09-08-2021 03:06 PM - edited 09-13-2021 10:51 AM
Hello.
Any ideas anyone?
The VTY ACL is severely restrictive on this closed private IP network and set to log every connection.
The SSH session initiated from my machine to the sw mgmt IP creates a successful connection. However, the sample log below is seen:
Time Stamp: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp "my machine ip(port#)" -> 31.169.###.0(22), 1 packet
Time Stamp: SSH-5-SSH2_SESSION: SSH2 Session request from "my machine ip" (tty = # ) using crypto.... Succeeded
31.169.###.0 is only seen on the sw model C9500-40X. Note that the switch mgmt IP and my machine IP are all in private subnets. 31.169.###.0 appears as the first line when a new SSH session is started. The network has no connection to any other networks or the internet.
I have already spent hours researching anything related to Cisco, VTY, ACL, Log, and that 31. IP, and found nothing so far.
Appreciate any thoughts.
Thanks
09-09-2021 03:15 AM
This is from your device trying to connect to a remote IP. Check: is there any EEM script running?
You can make an ACL from your IP to the destination IP, deny that specific IP, and observe the logs.
Cisco Smart Licensing uses port 443 as far as I know; since this is port 22, I'm not sure. Are there any containers running inside the Cat 9500?
09-09-2021 10:12 AM
Thank you, BB, for taking the time to write back and guidance.
Yep, no EEM. This C9500 is only acting as an L2 switch and only has the MGMT IP on it. All unnecessary services disabled.
I will continue to research/test containers/scenarios etc and open TAC case as needed.
Much appreciated.
09-09-2021 10:26 AM
09-09-2021 02:53 PM
Thank you, BB.
Yes, I got to that also. That was when I decided to ask the community.
09-09-2021 03:58 PM
Fun stuff - another day that makes the life of Network people exciting.
After a reload of the C9500 L2 switch, the "31" IP is gone and a "156.31.xxx.0" has taken its place in the VTY initial connection logs.
09-10-2021 01:37 AM
Sharing analytics data with Cisco perhaps (via the third-party intermediary addresses)? Is it smart licensed?
09-10-2021 10:52 AM
Thanks for writing back. It was when it was bought, but all call-home and similar services are disabled.
Nothing is connected to this switch at this time.
To me, what this appears to be is the initial handshake when the SSH session is started to the switch mgmt IP. Usually, on other switches, that initial handshake shows up as the quad-zero:
Time Stamp: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp "my machine ip(port#)" -> 0.0.0.0(22), 1 packet
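As an added example (not from the thread or from Cisco), a defender-side check over constructed IOS log lines of the shape quoted above: it parses %SEC-6-IPACCESSLOGP hits and flags permitted SSH entries whose destination is neither the switch's management IP, the 0.0.0.0 entry described as normal, nor inside the closed network's subnets. The addresses, subnets and sample lines are assumptions, with a TEST-NET-3 address standing in for the redacted 31.169.###.0.

```python
import ipaddress
import re
# Shape of the IOS ACL hit quoted in the thread, e.g.
#   %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp 10.20.30.40(51234) -> 0.0.0.0(22), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>.+?) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Fields of one IPACCESSLOGP line as a dict (ports as int), or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def classify_vty_hit(fields, mgmt_ip, site_nets, expected_dsts=("0.0.0.0",)):
    """Label a permitted tcp/22 hit by destination: "mgmt" (the switch's own mgmt IP), "expected"
    (the 0.0.0.0 first-line entry the thread calls normal), "on-site" (another address in the
    closed network's subnets) or "off-site" (the thread's 31.x / 156.x case); None otherwise."""
    if fields["action"] != "permitted" or fields["proto"] != "tcp" or fields["dport"] != 22:
        return None
    dst = ipaddress.ip_address(fields["dst"])
    if dst == ipaddress.ip_address(mgmt_ip):
        return "mgmt"
    if fields["dst"] in expected_dsts:
        return "expected"
    if any(dst in ipaddress.ip_network(net) for net in site_nets):
        return "on-site"
    return "off-site"

def find_odd_vty_destinations(lines, mgmt_ip, site_nets):
    """(destination, label) for each permitted SSH hit aimed at neither the mgmt IP nor 0.0.0.0."""
    findings = []
    for line in lines:
        fields = parse_acl_log(line)
        label = classify_vty_hit(fields, mgmt_ip, site_nets) if fields else None
        if label in ("on-site", "off-site"):
            findings.append((fields["dst"], label))
    return findings

# Constructed sample lines; addresses are placeholders, not the thread's redacted values:
# 10.10.10.5 = switch mgmt IP, 10.20.30.40 = admin workstation, 203.0.113.0 = stand-in for "31.169.###.0".
SAMPLE_LINES = [
    "Sep  8 15:06:01: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp 10.20.30.40(51234) -> 203.0.113.0(22), 1 packet",
    "Sep  8 15:06:01: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp 10.20.30.40(51234) -> 10.10.10.5(22), 1 packet",
    "Sep  8 15:07:11: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp 10.20.30.40(51240) -> 0.0.0.0(22), 1 packet",
    "Sep  8 15:08:00: %SEC-6-IPACCESSLOGP: list VTY ACL denied tcp 10.99.0.7(40000) -> 10.10.10.5(22), 3 packets",
]
```

Running `find_odd_vty_destinations(SAMPLE_LINES, "10.10.10.5", ["10.0.0.0/8"])` on these lines reports only the 203.0.113.0 hit as off-site; feed it `show logging` output and the real mgmt IP and site subnets to see whether such a destination recurs.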
09-10-2021 02:16 AM
I would visit the config, or post the config here.
09-10-2021 10:54 AM
Config was revisited. Nothing in there unusual. Very basic. L2 switch config.
09-10-2021 12:21 PM
If it is a basic config, can you post the config here? show run all output
09-10-2021 02:11 PM
Best to work with TAC. Thanks for all your guidance.