Solved: Traffic on port TCP/9399 between primary and secondary administrative nodes

giosif · ‎05-21-2018

Hi,

Working with a customer ISE deployment (version 2.2 patch 7) and we are seeing traffic between the PAN and the SAN on port TCP/9399.

Q1: Can someone please tell me what that port is used for?

The closest thing I could find the documentation was TCP/9300 for Elastic Search, but that's a bit far off from what we are seeing.

Q2: Is the use of this port intentional?

If so, we need to include it in our documentation.

If not, then I guess this is a bug?

Also, in case anyone asks, I can confirm the source port for this traffic was an ephemeral one (i.e. different from one connection to another, with a random value and above 1024).

giosif · ‎05-22-2018

Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):

The below logs are from the SAN:

logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}

In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.

It just needs to be added to the documentation.

View solution in original post

hslai · ‎05-21-2018

I am not aware any ISE services using it.

Please use ISE admin CLI "show tech" and look for "netstat -tunap...", which will give us an idea which program name is using it. Below is a sample output:

*****************************************

Running netstat -tunap...

*****************************************

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 28529/redis-server

tcp 0 0 127.0.0.1:31755 0.0.0.0:* LISTEN 28319/timestensubd

tcp 0 0 127.0.0.1:25550 0.0.0.0:* LISTEN 28324/ttcserver

giosif · ‎05-21-2018

Thanks for the response!

I will see if I can get that information, but it seems to have coincided with the moment we were re-building the Elastic Search DB (as per the notes for CSCvh48558, in a distributed deployment with PAN and SAN).

Regards,

George

giosif · ‎05-22-2018

Ok, I was able to replicate this in the lab, by doing an Context Visibility reset between a PAN and a SAN (i.e. "application configure ise" -> option 19):

The below logs are from the SAN:

logs/ise-elasticsearch.log:[2018-05-22 07:32:44,987][INFO ][transport ] [testice02] publish_address {testice02.<<EDITED>>/172.20.10.21:9399}, bound_addresses {172.20.10.21:9399} logs/ise-elasticsearch.log:[2018-05-22 07:32:49,567][INFO ][cluster.service ] [testice02] new_master {testice02}{eWJ8Xpa1TQClTWZmqTfxIg}{172.20.10.21}{testice02.<<EDITED>>/172.20.10.21:9399}, reason: zen-disco-join(elected_as_master, [0] joins received) logs/ise-elasticsearch.log:[2018-05-22 07:33:46,552][WARN ][discovery.zen.ping.unicast] [testice02] [1] failed send ping to {#zen_unicast_1#}{172.20.10.20}{testice01.<<EDITED>>/172.20.10.20:9399}

In the meantime, I was also able to confirm with someone from the BU that this is a new port being used.

It just needs to be added to the documentation.