show control-plane host open-ports command

Sep 14th, 2009

According to the output:


c2800#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address    Foreign Address      Service         State
tcp   *:23             *:0                  Telnet          LISTEN
tcp   *:23             192.168.1.205:5385   Telnet          ESTABLIS
udp   *:61165          *:0                  IP SNMP         LISTEN
udp   *:60892          10.94.0.20:514       Syslog          ESTABLIS
udp   *:49             10.94.0.5:0          TACACS service  LISTEN
udp   *:52645          192.168.1.238:514    Syslog          ESTABLIS
udp   *:123            *:0                  NTP             LISTEN
udp   *:61793          *:0                  IP SNMPV6       LISTEN
udp   *:161            *:0                  IP SNMP         LISTEN
udp   *:161            *:0                  IP SNMP         LISTEN
udp   *:162            *:0                  IP SNMP         LISTEN
udp   *:162            *:0                  IP SNMP         LISTEN
udp   *:1967           *:0                  RTR control     LISTEN
udp   *:1985           *:0                  cisco HSRP      LISTEN
udp   224.0.1.40:496   *:0                  PIM RP          LISTEN
c2800#


It lists TACACS+ as UDP instead of TCP. Does anyone know why?


This is the AAA configuration in the router:

aaa authentication login login-check group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.94.0.5 key 7 11F00157E757E65


IOS version is 12.4(15)T9


Thanks.

Edison Ortiz Mon, 09/14/2009 - 07:48

The TACACS+ server listens on TCP and the router will initiate the connection as a client to the server using a random high port.


I'm unsure why the client is listening on UDP 49 as it can't act as TACACS+ server and I can't find any documentation on this matter.

Laurent Aubert Tue, 09/15/2009 - 18:42

Hi,


(Very) old versions of TACACS used UDP instead of TCP, so it seems the code is still there.


I assume both source and destination ports are set to 49, as for other UDP applications.


HTH


Laurent.

cisco24x7 Wed, 09/16/2009 - 09:02

Not sure I agree with your logic. See below:


udp *:49 10.94.0.5:0 TACACS service LISTEN


Basically, what it is telling me here is that the router is listening on udp port 49. Why? The router should NOT be running AAA server, the router is a client.



Laurent Aubert Wed, 09/16/2009 - 11:28

As I said, the router is also using 49 as its source port. That's why it's listening on it.


It doesn't mean it's acting as a server.


You will see the same behavior with RIP and LDP, for example, where source and destination UDP ports are equal:


AS1-P2#sh ip socket
Proto  Remote      Port  Local      Port  In  Out  Stat  TTY  OutputIF
17     --listen--        10.10.1.2  67    0   0    1     0
17     --listen--        10.10.1.2  496   0   0    1     0
17     --listen--        10.10.1.2  1698  0   0    1     0
17     --listen--        10.10.1.2  711   0   0    1     0
17     --listen--        10.10.1.2  646   0   0    1     0
17     --listen--        10.10.1.2  3503  0   0    1     0
17     10.1.1.1    49    10.10.1.2  49    0   0    11    0
17     --listen--        10.10.1.2  520   0   0    1     0


I think TACACS+ implementations have relied on TCP only for a while now.


HTH


Laurent.

cisco24x7 Wed, 09/16/2009 - 12:36

Again, I am not sure I understand what you're trying to convey, that the router is also using port 49 as its source port.

For what?


This is what I am seeing on the ACS server with ethereal when the router communicates with the ACS Server:


No.  Time      Source        Destination   Protocol  Info                                                        Packet length
1    0.000000  172.20.20.20  192.168.15.8  TCP       40214 > tacacs [SYN] Seq=1693988692 Win=4128 Len=0 MSS=536  60

Frame 1 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_7b:80:01 (00:05:00:7b:80:01), Dst: DellComp_39:c0:79 (00:06:5b:39:c0:79)
Internet Protocol, Src: 172.20.20.20 (172.20.20.20), Dst: 192.168.15.8 (192.168.15.8)
Transmission Control Protocol, Src Port: 40214 (40214), Dst Port: tacacs (49), Seq: 1693988692, Len: 0

No.  Time      Source        Destination   Protocol  Info                                                                          Packet length
2    0.000063  192.168.15.8  172.20.20.20  TCP       tacacs > 40214 [SYN, ACK] Seq=574810695 Ack=1693988693 Win=16384 Len=0 MSS=1460  58

Frame 2 (58 bytes on wire, 58 bytes captured)
Ethernet II, Src: DellComp_39:c0:79 (00:06:5b:39:c0:79), Dst: Cisco_7b:80:01 (00:05:00:7b:80:01)
Internet Protocol, Src: 192.168.15.8 (192.168.15.8), Dst: 172.20.20.20 (172.20.20.20)
Transmission Control Protocol, Src Port: tacacs (49), Dst Port: 40214 (40214), Seq: 574810695, Ack: 1693988693, Len: 0

No.  Time      Source        Destination   Protocol  Info                                                              Packet length
3    0.001747  172.20.20.20  192.168.15.8  TCP       40214 > tacacs [ACK] Seq=1693988693 Ack=574810696 Win=4128 Len=0  60



As you can see, the router uses TCP high ports to communicate with the ACS server on TCP port 49.


What is the meaning of UDP port 49 on the router?

Edison Ortiz Wed, 09/16/2009 - 12:48

As I said, the router is also using 49 as its source port. That's why it's listening on it.


Based on my findings, it isn't.


It uses a high random port for ACS communication to the server.



Still investigating as to why it has UDP 49 in listening mode...


Laurent Aubert Wed, 09/16/2009 - 13:25

OK so here is my understanding:


1. The first TACACS+ implementation, back in the stone ages, was based on UDP and then moved to TCP. Both use the same port number.


Your capture is based on a TCP transaction, not UDP, so it's not relevant.


2. I assume that for UDP support, IOS used 49 as the source port; otherwise I can't explain why the router would listen on this port. It doesn't surprise me, as other UDP-based protocols have the same behavior.


3. I agree this part of the code should be removed if there are no more UDP-based TACACS servers in the field.


From RFC 1492:

2.0 UDP Encoding: TACACS

This section describes the UDP encoding of the requests that have just been described. It also describes the responses. This UDP encoding forms the basis of the historical TACACS protocol.


HTH


Laurent.

Edison Ortiz Wed, 09/16/2009 - 14:01

1. The first TACACS+ implementation, back in the stone ages, was based on UDP and then moved to TCP. Both use the same port number.


Agreed. That was on the server side, XTACACS. The client shouldn't be listening on anything unless it's acting like a server, which we all know it can't.


Your capture is based on a TCP transaction, not UDP, so it's not relevant.


You can see the same behavior with the same show control-plane command. The client-server connection is made strictly over TCP when ACS services are needed. UDP 49 is never used. I don't understand how the capture is irrelevant.


2. I assume that for UDP support, IOS used 49 as the source port; otherwise I can't explain why the router would listen on this port. It doesn't surprise me, as other UDP-based protocols have the same behavior.


That's the reason for the initial question: understanding why UDP 49 is open. Your other examples of RIP and LDP are apples and oranges, as RIP and LDP aren't client-to-server protocols. LDP may qualify as client-to-server, but as we know the server can be the client and the client can be the server; that is not the same structure as TACACS+, where the router can never be the server.






Laurent Aubert Wed, 09/16/2009 - 17:48

Hi,


We are not talking about TACACS+ here, which relies only on TCP, but about XTACACS. That's why I said the traces were not relevant. They didn't prove what UDP source port is used by the router when configured for XTACACS.


I did some research and found some traces of XTACACS packets:


*Jun 24 10:53:25.881: IP: s=10.48.77.151 (local), d=10.48.75.136 (FastEthernet0), len 66, sending
*Jun 24 10:53:25.881: UDP src=49, dst=49
*Jun 24 10:53:25.881: IP: s=10.48.77.151 (local), d=10.48.75.136 (FastEthernet0), len 66, sending full packet
*Jun 24 10:53:25.881: UDP src=49, dst=49
*Jun 24 10:53:25.881: TAC: Send query type LOGIN (1) to 10.48.75.136, Id 8757, ver 0x80, port 2
*Jun 24 10:53:25.905: IP: s=10.48.75.136 (FastEthernet0), d=10.48.77.151, len 56, rcvd 2
*Jun 24 10:53:25.905
medoc#: UDP src=49, dst=49


So because the router uses 49 as its source port, it must be listening on it as well, even if it acts as a client from the application perspective.


From the router's point of view, XTACACS is a feature like LDP or RIP, without being aware of the "client/server" application model.


But I think it's an error to have this port open when TACACS+ is configured (aaa new-model) because it will never be used.


Edison, I can give you the SR number if you want.


Laurent.

cisco24x7 Thu, 09/17/2009 - 02:25

Laurent,


Assuming that is true, how come I am NOT seeing this in IOS versions prior to 12.4T when I have "aaa new-model" enabled? See below:


C7140>sh ip sockets
Proto  Remote         Port  Local          Port   In  Out  Stat  TTY  OutputIF
17     --listen--           1.2.3.4        1985   0   0    1     0
17     --listen--           224.0.1.40     496    0   0    61    0
17     10.109.114.10  514   10.10.89.240   58983  0   0    20    0
17     10.109.114.60  514   10.10.89.240   51599  0   0    20    0
17     192.168.15.8   49    10.10.89.240   49     0   0    21    0
17     10.109.114.60  162   192.168.15.1   55473  0   0    0     0
17     192.168.0.254  162   192.168.15.1   50336  0   0    0     0
17     192.168.3.10   67    192.168.15.1   67     0   0    2211  0
17     --listen--           1.2.3.4        123    0   0    1     0
17     192.168.0.254  1031  10.10.89.240   161    0   0    1     0
17     --listen--           1.2.3.4        162    0   0    11    0
17     --listen--           1.2.3.4        55137  0   0    1     0
C7140>

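The two socket listings quoted in this thread (the `show control-plane host open-ports` output in the first post and the `show ip sockets` outputs in the later posts) can be audited mechanically rather than read by eye. The following Python is an added example written for this thread; it is not Cisco code and not any poster's code. It parses both listing formats, reports any UDP socket on port 49 (the historical UDP TACACS/XTACACS path described in RFC 1492, which a router acting only as a TACACS+ client has no use for, since TACACS+ connects from an ephemeral TCP port to server TCP/49) and lists listeners outside an operator-supplied allowlist. The sample listings are constructed from the outputs posted in the thread; the allowlist and the "BOUND" state label are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example for this thread, not Cisco code or any poster's code.
# The two sample listings are constructed from the outputs quoted in the thread.


@dataclass(frozen=True)
class Sock:
    proto: str            # "tcp" or "udp"
    local: str            # local address as printed ("*" = any)
    lport: int
    remote: str           # peer address, or "*" when none is bound
    rport: Optional[int]  # None when the listing shows no peer port
    state: str            # LISTEN / ESTABLIS as IOS prints; BOUND is this example's label


_OPEN_PORTS = re.compile(
    r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+.+?\s+(LISTEN|ESTABLIS\S*)$")
_IP_PROTO = {"6": "tcp", "17": "udp"}   # IP protocol numbers in 'show ip sockets'


def parse_open_ports(text: str) -> List[Sock]:
    """Rows of 'show control-plane host open-ports' (12.4T and later)."""
    socks = []
    for line in text.splitlines():
        m = _OPEN_PORTS.match(line.strip())
        if m:
            proto, la, lp, ra, rp, state = m.groups()
            socks.append(Sock(proto, la, int(lp), ra, int(rp), state))
    return socks


def parse_ip_sockets(text: str) -> List[Sock]:
    """Rows of 'show ip sockets'. Listening rows print '--listen--' and omit the
    remote port; rows with a peer print remote address and port. The trailing
    In/Out/Stat/TTY/OutputIF columns are not needed for this audit."""
    socks = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in _IP_PROTO:
            continue                      # header, prompt, or non-IP row
        proto = _IP_PROTO[t[0]]
        if t[1] == "--listen--" and len(t) >= 4:
            socks.append(Sock(proto, t[2], int(t[3]), "*", None, "LISTEN"))
        elif len(t) >= 5:
            socks.append(Sock(proto, t[3], int(t[4]), t[1], int(t[2]), "BOUND"))
    return socks


def legacy_tacacs_udp(socks: List[Sock]) -> List[Sock]:
    """UDP sockets on port 49. TACACS+ is TCP-only, so on a TACACS+ client this
    is the historical UDP TACACS/XTACACS code path (RFC 1492), worth a closer look."""
    return [s for s in socks if s.proto == "udp" and s.lport == 49]


def unexpected_listeners(socks: List[Sock], allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listening (proto, port) pairs outside the operator's allowlist."""
    return sorted({(s.proto, s.lport) for s in socks
                   if s.state == "LISTEN" and (s.proto, s.lport) not in allowed})


C2800_OPEN_PORTS = """\
Prot  Local Address    Foreign Address      Service         State
tcp   *:23             *:0                  Telnet          LISTEN
tcp   *:23             192.168.1.205:5385   Telnet          ESTABLIS
udp   *:61165          *:0                  IP SNMP         LISTEN
udp   *:60892          10.94.0.20:514       Syslog          ESTABLIS
udp   *:49             10.94.0.5:0          TACACS service  LISTEN
udp   *:52645          192.168.1.238:514    Syslog          ESTABLIS
udp   *:123            *:0                  NTP             LISTEN
udp   *:61793          *:0                  IP SNMPV6       LISTEN
udp   *:161            *:0                  IP SNMP         LISTEN
udp   *:161            *:0                  IP SNMP         LISTEN
udp   *:162            *:0                  IP SNMP         LISTEN
udp   *:162            *:0                  IP SNMP         LISTEN
udp   *:1967           *:0                  RTR control     LISTEN
udp   *:1985           *:0                  cisco HSRP      LISTEN
udp   224.0.1.40:496   *:0                  PIM RP          LISTEN
"""

C7140_IP_SOCKETS = """\
Proto  Remote         Port  Local          Port   In  Out  Stat  TTY  OutputIF
17     --listen--           1.2.3.4        1985   0   0    1     0
17     --listen--           224.0.1.40     496    0   0    61    0
17     10.109.114.10  514   10.10.89.240   58983  0   0    20    0
17     10.109.114.60  514   10.10.89.240   51599  0   0    20    0
17     192.168.15.8   49    10.10.89.240   49     0   0    21    0
17     10.109.114.60  162   192.168.15.1   55473  0   0    0     0
17     192.168.0.254  162   192.168.15.1   50336  0   0    0     0
17     192.168.3.10   67    192.168.15.1   67     0   0    2211  0
17     --listen--           1.2.3.4        123    0   0    1     0
17     192.168.0.254  1031  10.10.89.240   161    0   0    1     0
17     --listen--           1.2.3.4        162    0   0    11    0
17     --listen--           1.2.3.4        55137  0   0    1     0
"""

# Assumed management-plane baseline for this router (the example's choice, not a Cisco default).
ALLOWED = {("tcp", 23), ("udp", 123), ("udp", 161), ("udp", 162),
           ("udp", 1967), ("udp", 1985), ("udp", 496)}

if __name__ == "__main__":
    for name, socks in (("c2800", parse_open_ports(C2800_OPEN_PORTS)),
                        ("C7140", parse_ip_sockets(C7140_IP_SOCKETS))):
        for s in legacy_tacacs_udp(socks):
            print(f"{name}: UDP/49 socket {s.local}:{s.lport} <-> {s.remote}:{s.rport} ({s.state})")
        print(f"{name}: listeners outside allowlist: {unexpected_listeners(socks, ALLOWED)}")
```

Run against both listings, the script points at the same socket the thread is arguing about: the c2800 shows a UDP/49 listener paired with the configured server 10.94.0.5, and the C7140 shows a UDP/49 socket bound to 192.168.15.8:49, which matches Laurent's src=49, dst=49 debug trace. A unexpected-listener check like this belongs in a configuration audit next to the CoPP or interface ACL that should be dropping unsolicited UDP/49 toward the router.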


Laurent Aubert Thu, 09/17/2009 - 04:30

I don't know how this part of code evolved during time and between different branches of code.


I tested with 12.2(33)SRD and 12.0S and I can see the router listening on UDP port 49 as soon as I have a tacacs server configured (even without aaa new-model).


Laurent.

Edison Ortiz Thu, 09/17/2009 - 04:14

But I think it's an error to have this port open when TACACS+ is configured (aaa new-model) because it will never be used.


That's exactly what we are talking about.

cisco24x7 Thu, 09/17/2009 - 06:06

So what is the answer?

Edison Ortiz Thu, 09/17/2009 - 06:10

Can't find anything, sorry. My suggestion is to open a case with TAC so they can raise a bug if the Business Unit identifies it as such.


__


Edison.
