VTY ACL log on Closed Private IP Network showing -> 31.169.###.0(22)

RSTP
Level 1

Hello. 

Any ideas anyone?

The VTY ACL is severely restrictive on this closed private IP network and is set to log every connection.

The SSH session initiated from my machine to the switch mgmt IP creates a successful connection. However, the sample log below is seen:

Time Stamp: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp "my machine ip(port#)" -> 31.169.###.0(22), 1 packet

Time Stamp: SSH-5-SSH2_SESSION: SSH2 Session request from "my machine ip" (tty = # ) using crypto.... Succeeded

31.169.###.0 is only seen on the switch model C9500-40X. Note that the switch mgmt IP and my machine IP are both on private subnets. 31.169.###.0 appears as the first line when a new SSH session is started. The network has no connection to any other networks or the internet.

I have already spent hours researching anything related to Cisco, VTY, ACL, log, and that 31. IP; nothing so far.

Appreciate any thoughts. 

Thanks

11 Replies

balaji.bandi
Hall of Fame

This is from your device trying to connect to a remote IP; check whether there is any EEM script running.

You can make an ACL from your IP to the destination IP, deny for that specific IP, and observe the logs.

Cisco Smart Licensing uses port 443 as far as I know; since this is port 22, I am not sure. Are there any containers running inside the Cat 9500?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you, BB, for taking the time to write back and for the guidance.

Yep, no EEM. This C9500 is only acting as an L2 switch and only has the MGMT IP on it. All unnecessary services are disabled.

I will continue to research and test containers, scenarios, etc., and open a TAC case as needed.

Much appreciated. 

Not sure if this is helpful, but worth a look:

https://scamalytics.com/ip/31.169.217.0

BB

Thank you, BB. 

Yes, I got to that also. That was when I decided to ask the community. Extremely bizarre how this 31 IP is popping up in the VTY logs of a C9500 L2 switch on a closed network, and that too only when establishing the initial SSH connection!!! I continue to research and test.

RSTP
Level 1

Fun stuff: another day that makes the life of network people exciting.

After a reload of the C9500 L2 switch, the "31" IP is gone and a "156.31.xxx.0" has taken its place in the VTY initial connection logs.

Sharing analytics data with Cisco perhaps (via the third-party intermediary addresses)? Is it smart licensed?

Thanks for writing back. It was when it was bought, but all call-home and similar services are disabled.

Nothing is connected to this switch at this time.

To me, what this appears to be is the initial handshake when the SSH session is started to the switch mgmt IP. Usually, on other switches, that initial handshake shows up as the quad-zero:

Time Stamp: %SEC-6-IPACCESSLOGP: list VTY ACL permitted tcp "my machine ip(port#)" -> 0.0.0.0(22), 1 packet
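As an added example (not code from this thread or from Cisco), a small Python script that parses %SEC-6-IPACCESSLOGP lines in the shape quoted above and flags every permitted hit on the VTY port whose destination is neither 0.0.0.0 (the placeholder the post above describes) nor inside the management subnets you expect. The log lines, the ACL name "VTY", the 10.20.30.0/24 subnet and the 203.0.113.0 stand-in for the masked address are all constructed.

```python
import ipaddress
import re

# Constructed sample lines shaped like the ones quoted in this thread (not real device output).
# 203.0.113.0 (a documentation address) stands in for the masked 31.169.###.0 / 156.31.xxx.0.
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list VTY permitted tcp 10.20.30.40(51234) -> 203.0.113.0(22), 1 packet
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list VTY permitted tcp 10.20.30.40(51234) -> 10.20.30.1(22), 1 packet
Mar  1 10:05:12: %SEC-6-IPACCESSLOGP: list VTY permitted tcp 10.20.30.40(51240) -> 0.0.0.0(22), 1 packet
Mar  1 10:07:45: %SEC-6-IPACCESSLOGP: list VTY denied tcp 10.20.30.99(40000) -> 10.20.30.1(22), 1 packet
"""

# Message body: ACL name, action, protocol, src(port) -> dst(port), packet count.
ACCESSLOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)


def parse_accesslogp(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if the line is something else."""
    m = ACCESSLOGP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def unexpected_vty_destinations(log_text, expected_subnets, vty_port=22):
    """Return (line_number, destination) for permitted VTY-port hits whose destination
    is not 0.0.0.0 and not inside any of the expected management subnets."""
    nets = [ipaddress.ip_network(n) for n in expected_subnets]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_accesslogp(line)
        if rec is None or rec["action"] != "permitted" or rec["dport"] != vty_port:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if dst.is_unspecified:  # 0.0.0.0, the placeholder described in the post above
            continue
        if not any(dst in net for net in nets):
            findings.append((lineno, rec["dst"]))
    return findings


if __name__ == "__main__":
    for lineno, dst in unexpected_vty_destinations(SAMPLE_LOG, ["10.20.30.0/24"]):
        print(f"line {lineno}: permitted VTY traffic to unexpected destination {dst}")
```

Point it at a real syslog export and your own management subnets; anything it prints is worth raising with TAC alongside the config.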

I would revisit the config, or post the config here.

BB

The config was revisited. Nothing unusual in there. Very basic L2 switch config.

If it is a basic config, can you post the config here (show run all output)?

BB
