Some Cisco devices use 6154 for ypxfrd. 6154 ypxfrd Portmap Request (Info, Atomic*) Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/... https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide... On May 5, 2018, at 6:22 AM, marcel.duregards--- via NANOG <nanog@nanog.org<mailto:nanog@nanog.org>> wrote: As the zero touch feature is on TCP 4786 (SMI), I vote for either: - a nsa backdoor :-) - a default active service Have you tried to zeroize the config and restart then check if TCP 6154 is still on LISTEN state ? - Marcel On 03.05.2018 06:51, frederic.jutzet@sig-telecom.net<mailto:frederic.jutzet@sig-telecom.net> wrote: Hi, We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2 which have TCP port 6154 listening on all interfaces. Any idea what it could be ? #show tcp brief all TCB Local Address Foreign Address (state) ... 5A529430 0.0.0.0.6154 <<<<<<<<<<<<<<<< #show tcp tcb 5A529430 Connection state is LISTEN, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255 Local host: 0.0.0.0, Local port: 6154 Foreign host: UNKNOWN, Foreign port: 0 Connection tableid (VRF): 1 Maximum output segment queue size: 50 Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes) Event Timers (current time is 0xF58354): Timer Starts Wakeups Next Retrans 0 0 0x0 TimeWait 0 0 0x0 AckHold 0 0 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger 0 0 0x0 DeadWait 0 0 0x0 Linger 0 0 0x0 ProcessQ 0 0 0x0 iss: 0 snduna: 0 sndnxt: 0 irs: 0 rcvnxt: 0 sndwnd: 0 scale: 0 maxrcvwnd: 4128 rcvwnd: 4128 scale: 0 delrcvwnd: 0 SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms Status Flags: gen tcbs Option Flags: VRF id set, keepalive running, nagle, Reuse local address Retrans timeout IP Precedence value : 0 Datagrams (max data segment is 516 bytes): Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0 Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 0, total data bytes: 0 Packets received in fast path: 0, fast processed: 0, slow path: 0 fast lock acquisition failures: 0, slow path: 0 TCP Semaphore 0x5BEB9B10 FREE (The command "show control-plane host open-ports" is not available on this platform/code) I also think that if it would be a local socket for internal process communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154. So this is listening on all interfaces, virtuals and physicals and seam not to be for internal internal process communication. Fred --- Bruce Curtis bruce.curtis@ndsu.edu<mailto:bruce.curtis@ndsu.edu> Certified NetAnalyst II 701-231-8527 North Dakota State University