[c-nsp] cisco-nsp Digest, Vol 186, Issue 9
Andrei Sabau
andrei.sabau at itps.ro
Mon May 7 10:50:09 EDT 2018
After some random googling, 6514 is referenced as "secure syslog"
https://tools.ietf.org/html/rfc5425
Seems to be related to ISE and ASA though.
Andrei Sabau
IT Consultant
Mobile: +40 751-012.470
Landline: 0256-277-500
Andrei.sabau at itps.ro
http://www.itps.ro
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cisco-nsp-request at puck.nether.net
Sent: Monday, May 7, 2018 5:21 PM
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 186, Issue 9
Today's Topics:
1. Re: Catalyst 4500 listening on TCP 6154 on all interfaces
(frederic.jutzet at sig-telecom.net)
2. Re: Catalyst 4500 listening on TCP 6154 on all interfaces
(Roland Dobbins)
3. Re: Catalyst 4500 listening on TCP 6154 on all interfaces
(James Bensley)
4. Re: Catalyst 4500 listening on TCP 6154 on all interfaces
(Roland Dobbins)
----------------------------------------------------------------------
Message: 1
Date: Mon, 07 May 2018 13:23:06 +0200
From: "frederic.jutzet at sig-telecom.net"
<frederic.jutzet at sig-telecom.net>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 4500 listening on TCP 6154 on all
interfaces
Message-ID: <5AF0371A.7020702 at sig-telecom.net>
Content-Type: text/plain; charset=ISO-8859-1
I've tried to reset the config to default, shut down all interfaces, remove all L3 IP features (no ip blabla), and I still see 2 TCP ports in LISTEN state by default:
Cat4500-SUP7L-E#sh ip prot
*** IP Routing is NSF aware ***
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#sh run | in ip
address-family ipv4
address-family ipv6
no ip routing
ip vrf Liin-vrf
no ip mfib
no ip bootp server
no ip dhcp-client broadcast-flag
no ip igmp snooping
no ipv6 traffic interface-statistics
no ip address
no ip route-cache
no ip address
no ip route-cache
no ip forward-protocol nd
no ip http server
no ip http secure-server
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#show tcp br all
TCB Local Address Foreign Address (state)
5B40BB30 0.0.0.0.4786 *.* LISTEN
5CD5D2D8 0.0.0.0.6154 *.* LISTEN
Cat4500-SUP7L-E#
I will now try to negate all potential active services from the 'show run all' config, but it's not optimal: for example 'vstack' (port 4786) does not appear in the default config, so it would not be disabled by this trivial method.
One thing which is not clear: could it be possible that this kind of TCP port is not registered with IANA by Cisco because it is meant to be used for internal communication only (internal to the device), or should you register any port usage (even 'private')?
TCP 6154 not officially registered:
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=6154
in contrast to SMI (the zero-touch feature on TCP 4786), which has been registered for almost 10 years:
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=4786
Fred
On 03.05.2018 06:52, frederic.jutzet at sig-telecom.net wrote:
> Hi,
>
> We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
> which have TCP port 6154 listening on all interfaces.
>
> Any idea what it could be?
>
> #show tcp brief all
> TCB Local Address Foreign Address (state)
> ...
> 5A529430 0.0.0.0.6154 <<<<<<<<<<<<<<<<
>
>
> #show tcp tcb 5A529430
> Connection state is LISTEN, I/O status: 1, unread input bytes: 0
> Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
> Local host: 0.0.0.0, Local port: 6154 Foreign host: UNKNOWN, Foreign
> port: 0 Connection tableid (VRF): 1 Maximum output segment queue size:
> 50
>
> Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
>
> Event Timers (current time is 0xF58354):
> Timer Starts Wakeups Next
> Retrans 0 0 0x0
> TimeWait 0 0 0x0
> AckHold 0 0 0x0
> SendWnd 0 0 0x0
> KeepAlive 0 0 0x0
> GiveUp 0 0 0x0
> PmtuAger 0 0 0x0
> DeadWait 0 0 0x0
> Linger 0 0 0x0
> ProcessQ 0 0 0x0
>
> iss: 0 snduna: 0 sndnxt: 0
> irs: 0 rcvnxt: 0
>
> sndwnd: 0 scale: 0 maxrcvwnd: 4128
> rcvwnd: 4128 scale: 0 delrcvwnd: 0
>
> SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
> minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
> uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms Status
> Flags: gen tcbs Option Flags: VRF id set, keepalive running, nagle,
> Reuse local address
> Retrans timeout
> IP Precedence value : 0
>
> Datagrams (max data segment is 516 bytes):
> Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
> Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second
> Congestion: 0), with data: 0, total data bytes: 0
>
> Packets received in fast path: 0, fast processed: 0, slow path: 0
> fast lock acquisition failures: 0, slow path: 0
> TCP Semaphore 0x5BEB9B10 FREE
>
>
>
>
>
> (The command "show control-plane host open-ports" is not available on
> this platform/code)
>
>
>
> I also think that if it were a local socket for internal process
> communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
> So this is listening on all interfaces, virtual and physical, and
> seems not to be for internal process communication.
>
>
> Fred
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
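As an added example (not from the thread or from Cisco), a small Python parser for the `show tcp brief all` output above, standing in for the `show control-plane host open-ports` command that is unavailable on this platform: it flags LISTEN sockets bound to 0.0.0.0 whose port is not on a site allowlist, and skips loopback-only listeners, following Fred's reasoning about 0.0.0.0 versus 127.0.0.1. The sample output and the allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of 'show tcp brief all', modelled on the listing in the
# post above; TCB handles and the extra rows are illustrative only.
SAMPLE_OUTPUT = """\
Cat4500-SUP7L-E#show tcp br all
TCB       Local Address       Foreign Address     (state)
5B40BB30  0.0.0.0.4786        *.*                 LISTEN
5CD5D2D8  0.0.0.0.6154        *.*                 LISTEN
5CD5E000  127.0.0.1.9000      *.*                 LISTEN
5CD5F1A0  192.0.2.10.22       198.51.100.7.51234  ESTAB
"""

# Ports a defender expects open on this switch (constructed allowlist):
# 4786 is Smart Install / vstack (IANA-registered), 22 is SSH. Tune per site.
EXPECTED_LISTENERS: Dict[int, str] = {22: "ssh", 4786: "smart-install (vstack)"}


class Listener(NamedTuple):
    tcb: str
    local_ip: str
    local_port: int
    state: str


def parse_show_tcp_brief(text: str) -> List[Listener]:
    """Parse the data rows of IOS 'show tcp brief all'.

    IOS prints the local socket as <ip>.<port>, so the port is the text after
    the last '.'; rsplit keeps the address intact for IPv4 and IPv6 alike.
    """
    rows: List[Listener] = []
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if not m or "." not in m.group(2):
            continue  # prompt, column header, or blank line
        tcb, local, _foreign, state = m.groups()
        ip, port = local.rsplit(".", 1)
        rows.append(Listener(tcb, ip, int(port), state))
    return rows


def unexpected_listeners(rows: List[Listener],
                         expected: Dict[int, str] = EXPECTED_LISTENERS) -> List[Listener]:
    """LISTEN sockets bound to all interfaces (0.0.0.0) on ports not on the
    allowlist. Loopback-only listeners are unreachable from the network and
    are deliberately left out; an iACL or TAC case is the follow-up for the rest."""
    return [r for r in rows
            if r.state == "LISTEN" and r.local_ip == "0.0.0.0"
            and r.local_port not in expected]
```

Feeding the real output of `show tcp brief all` from several devices through this after a config change gives a quick diff of which network-reachable listeners remain.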
------------------------------
Message: 2
Date: Mon, 07 May 2018 18:31:28 +0700
From: "Roland Dobbins" <rdobbins at arbor.net>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 4500 listening on TCP 6154 on all
interfaces
Message-ID: <0958110F-83F4-4956-8D8C-278F39F9B6BC at arbor.net>
Content-Type: text/plain
On 7 May 2018, at 18:23, frederic.jutzet at sig-telecom.net wrote:
> I've tried to reset to default the config, shutdown all interface,
> remove all L3 ip/feature (no ip blabla), and I still see by default 2
> TCP ports on listening state:
Just put an iACL on it and call it a day.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
------------------------------
Message: 3
Date: Mon, 7 May 2018 14:04:20 +0100
From: James Bensley <jwbensley at gmail.com>
To: Roland Dobbins <rdobbins at arbor.net>
Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Catalyst 4500 listening on TCP 6154 on all
interfaces
Message-ID:
<CAAWx_pVYfiBTHt73UWFodY8nLw+_wN0zpXwfafxRrWzGT3qW+w at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
On Monday, 7 May 2018, Roland Dobbins <rdobbins at arbor.net> wrote:
> On 7 May 2018, at 18:23, frederic.jutzet at sig-telecom.net wrote:
>
> > I've tried to reset to default the config, shutdown all interface,
> > remove all L3 ip/feature (no ip blabla), and I still see by default
> > 2 TCP ports on listening state:
>
> Just put an iACL on it and call it a day.
>
I'm curious to know what it is. Have you opened a TAC case?
Cheers,
James.
------------------------------
Message: 4
Date: Mon, 07 May 2018 21:20:26 +0700
From: "Roland Dobbins" <rdobbins at arbor.net>
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 4500 listening on TCP 6154 on all
interfaces
Message-ID: <208CFB70-7305-407E-BD02-EBC993A8FA7D at arbor.net>
Content-Type: text/plain; format=flowed
On 7 May 2018, at 20:04, James Bensley wrote:
> Have you opened a TAC case?
Yes - that's how I'd go about it. If I couldn't take the gear in question out of service, I'd iACL it in the meantime (should be done, anyways).
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
------------------------------
End of cisco-nsp Digest, Vol 186, Issue 9