Catalyst 4500 listening on TCP 6154 on all interfaces

Jay Farrell jayfar at jayfar.com
Mon May 7 14:59:08 UTC 2018 

Just a wild thought – why not open a TAC case with Cisco and ask them?

On Mon, May 7, 2018 at 3:06 AM, frederic.jutzet at sig-telecom.net <
frederic.jutzet at sig-telecom.net> wrote:

> > - a nsa backdoor :-)
>
> it would be a very bad backdoor as it's really easy to see the port
> listening...
>
>
> > - a default active service
>
> Maybe, but a service which is not officially registered:
> https://www.iana.org/assignments/service-names-port-numbers/service-names-
> port-numbers.xhtml?search=6154
>
> in contrary to the SMI (zero touch feature on tcp 4786) which is
> registered since almost 10y:
> https://www.iana.org/assignments/service-names-port-numbers/service-names-
> port-numbers.xhtml?search=4786
>
>
>
> Could it be possible that this kind of tcp port is not registered by
> Iana because it meant to be used for internal communication only
> (internal to the device), or should you register any port usage (even
> 'private') ?
>
>
> And yes I've tried to reset to default the config, shutdown all
> interface, remove all L3 ip/feature (no ip blabla), and I still see by
> default 2 TCP ports on listening state:
>
> Cat4500-SUP7L-E#sh ip prot
> *** IP Routing is NSF aware ***
>
> Cat4500-SUP7L-E#
> Cat4500-SUP7L-E#sh run | in ip
>  address-family ipv4
>  address-family ipv6
> no ip routing
> ip vrf Liin-vrf
> no ip mfib
> no ip bootp server
> no ip dhcp-client broadcast-flag
> no ip igmp snooping
> no ipv6 traffic interface-statistics
>  no ip address
>  no ip route-cache
>  no ip address
>  no ip route-cache
> no ip forward-protocol nd
> no ip http server
> no ip http secure-server
> Cat4500-SUP7L-E#
> Cat4500-SUP7L-E#
> Cat4500-SUP7L-E#show tcp br all
> TCB       Local Address               Foreign Address             (state)
> 5B40BB30  0.0.0.0.4786               *.*                         LISTEN
> 5CD5D2D8  0.0.0.0.6154               *.*                         LISTEN
> Cat4500-SUP7L-E#
>
>
>
> I will now try to negate all potential active service from the 'show run
> all' config but it's not optimal as for example 'vstack' (port 4786)
> does not appear in the default config so it would not be disable by this
> trivial method.
>
>
> Fred
>
>
> On 05.05.2018 13:22, marcel.duregards at yahoo.fr wrote:
> > As the zero touch feature is on TCP 4786 (SMI), I vote for either:
> >
> > - a nsa backdoor :-)
> > - a default active service
> >
> > Have you tried to zeroize the config and restart then check if TCP 6154
> > is still on LISTEN state ?
> >
> >
> > -
> > Marcel
> >
> >
> >
> > On 03.05.2018 06:51, frederic.jutzet at sig-telecom.net wrote:
> >> Hi,
> >>
> >> We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
> >> which have TCP port 6154 listening on all interfaces.
> >>
> >> Any idea what it could be ?
> >>
> >> #show tcp brief all
> >> TCB       Local Address               Foreign Address
>  (state)
> >> ...
> >> 5A529430  0.0.0.0.6154        <<<<<<<<<<<<<<<<
> >>
> >>
> >> #show tcp tcb 5A529430
> >> Connection state is LISTEN, I/O status: 1, unread input bytes: 0
>
> >> Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
> >> Local host: 0.0.0.0, Local port: 6154
> >> Foreign host: UNKNOWN, Foreign port: 0
> >> Connection tableid (VRF): 1
> >> Maximum output segment queue size: 50
> >>
> >> Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)
> >>
> >> Event Timers (current time is 0xF58354):
> >> Timer          Starts    Wakeups            Next
> >> Retrans             0          0             0x0
> >> TimeWait            0          0             0x0
> >> AckHold             0          0             0x0
> >> SendWnd             0          0             0x0
> >> KeepAlive           0          0             0x0
> >> GiveUp              0          0             0x0
> >> PmtuAger            0          0             0x0
> >> DeadWait            0          0             0x0
> >> Linger              0          0             0x0
> >> ProcessQ            0          0             0x0
> >>
> >> iss:          0  snduna:          0  sndnxt:          0
> >> irs:          0  rcvnxt:          0
> >>
> >> sndwnd:      0  scale:      0  maxrcvwnd:   4128
> >> rcvwnd:   4128  scale:      0  delrcvwnd:      0
> >>
> >> SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
> >> minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
> >> uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
> >> Status Flags: gen tcbs
> >> Option Flags: VRF id set, keepalive running, nagle, Reuse local address
> >>   Retrans timeout
> >> IP Precedence value : 0
> >>
> >> Datagrams (max data segment is 516 bytes):
> >> Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
> >> Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second
> >> Congestion: 0), with data: 0, total data bytes: 0
> >>
> >>  Packets received in fast path: 0, fast processed: 0, slow path: 0
> >>  fast lock acquisition failures: 0, slow path: 0
> >> TCP Semaphore      0x5BEB9B10  FREE
> >>
> >>
> >>
> >>
> >>
> >> (The command "show control-plane host open-ports" is not available on
> >> this platform/code)
> >>
> >>
> >>
> >> I also think that if it would be a local socket for internal process
> >> communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
> >> So this is listening on all interfaces, virtuals and physicals and seam
> >> not to be for internal internal process communication.
> >>
> >>
> >> Fred
> >>
>

More information about the NANOG mailing list