TCP port not passing

dimkat2903
Level 1

Greetings,

I am facing an issue. I have two Windows servers that can ping each other. Both of them are connected to the same switch (3850) and are assigned to the same VLAN. However, when I’m doing a test net connection from server 1 to server 2 on TCP port 135, the TCP net connection fails. The firewall on both servers is disabled, and the strange thing is that when I connect both servers back to back through Ethernet, the test net connection succeeds and TCP port 135 passes. Also, the RPC service is enabled on both servers. I tried to configure an extended ACL to allow TCP from any to any and I applied it in the outbound direction to the interface that server 1 is connected to, so as to allow TCP 135 going to Server 2, but I still have the same issue.

What could be the root cause, please? Thank you.

balaji.bandi
Hall of Fame

What version of code is the Cat 3850 running, and can you post the config of the switch (show run)?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

dimkat2903
Level 1

The firmware version is 16.12.05b

show run (will help to see what is wrong)

Is this Layer 2 or Layer 3? Then run some debugs.

BB


Here is the switch configuration. The switch is an L3. Can you suggest some good debug commands for troubleshooting? Is it something related to the global ACLs? As I said, I tried to set an extended ACL to allow TCP port 135 from Server 1 to Server 2 and I applied the ACL in the outbound direction to the switch port where Server 1 is currently connected, but I still have the same issue. Any thoughts, please? I need to provide a solution ASAP, so your support is highly appreciated!

I see ACLs that permit many TCP ports,
so first do a traceroute from one server to the other
and see which hops it passes through,
then check the ACL at each hop (the path between the servers),
then do show ip access list and check whether the hit count increases when you connect using the TCP port.

Actually both servers are connected on the same switch so no hops are in between them.

Which ACL is affecting port 135 not to pass?

ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
!
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
!
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
!
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
!
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data

Where are these ACLs applied? Are they applied to CoPP of the SW or to a VLAN? Which VLAN are these ACLs applied to, is it the same as the servers' or not?

All above ACLs are some default ones and were not created by me and are not applied to any switch port. The switch ports both servers are connected to don’t have any ACLs applied.


Did you configure any CallManager? CallManager can use TCP port 135.
Maybe this is the issue, because there is a conflict between the two services.
https://www.voipinfo.net/docs/cisco/43881-ccm-tcp-udp-ports.pdf

Waiting for your reply.

You have provided the config, but you have not given input on which port and which VLAN the servers are connected to.

1. On the switch, Server 1 is connected to what port?

2. On the switch, Server 2 is connected to what port?

3. What VLAN do you think they are supposed to be in?

4. What is the Server 1 IP address?

5. What is the Server 2 IP address?

6. Can you post ipconfig /all from the servers?

7. Can you confirm that you can ping from Server 1 to Server 2, and vice versa?

8. Post show ip arp from the switch.

BB


Hello,

Since both of your servers are in the same VLAN, no Layer 3 ACLs would apply, in theory. Looking at your configuration, is there a specific reason why 'ip host-routing' is enabled? I have never seen this on a straight Layer 3 switch. Try to disable that, and simply enable 'ip routing' instead...