Catalyst 4500 listening on TCP 6154 on all interfaces
Hi,

We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2 which have TCP port 6154 listening on all interfaces.
Any idea what it could be?

#show tcp brief all
TCB       Local Address               Foreign Address             (state)
...
5A529430  0.0.0.0.6154                                              <<<<<<<<<<<<<<<<

#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer          Starts    Wakeups            Next
Retrans             0          0             0x0
TimeWait            0          0             0x0
AckHold             0          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:          0  snduna:          0  sndnxt:          0
irs:          0  rcvnxt:          0

sndwnd:      0  scale:      0  maxrcvwnd:   4128
rcvwnd:   4128  scale:      0  delrcvwnd:      0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore      0x5BEB9B10  FREE

(The command "show control-plane host open-ports" is not available on this platform/code)

I also think that if it were a local socket for internal process communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154. So this is listening on all interfaces, virtual and physical, and seems not to be for internal process communication.

Fred
As the zero touch feature is on TCP 4786 (SMI), I vote for either:
- an NSA backdoor :-)
- a default active service

Have you tried to zeroize the config and restart, then check if TCP 6154 is still in LISTEN state?

- Marcel

On 03.05.2018 06:51, frederic.jutzet@sig-telecom.net wrote:
> - an NSA backdoor :-)

It would be a very bad backdoor, as it's really easy to see the port listening...

> - a default active service

Maybe, but a service which is not officially registered: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=6154
contrary to SMI (the zero touch feature on TCP 4786), which has been registered for almost 10 years: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=4786

Could it be that this kind of TCP port is not registered with IANA because it is meant to be used for internal communication only (internal to the device), or should any port usage be registered (even a 'private' one)?

And yes, I've tried to reset the config to default, shut down all interfaces, and remove all L3 IP features (no ip blabla), and I still see by default 2 TCP ports in listening state:

Cat4500-SUP7L-E#sh ip prot
*** IP Routing is NSF aware ***

Cat4500-SUP7L-E#
Cat4500-SUP7L-E#sh run | in ip
address-family ipv4
address-family ipv6
no ip routing
ip vrf Liin-vrf
no ip mfib
no ip bootp server
no ip dhcp-client broadcast-flag
no ip igmp snooping
no ipv6 traffic interface-statistics
no ip address
no ip route-cache
no ip address
no ip route-cache
no ip forward-protocol nd
no ip http server
no ip http secure-server
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#
Cat4500-SUP7L-E#show tcp br all
TCB       Local Address               Foreign Address             (state)
5B40BB30  0.0.0.0.4786                *.*                         LISTEN
5CD5D2D8  0.0.0.0.6154                *.*                         LISTEN
Cat4500-SUP7L-E#

I will now try to negate all potential active services from the 'show run all' config, but it's not optimal as, for example, 'vstack' (port 4786) does not appear in the default config, so it would not be disabled by this trivial method.

Fred

On 05.05.2018 13:22, marcel.duregards@yahoo.fr wrote:
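As an added example (not code from the thread, from the poster, or from Cisco), here is a small Python audit of the `show tcp brief all` format quoted above: it parses the TCB table, treats 127.0.0.1-bound listeners as on-box only and 0.0.0.0-bound ones as exposed, and flags any wildcard listener whose port is not on an operator allowlist. The allowlist, sample rows, hostname and addresses are constructed assumptions.

```python
#!/usr/bin/env python3
"""Audit an IOS 'show tcp brief all' listing for unexpected wildcard listeners.

Added example, not code from the NANOG thread or from Cisco. It parses the
TCB table format (local sockets printed as a.b.c.d.port) and reports LISTEN
sockets bound to 0.0.0.0 whose port is not on an operator-maintained
allowlist. The allowlist and the sample rows are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the thread's output: the two default
# listeners seen after the config reset, plus a loopback-only listener
# and an established SSH session, to show how each case is classified.
SAMPLE_OUTPUT = """\
Cat4500-SUP7L-E#show tcp br all
TCB       Local Address               Foreign Address             (state)
5B40BB30  0.0.0.0.4786                *.*                         LISTEN
5CD5D2D8  0.0.0.0.6154                *.*                         LISTEN
5A100000  127.0.0.1.6154              *.*                         LISTEN
5A200000  192.0.2.1.22                198.51.100.7.51514          ESTAB
Cat4500-SUP7L-E#
"""

# Ports the operator knowingly exposes (assumption: maintained per site).
# 4786 is Smart Install, registered with IANA as discussed in the thread;
# 22 is management SSH. Anything else in LISTEN on 0.0.0.0 gets reported.
EXPECTED_LISTEN_PORTS: Dict[int, str] = {22: "ssh", 4786: "smart-install"}


@dataclass(frozen=True)
class Tcb:
    tcb: str
    local_addr: str
    local_port: int
    foreign: str
    state: str


# IOS prints an IPv4 socket as a.b.c.d.port, so the port is whatever follows
# the LAST dot; the greedy \S+ backtracks to exactly that split.
# '*.*' is the wildcard foreign address shown for listeners.
_ROW = re.compile(
    r"^(?P<tcb>[0-9A-Fa-f]{6,8})\s+"
    r"(?P<laddr>\S+)\.(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)\s+"
    r"(?P<state>[A-Z]+)\s*$"
)


def parse_tcp_brief(text: str) -> List[Tcb]:
    """Return one Tcb per data row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Tcb(m["tcb"], m["laddr"], int(m["lport"]),
                            m["faddr"], m["state"]))
    return rows


def classify(row: Tcb, expected: Dict[int, str] = EXPECTED_LISTEN_PORTS) -> str:
    """Classify a socket the way the thread reasons about it.

    'session'  - not a listener at all
    'loopback' - bound to 127.0.0.1: reachable only by on-box processes
    'expected' - a listener on an allowlisted port
    'exposed'  - a listener on a port nobody has accounted for
    """
    if row.state != "LISTEN":
        return "session"
    if row.local_addr.startswith("127."):
        return "loopback"
    if row.local_port in expected:
        return "expected"
    return "exposed"


def unexpected_listeners(rows: List[Tcb],
                         expected: Dict[int, str] = EXPECTED_LISTEN_PORTS) -> List[Tcb]:
    """The rows worth a vendor question or a control-plane filter."""
    return [r for r in rows if classify(r, expected) == "exposed"]


def audit_report(text: str, expected: Dict[int, str] = EXPECTED_LISTEN_PORTS) -> List[str]:
    """One line per socket, handy for diffing two boxes or two releases."""
    out = []
    for r in parse_tcp_brief(text):
        label = expected.get(r.local_port, "unregistered/unknown")
        out.append(f"{r.tcb} {r.local_addr}:{r.local_port} {r.state:<6} "
                   f"{classify(r, expected)} ({label})")
    return out


if __name__ == "__main__":
    for line in audit_report(SAMPLE_OUTPUT):
        print(line)
    bad = unexpected_listeners(parse_tcp_brief(SAMPLE_OUTPUT))
    print(f"{len(bad)} listener(s) need an explanation or a filter")
```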
Just a wild thought: why not open a TAC case with Cisco and ask them?

On Mon, May 7, 2018 at 3:06 AM, frederic.jutzet@sig-telecom.net <frederic.jutzet@sig-telecom.net> wrote:
I've been told that the TAC center will not take the time to answer, as it's not a 'real', service-affecting problem. And the Cisco community forum on that topic was useless (nobody answered a person who had already opened a topic about this issue 10 months ago). But you are the 4th person to tell me to open a TAC case; I could have tried that first. In the meantime Cisco contacted me off-list, so I will try with them.

On 07.05.2018 16:59, Jay Farrell via NANOG wrote:
This has not been my experience. TAC specifically has an option when opening a case to "Ask a question". Its purpose is for non-outage queries such as these. I've asked them things such as "How many ARP entries does an ASA 5585X support?" Sometimes I find conflicting information so I need to ask TAC, or I'm just too busy to find the answer.

I've learned not to be hesitant to engage them; we pay for the support after all.

Yes, sometimes you will get an engineer who is not helpful. Let them close the case and open another case, or insist that the case be moved to another engineer.

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of frederic.jutzet@sig-telecom.net
Sent: Monday, May 7, 2018 10:45 AM
To: Jay Farrell <jayfar@jayfar.com>; nanog@nanog.org
Subject: Re: Catalyst 4500 listening on TCP 6154 on all interfaces

I've been told that the TAC center will not take the time to answer, as it's not a 'real', service-affecting problem. And the Cisco community forum on that topic was useless (nobody answered a person who had already opened a topic about this issue 10 months ago). But you are the 4th person to tell me to open a TAC case; I could have tried that first. In the meantime Cisco contacted me off-list, so I will try with them.

On 07.05.2018 16:59, Jay Farrell via NANOG wrote:
Cisco contacted me off-list and asked me to share my data. They will open a bug ID and investigate. Nothing to say, very proactive.

The bug ID is CSCvj35885.

Cisco also confirmed that this TCP port is for internal communication (internal to the device) only and should not be exposed.

Next time I will follow your recommendation about opening a TAC case for an information request, and not bother the community.

Thanks to all for your tips and ideas.

Best regards,
Fred

On 07.05.2018 21:22, Spaans, Joel H wrote:
Some Cisco devices use 6154 for ypxfrd.

6154 ypxfrd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/...
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide...

On May 5, 2018, at 6:22 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:

---
Bruce Curtis                         bruce.curtis@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
* bruce.curtis@ndsu.edu (Curtis, Bruce) [Mon 07 May 2018, 18:25 CEST]:
Some Cisco devices use 6154 for ypxfrd.
No, they don't.
6154 ypxfrd Portmap Request (Info, Atomic*)
Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/...
That's a list of supported IDS signatures, not a list of protocols running on a Cisco device.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide...
Same. Did you just do a Google search for "site:cisco.com 6141" and paste the results in an email? What made you think the original poster hadn't done their homework?

-- Niels.
reading this - just wondering....do you use the SmartCall home service? I wonder if that's what is using this.

try this:

no service smart-call-home

and see if that disables it... just a thought

On Thu, May 3, 2018 at 12:51 AM, frederic.jutzet@sig-telecom.net <frederic.jutzet@sig-telecom.net> wrote:
Hi,
We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2 which have TCP port 6154 listening on all interfaces.
Any idea what it could be ?
#show tcp brief all
TCB       Local Address           Foreign Address        (state)
...
5A529430  0.0.0.0.6154                                            <<<<<<<<<<<<<<<<

#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer          Starts    Wakeups            Next
Retrans             0          0             0x0
TimeWait            0          0             0x0
AckHold             0          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:          0  snduna:          0  sndnxt:          0
irs:          0  rcvnxt:          0

sndwnd:      0  scale:      0  maxrcvwnd:   4128
rcvwnd:   4128  scale:      0  delrcvwnd:      0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
              Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore      0x5BEB9B10  FREE
(The command "show control-plane host open-ports" is not available on this platform/code)
I also think that if it would be a local socket for internal process communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154. So this is listening on all interfaces, virtuals and physicals and seems not to be for internal process communication.
Fred
-- To him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy
NANOG mailing list subscribers:

Hi there. My name is Dario Ciccarone and I work as an Incident Manager on the Cisco PSIRT. The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents. The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Cisco products and networks. Cisco defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product.

Frederic's email caught our attention, and we would like to provide some additional context and answers to the behavior he observed.

The issue observed by Frederic (port 6154/tcp showing up in LISTEN state on some IOS XE releases) is documented on Cisco bug ID CSCut14378, with the title "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS XE releases". The details of this bug can be found on our Bug Search Tool at the following URL:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut14378

While access to the Bug Search Tool is generally offered as part of a support contract and requires an account on cisco.com, Cisco users *without a support contract* can register for a Guest account by filling in the form at the following URL:

https://idreg.cloudapps.cisco.com/idreg/register.do

This guest account will provide limited privileges on cisco.com - but enough to be able to access the Bug Search Tool and read the complete Release Note Enclosure for the bug in question. For those NANOG members that would prefer not to register for a Guest account with Cisco - I will be providing the full Release Note Enclosure text at the end of this email.

I would also like to use this opportunity to invite the NANOG subscribers to reach out to the Cisco PSIRT whenever you observe a behavior on a Cisco device that may create a concern in regards to the device's general security posture. The Cisco PSIRT can be reached by email at psirt@cisco.com - additional information on how to reach us can be found at the following URL:

https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-p...

Thanks,
Dario

Dario Ciccarone <dciccaro@cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

CSCut14378 - "Port 6154/tcp (XTF Agent) shown in LISTEN state on some Cisco IOS XE releases"

*Symptom:*
The output of the "show tcp brief all" command or the "show ip ports all" command on a Cisco device running a subset of Cisco IOS XE releases may show port 6154/tcp in LISTEN state.

Example output from "show tcp brief all" exhibiting this behavior:

IOS-XE#show tcp brief all
TCB       Local Address           Foreign Address        (state)
386F0098  10.122.163.49.23        10.118.116.244.59674   ESTAB
3D639184  10.122.163.49.23        10.118.116.244.59671   TIMEWAIT
38720150  0.0.0.0.4786            *.*                    LISTEN
3D4B6A78  0.0.0.0.6154            *.*                    LISTEN
3A7CC28C  ::.443                  *.*                    LISTEN
391EDBF4  0.0.0.0.443             *.*                    LISTEN
3C8C480C  ::.80                   *.*                    LISTEN
39B48F38  0.0.0.0.80              *.*                    LISTEN
9626:37   192.168.1.1.9010        0.0.0.0.*              LISTEN
IOS-XE#

Example output from "show ip ports all" exhibiting this behavior: (truncated)

IOS-XE#show ip ports all
tcp *:6154 *:* LISTEN 309/[IOS]XTF Agent
IOS-XE#

*Conditions:*
No special conditions.

*Workaround:*
There are no workarounds needed.

*Further Problem Description:*
The Cisco XTF (Cross-OS Test Framework) is a Cisco internal tool to perform product testing during development. Due to an issue with a build tool, a limited number of Cisco IOS XE releases were shipped with an embedded Cisco XTF Agent.

The Cisco XTF Agent accepts connections from the XTF manager on port 6154/TCP. It is important to note that even if the "Local Address" and "Foreign Address" are shown as wildcards on the output of the "show tcp brief all" command or the "show ip ports all" command (which would imply the XTF Agent listens on all interfaces, and would accept connections from any remote source IP address), the XTF Agent is started up with a set of socket options that only allows it to accept connections sourced from the Cisco IOS XE Internal VRF. The Cisco IOS XE Internal VRF is used for internal inter-process communications and is not accessible from outside the box nor from any other VRF on the box. Attempts to connect to port 6154/TCP coming from any other VRF on the box (no VRF, default VRF, Management VRF or any user-defined VRFs) will be answered with a TCP RST, tearing down the connection. There is no way to establish a TCP connection to the XTF Agent from outside the internal VRF.

The following is a complete list of all Cisco IOS XE releases that shipped with an embedded XTF Agent and will show port 6154/TCP as being in LISTEN state when executing a "show tcp brief all" command:

* 3.2.0SE, 3.2.1SE, 3.2.2SE, 3.2.3SE
* 3.3.0SE, 3.3.1SE, 3.3.2SE, 3.3.3SE, 3.3.4SE, 3.3.5SE
* 3.5.0E, 3.5.1E, 3.5.2E, 3.5.3E
* 3.6.0E, 3.6.0aE, 3.6.0bE, 3.6.1E, 3.6.2E, 3.6.2aE, 3.6.3E, 3.6.4E, 3.6.5E, 3.6.5aE, 3.6.6E, 3.6.7E, 3.6.7aE, 3.6.7bE, 3.6.8E, 3.6.9E
* 3.7.0E, 3.7.1E

*PSIRT Evaluation:*
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.h...

PSIRT-0353552144

On 5/3/18 12:51 AM, frederic.jutzet@sig-telecom.net wrote:
Hi,
We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2 which have TCP port 6154 listening on all interfaces.
Any idea what it could be ?
#show tcp brief all
TCB       Local Address           Foreign Address        (state)
...
5A529430  0.0.0.0.6154                                            <<<<<<<<<<<<<<<<

#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer          Starts    Wakeups            Next
Retrans             0          0             0x0
TimeWait            0          0             0x0
AckHold             0          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:          0  snduna:          0  sndnxt:          0
irs:          0  rcvnxt:          0

sndwnd:      0  scale:      0  maxrcvwnd:   4128
rcvwnd:   4128  scale:      0  delrcvwnd:      0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
              Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore      0x5BEB9B10  FREE
(The command "show control-plane host open-ports" is not available on this platform/code)
I also think that if it would be a local socket for internal process communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154. So this is listening on all interfaces, virtuals and physicals and seems not to be for internal process communication.
Fred
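The PSIRT reply above gives an operator two things to check on a fleet: whether the running release is in the CSCut14378 list, and which LISTEN sockets are bound to a wildcard address (and which process owns them, where "show ip ports all" is available). The following is an added audit helper, not Cisco's code and not from anyone in this thread; it parses the command output in the column layout quoted in the bug enclosure, and the sample outputs embedded below are that enclosure's examples, re-laid out as constructed input. The regular expressions and the "03.06.02.E" to "3.6.2E" mapping are assumptions about how the release string is printed, so adjust them for other platforms.

```python
import re

# Affected releases, copied from the CSCut14378 enclosure quoted in this thread.
XTF_AGENT_RELEASES = frozenset((
    "3.2.0SE 3.2.1SE 3.2.2SE 3.2.3SE "
    "3.3.0SE 3.3.1SE 3.3.2SE 3.3.3SE 3.3.4SE 3.3.5SE "
    "3.5.0E 3.5.1E 3.5.2E 3.5.3E "
    "3.6.0E 3.6.0aE 3.6.0bE 3.6.1E 3.6.2E 3.6.2aE 3.6.3E 3.6.4E 3.6.5E "
    "3.6.5aE 3.6.6E 3.6.7E 3.6.7aE 3.6.7bE 3.6.8E 3.6.9E "
    "3.7.0E 3.7.1E"
).split())
XTF_AGENT_PORT = 6154
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

# TCP states as printed by IOS "show tcp brief"; restricting the last field keeps
# prompt lines such as "IOS-XE#show tcp brief all" from matching as a socket row.
_STATES = ("LISTEN|ESTAB|TIMEWAIT|SYNRCVD|SYNSENT|CLOSEWAIT|FINWAIT1|FINWAIT2|"
           "LASTACK|CLOSING|CLOSED")
TCP_BRIEF_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(%s)\s*$" % _STATES)
# Row shape from the enclosure: "tcp *:6154 *:* LISTEN 309/[IOS]XTF Agent"
IP_PORTS_RE = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)/(.+?)\s*$")
# Assumed "show version" form "03.06.02.E" (optional rebuild letter, e.g. 3.6.2aE).
RELEASE_RE = re.compile(r"^0?(\d+)\.0?(\d+)\.0?(\d+)([a-z]?)\.?([A-Z]+)$")


def normalize_release(version):
    """Map '03.06.02.E' (show version form) to the bug's '3.6.2E' notation."""
    m = RELEASE_RE.match(version.strip())
    if not m:
        return version.strip()
    major, minor, rebuild, letter, train = m.groups()
    return "%s.%s.%s%s%s" % (major, minor, rebuild, letter, train)


def _split_local(addr):
    """IOS joins host and port with '.', e.g. '::.443' or '0.0.0.0.6154'."""
    host, _, port = addr.rpartition(".")
    return host, int(port) if port.isdigit() else None


def parse_tcp_brief(text):
    """Return one dict per socket row of 'show tcp brief all'."""
    rows = []
    for line in text.splitlines():
        m = TCP_BRIEF_RE.match(line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        host, port = _split_local(local)
        rows.append({"tcb": tcb, "host": host, "port": port,
                     "foreign": foreign, "state": state})
    return rows


def parse_ip_ports(text):
    """Return {port: owning process} from the tcp rows of 'show ip ports all'."""
    owners = {}
    for line in text.splitlines():
        m = IP_PORTS_RE.match(line)
        if m and m.group(1) == "tcp":
            owners[int(m.group(3))] = m.group(7)
    return owners


def audit(tcp_brief, ip_ports, version):
    """Return (release, affected, findings) for wildcard-bound LISTEN sockets.

    findings are (port, host, note) tuples sorted by port. A wildcard bind is
    only a candidate for review: per the PSIRT note, 6154 on an affected
    release is confined to the internal VRF by socket options, so the note
    records the bug match rather than treating the port as exposed.
    """
    release = normalize_release(version)
    affected = release in XTF_AGENT_RELEASES
    owners = parse_ip_ports(ip_ports)
    findings = []
    for s in parse_tcp_brief(tcp_brief):
        if s["state"] != "LISTEN" or s["host"] not in WILDCARD_HOSTS:
            continue
        note = owners.get(s["port"], "owner not shown")
        if s["port"] == XTF_AGENT_PORT and affected:
            note += "; matches CSCut14378 (XTF Agent, internal VRF only)"
        findings.append((s["port"], s["host"], note))
    return release, affected, sorted(findings)


# Constructed sample input: the enclosure's example outputs, re-laid out as columns.
TCP_BRIEF_SAMPLE = """\
IOS-XE#show tcp brief all
TCB       Local Address           Foreign Address        (state)
386F0098  10.122.163.49.23        10.118.116.244.59674   ESTAB
3D639184  10.122.163.49.23        10.118.116.244.59671   TIMEWAIT
38720150  0.0.0.0.4786            *.*                    LISTEN
3D4B6A78  0.0.0.0.6154            *.*                    LISTEN
3A7CC28C  ::.443                  *.*                    LISTEN
391EDBF4  0.0.0.0.443             *.*                    LISTEN
3C8C480C  ::.80                   *.*                    LISTEN
39B48F38  0.0.0.0.80              *.*                    LISTEN
9626:37   192.168.1.1.9010        0.0.0.0.*              LISTEN
"""
IP_PORTS_SAMPLE = """\
IOS-XE#show ip ports all
tcp *:6154 *:* LISTEN 309/[IOS]XTF Agent
"""

if __name__ == "__main__":
    rel, hit, found = audit(TCP_BRIEF_SAMPLE, IP_PORTS_SAMPLE, "03.06.02.E")
    print("release %s, in CSCut14378 list: %s" % (rel, hit))
    for port, host, note in found:
        print("  LISTEN %s:%d  %s" % (host, port, note))
```

Run against Fred's release string the helper reports "3.6.2E" as an affected release and annotates the 6154 listener with the bug match, while the other wildcard listeners (80, 443 and the Smart Install port 4786 from the same sample) are listed with no owner because the enclosure's "show ip ports all" excerpt is truncated; feeding the full output of that command fills the owner column in.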
hi, thank-you Dario for your input and response from Cisco PSIRT - very useful and welcome. alan
participants (9)
- Alan Buxey
- Curtis, Bruce
- Dario Ciccarone
- frederic.jutzet@sig-telecom.net
- Jay Farrell
- marcel.duregards@yahoo.fr
- Niels Bakker
- Spaans, Joel H
- Stephen Fischer