ISE 2.4 telnet not supported

nenadl (Level 1)

Hi all,

Is there any reason why I don't see telnet as an option on ISE 2.4? Do I need to enable it somewhere as a feature?

It's really annoying if you want to test some connections from ISE. I have ACS 5.8 and telnet is there.

ise02/admin# t?
tech terminal traceroute

Version:

Cisco Identity Services Engine
---------------------------------------------
Version : 2.4.0.357
Build Date : Thu Mar 22 20:01:26 2018
Install Date : Thu Dec 20 23:15:50 2018

Cisco Identity Services Engine Patch
---------------------------------------------
Version : 10
Install Date : Thu Nov 07 23:41:04 2019

Thanks,

N

2 Accepted Solutions

Arne Bier (VIP)

Hi @nenadl,
I have bemoaned the removal of this useful command some time ago. As you say, it used to exist in ACS, but I have not seen it since ISE 2.2. ACS also had a useful tcpdump command that you can add to your list of commands you'll miss in ISE, not to mention the primitive reporting capabilities in ISE (versus ACS's report generator).
Telnet is not an evil command. It's a very useful command to test the presence of TCP ports on remote hosts. Running a telnet daemon, on the other hand, is not so clever these days. I think whoever removed the telnet command didn't fully grasp the difference.
You could ask to have it included again in a future ISE release.


Telnet was removed due to a PSIRT vulnerability for command injection back in 2.1/early 2.2 (CSCve74916). Adding to the above, we can test TCP port connectivity using SSH and, based on the error, interpret whether TCP port connectivity is fine or not.

The example below shows good connectivity on the mentioned TCP port:
ISE/admin# ssh x.x.x.x admin port 443
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_exchange_identification: Connection closed by remote host

This shows port is blocked somewhere in the path:
ISE/admin# ssh x.x.x.x admin port 12002
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh: connect to host x.x.x.x port 12002: Connection refused


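The two outputs quoted above are the whole trick: if the ssh client gets as far as a protocol banner exchange, the TCP three-way handshake completed, so the port is open even though the service on it is not SSH. The script below is an added example (not code from the thread, not Cisco's) that turns that reading of the error text into a small port-reachability check using a standard OpenSSH client. It assumes the -p/-o options of OpenSSH, which the restricted ISE CLI does not expose; on ISE you would run the thread's own form (ssh <host> <user> port <n>) and feed the printed lines to the classifier. The sample error strings are constructed from the thread's outputs plus the other messages OpenSSH prints. One caveat worth keeping in mind: "Connection refused" means the remote host answered with a TCP reset (host reachable, port closed), whereas a firewall that silently drops packets shows up as a timeout, so the classifier reports those two cases separately.

```shell
#!/bin/sh
# Added example, not from the Cisco Community thread or Cisco's ISE code.
# Emulate "telnet host port" on a box that only has an OpenSSH client:
# point ssh at the port and classify the error text it prints.
#
# Assumption: a standard OpenSSH client (ssh -p PORT -o ...). The ISE CLI's
# own syntax is the one shown in the thread (ssh <host> <user> port <n>);
# the error strings it prints are the same OpenSSH ones classified below.

# classify_ssh_output "<stderr text from ssh>"
# Prints one of: open-ssh, open-other, closed, filtered, unresolved, unknown
classify_ssh_output() {
    case "$1" in
        *"Connection refused"*)
            # TCP RST came back: host is up, nothing listens on that port
            echo closed ;;
        *"Connection timed out"*|*"Operation timed out"*|*"No route to host"*|*"Network is unreachable"*)
            # no SYN/ACK at all: typically a filter dropping packets, or host down
            echo filtered ;;
        *"Could not resolve hostname"*|*"Name or service not known"*)
            echo unresolved ;;
        *"Permission denied"*|*"Host key verification failed"*|*"REMOTE HOST IDENTIFICATION HAS CHANGED"*)
            # handshake reached authentication or host-key stage: a real sshd answered
            echo open-ssh ;;
        *"exchange_identification"*|*"Connection closed by remote host"*|*"Connection reset by peer"*|*"Bad remote protocol version"*)
            # TCP connected, then the banner exchange failed: port open, service is not SSH
            echo open-other ;;
        *)
            echo unknown ;;
    esac
}

# probe_tcp_port HOST PORT
# Runs the ssh client against HOST:PORT without offering any credentials and
# prints "HOST:PORT <classification>". Requires network access; not used by
# the self-check below.
probe_tcp_port() {
    host=$1
    port=$2
    # BatchMode=yes: never prompt. All auth methods off: do not present keys or
    # passwords to what may be a foreign service. Known-hosts handling relaxed so
    # a probe cannot be blocked (or pollute known_hosts) because of a host key.
    err=$(ssh -p "$port" \
              -o BatchMode=yes \
              -o ConnectTimeout=5 \
              -o PubkeyAuthentication=no \
              -o PasswordAuthentication=no \
              -o KbdInteractiveAuthentication=no \
              -o StrictHostKeyChecking=no \
              -o UserKnownHostsFile=/dev/null \
              -o LogLevel=ERROR \
              "probe@$host" exit 2>&1 >/dev/null) || true
    printf '%s:%s %s\n' "$host" "$port" "$(classify_ssh_output "$err")"
}

# Constructed sample outputs (192.0.2.10 is a documentation address), modelled
# on the two ISE outputs quoted in the thread and on standard OpenSSH messages.
SAMPLE_ISE_OPEN='Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_exchange_identification: Connection closed by remote host'
SAMPLE_ISE_CLOSED='Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh: connect to host 192.0.2.10 port 12002: Connection refused'
SAMPLE_FILTERED='ssh: connect to host 192.0.2.10 port 12002: Connection timed out'
SAMPLE_SSHD='probe@192.0.2.10: Permission denied (publickey,password).'
SAMPLE_NEW_OPENSSH='kex_exchange_identification: read: Connection reset by peer'

# Self-check on the constructed samples (no network needed)
for s in "$SAMPLE_ISE_OPEN" "$SAMPLE_ISE_CLOSED" "$SAMPLE_FILTERED" "$SAMPLE_SSHD" "$SAMPLE_NEW_OPENSSH"; do
    printf '%-12s <- %s\n' "$(classify_ssh_output "$s")" "$(printf '%s' "$s" | tail -n 1)"
done

# Live probe only when a host and port are given on the command line
if [ "$#" -eq 2 ]; then
    probe_tcp_port "$1" "$2"
fi
```

Usage: save as ssh-portcheck.sh and run "sh ssh-portcheck.sh 192.0.2.10 443"; with no arguments it only runs the self-check on the embedded samples. Newer OpenSSH releases print kex_exchange_identification instead of ssh_exchange_identification, which is why the pattern matches on the common suffix.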

5 Replies

Hi @Arne Bier,

Thanks for replying. I didn't know they removed telnet; for me it is unnecessary, but this is how it is.

For tcpdump there is an option in the GUI where you can specify on which node (if you have a deployment) and on which interface you want to run it. You can also specify filters for what is of interest to you and open the file in Wireshark. I used it a couple of times and it works very well; it helped me with troubleshooting.

 

Regards,

Nenad

Sure, the tcpdump is available via the GUI and it's OK for doing one node at a time. If you have anything more complex and you're trying to capture on more than one node at a time, then you can't do this in ISE. Hence why the ACS CLI tcpdump was so useful. Case in point: when using a load balancer and you want to capture traffic on x number of PSNs, you have no idea where the load balancer will send the traffic.

gulzar.khalid (Level 1)

Not sure if someone has already replied; we can generate traffic on any port with the ssh command (ISE CLI form, with the username before the port, as in the accepted solution above):

ssh x.x.x.x <username> port <port number>

 

I hope this helps 
