architecture: x86_64

Copyright (c) 2005-2019 by Cisco Systems, Inc.
All rights reserved.
Hostname: ise-latest

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version : 2.7.0.356
Build Date : Thu Nov 14 10:21:59 2019
Install Date : Wed Jul 22 14:27:59 2020

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 2
Install Date : Wed Jul 22 16:57:24 2020

ise-latest/admin# ssh ?
  <WORD>  IPv4/IPv6 address or hostname of a remote system (Max Size - 64)
  delete  Delete the ssh fingerprint for a specific host
ise-latest/admin# ssh
EDIT: It could be part of an NMAP profiling scan as @Arne Bier mentioned. In that case, there would be multiple destination ports as the ISE node scans the host(s) or subnet(s). You can check if it's enabled by looking at the node under Administration > System > Deployment and then selecting and editing the node:
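One way to test the firewall's deny log against the two explanations given in this thread (an added example, not part of the original posts): group the denied connections from the ISE node by destination and count distinct destination ports. The log format, the addresses, and the three-port threshold are constructed assumptions; adapt the parser to your firewall's export.

```python
from collections import defaultdict

# Constructed sample deny log (not a real vendor format):
# timestamp  source_ip  destination_ip  destination_port  action
SAMPLE_LOG = """\
2020-07-27T17:01:02 192.0.2.10 198.51.100.20 22 deny
2020-07-27T17:01:02 192.0.2.10 198.51.100.20 135 deny
2020-07-27T17:01:03 192.0.2.10 198.51.100.20 445 deny
2020-07-27T17:01:03 192.0.2.10 198.51.100.20 161 deny
2020-07-27T17:05:40 192.0.2.10 203.0.113.7 22 deny
2020-07-27T17:09:11 192.0.2.10 203.0.113.7 22 deny
2020-07-27T17:09:30 192.0.2.99 203.0.113.7 22 deny
truncated line
"""

ISE_NODE = "192.0.2.10"  # assumed address of the ISE node


def parse(log):
    """Yield (src, dst, dport, action) tuples, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _, src, dst, dport, action = fields
        yield src, dst, int(dport), action


def classify(log, source, scan_threshold=3):
    """Label each destination that `source` was denied access to.

    multi-port: many distinct ports, the pattern a profiling scan produces
    ssh-only:   only TCP/22, the pattern a manual CLI ssh would produce
    """
    ports = defaultdict(set)
    for src, dst, dport, action in parse(log):
        if src == source and action == "deny":
            ports[dst].add(dport)
    labels = {}
    for dst, seen in ports.items():
        if len(seen) >= scan_threshold:
            labels[dst] = "multi-port"
        elif seen == {22}:
            labels[dst] = "ssh-only"
        else:
            labels[dst] = "other"
    return labels


if __name__ == "__main__":
    for dst, label in sorted(classify(SAMPLE_LOG, ISE_NODE).items()):
        print(dst, label)
```

Destinations labelled multi-port fit the profiling-scan explanation; destinations labelled ssh-only are worth correlating with ISE CLI admin logins at the same timestamps.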