09-14-2009 05:36 AM - edited 03-04-2019 06:02 AM
According to the output:
c2800#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.1.205:5385 Telnet ESTABLIS
udp *:61165 *:0 IP SNMP LISTEN
udp *:60892 10.94.0.20:514 Syslog ESTABLIS
udp *:49 10.94.0.5:0 TACACS service LISTEN
udp *:52645 192.168.1.238:514 Syslog ESTABLIS
udp *:123 *:0 NTP LISTEN
udp *:61793 *:0 IP SNMPV6 LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:1967 *:0 RTR control LISTEN
udp *:1985 *:0 cisco HSRP LISTEN
udp 224.0.1.40:496 *:0 PIM RP LISTEN
c2800#
It listed TACACS+ as UDP instead of TCP. Does anyone know why?
This is the AAA configuration in the router:
aaa authentication login login-check group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.94.0.5 key 7 11F00157E757E65
IOS version is 12.4(15)T9
Thanks.
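As an added example (not code from the original thread or from Cisco), here is a small Python audit script for the situation described above: it parses the two output formats quoted in this discussion, `show control-plane host open-ports` and `show ip sockets`, into records and flags local ports that a TACACS+ client has no business exposing, such as UDP/49. The sample outputs embedded in it are constructed to mirror the thread; the allowlist of expected services and the ephemeral-port floor of 49152 are assumptions to be adjusted per device role.

```python
"""Audit IOS control-plane listener output for unexpected services.

Added example, not taken from the thread or from Cisco.  Sample outputs are
constructed to resemble the router output quoted in the discussion.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Socket:
    proto: str        # "tcp" or "udp"
    local: str        # local address as printed ("*" or an IP)
    local_port: int
    remote: str       # "*:0", "--listen--" or "ip:port"
    state: str        # "LISTEN", "ESTABLISHED" or "BOUND" (client socket on a fixed local port)
    service: str      # service label, only present in "show control-plane host open-ports"


# Constructed sample shaped like "show control-plane host open-ports".
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.1.205:5385 Telnet ESTABLIS
udp *:61165 *:0 IP SNMP LISTEN
udp *:60892 10.94.0.20:514 Syslog ESTABLIS
udp *:49 10.94.0.5:0 TACACS service LISTEN
udp *:123 *:0 NTP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:1967 *:0 RTR control LISTEN
udp *:1985 *:0 cisco HSRP LISTEN
udp 224.0.1.40:496 *:0 PIM RP LISTEN
"""

# Constructed sample shaped like "show ip sockets" (proto 17 = UDP, 6 = TCP).
SAMPLE_IP_SOCKETS = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 1.2.3.4 1985 0 0 1 0
17 10.109.114.10 514 10.10.89.240 58983 0 0 20 0
17 192.168.15.8 49 10.10.89.240 49 0 0 21 0
17 --listen-- 1.2.3.4 123 0 0 1 0
17 --listen-- 1.2.3.4 55137 0 0 1 0
"""

_OPEN_PORTS_RE = re.compile(
    r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+:\d+)\s+(.+?)\s+(LISTEN|ESTABLIS\w*)\s*$"
)
_SOCK_LISTEN_RE = re.compile(r"^(\d+)\s+--listen--\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+")
_SOCK_CONN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+")
_PROTO_NUM = {"6": "tcp", "17": "udp"}


def parse_open_ports(text: str) -> list[Socket]:
    """Parse 'show control-plane host open-ports' into Socket records."""
    out = []
    for line in text.splitlines():
        m = _OPEN_PORTS_RE.match(line.strip())
        if not m:
            continue  # header lines and the prompt are skipped
        proto, local, port, remote, service, state = m.groups()
        state = "ESTABLISHED" if state.startswith("ESTABLIS") else state
        out.append(Socket(proto, local, int(port), remote, state, service))
    return out


def parse_ip_sockets(text: str) -> list[Socket]:
    """Parse 'show ip sockets'.  A socket that already has a remote peer is
    reported as BOUND: it is a client socket, but its local port is bound."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = _SOCK_LISTEN_RE.match(line)
        if m:
            num, local, port = m.groups()
            out.append(Socket(_PROTO_NUM.get(num, num), local, int(port), "--listen--", "LISTEN", ""))
            continue
        m = _SOCK_CONN_RE.match(line)
        if m:
            num, remote, rport, local, lport = m.groups()
            out.append(Socket(_PROTO_NUM.get(num, num), local, int(lport), f"{remote}:{rport}", "BOUND", ""))
    return out


# Assumed allowlist of (proto, port) pairs this router is expected to serve;
# adjust to the device role.  The ephemeral-port floor is an assumption too.
EXPECTED = {("tcp", 23), ("udp", 123), ("udp", 161), ("udp", 162),
            ("udp", 496), ("udp", 1967), ("udp", 1985)}
EPHEMERAL_FLOOR = 49152


def unexpected_listeners(sockets, expected=EXPECTED, ephemeral_floor=EPHEMERAL_FLOOR):
    """Return sockets bound to a non-ephemeral local port not in the allowlist.
    ESTABLISHED flows and ephemeral client ports are skipped; a BOUND client
    socket on a fixed low port (the UDP/49 case) is still reported, because the
    port is bound on the device regardless of what the application does with it."""
    flagged = []
    for s in sockets:
        if s.state == "ESTABLISHED" or s.local_port >= ephemeral_floor:
            continue
        if (s.proto, s.local_port) not in expected:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for name, socks in (("open-ports", parse_open_ports(SAMPLE_OPEN_PORTS)),
                        ("ip sockets", parse_ip_sockets(SAMPLE_IP_SOCKETS))):
        for s in unexpected_listeners(socks):
            print(f"{name}: unexpected {s.proto}/{s.local_port} {s.state} {s.service} remote={s.remote}")
```

Run it against real output pasted into the two sample strings; on the constructed samples it reports only the UDP/49 TACACS entry from each format, which is exactly the anomaly the thread is chasing. Well-known ports that appear in neither the allowlist nor the device's documented role are the ones worth an ACL or a TAC case.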
09-14-2009 07:48 AM
The TACACS+ server listens on TCP and the router will initiate the connection as a client to the server using a random high port.
I'm unsure why the client is listening on UDP 49 as it can't act as TACACS+ server and I can't find any documentation on this matter.
09-15-2009 06:42 PM
Hi,
(Very) old versions of TACACS used UDP instead of TCP, so it seems the code is still here.
I assume both source and destination ports are set to 49, as for other UDP applications.
HTH
Laurent.
09-16-2009 09:02 AM
Not sure I agree with your logic. See below:
udp *:49 10.94.0.5:0 TACACS service LISTEN
Basically, what it is telling me here is that the router is listening on UDP port 49. Why? The router should NOT be running an AAA server; the router is a client.
09-16-2009 11:28 AM
As I said, the router is also using 49 as its source port. That's why it's listening on it.
It doesn't mean it's acting as a server.
You will have the same behavior with RIP and LDP for example where source and destination UDP ports are equal:
AS1-P2#sh ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 10.10.1.2 67 0 0 1 0
17 --listen-- 10.10.1.2 496 0 0 1 0
17 --listen-- 10.10.1.2 1698 0 0 1 0
17 --listen-- 10.10.1.2 711 0 0 1 0
17 --listen-- 10.10.1.2 646 0 0 1 0
17 --listen-- 10.10.1.2 3503 0 0 1 0
17 10.1.1.1 49 10.10.1.2 49 0 0 11 0
17 --listen-- 10.10.1.2 520 0 0 1 0
I think it's been a while now that TACACS+ implementations rely on TCP only.
HTH
Laurent.
09-16-2009 12:36 PM
Again, I am not sure I understand what you're trying to convey that the router is also using port 49 as its source port.
For what?
This is what I am seeing on the ACS server with ethereal when the router communicates with the ACS Server:
No. Time Source Destination Protocol Info Packet length
1 0.000000 172.20.20.20 192.168.15.8 TCP 40214 > tacacs [SYN] Seq=1693988692 Win=4128 Len=0 MSS=536 60
Frame 1 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_7b:80:01 (00:05:00:7b:80:01), Dst: DellComp_39:c0:79 (00:06:5b:39:c0:79)
Internet Protocol, Src: 172.20.20.20 (172.20.20.20), Dst: 192.168.15.8 (192.168.15.8)
Transmission Control Protocol, Src Port: 40214 (40214), Dst Port: tacacs (49), Seq: 1693988692, Len: 0
No. Time Source Destination Protocol Info Packet length
2 0.000063 192.168.15.8 172.20.20.20 TCP tacacs > 40214 [SYN, ACK] Seq=574810695 Ack=1693988693 Win=16384 Len=0 MSS=1460 58
Frame 2 (58 bytes on wire, 58 bytes captured)
Ethernet II, Src: DellComp_39:c0:79 (00:06:5b:39:c0:79), Dst: Cisco_7b:80:01 (00:05:00:7b:80:01)
Internet Protocol, Src: 192.168.15.8 (192.168.15.8), Dst: 172.20.20.20 (172.20.20.20)
Transmission Control Protocol, Src Port: tacacs (49), Dst Port: 40214 (40214), Seq: 574810695, Ack: 1693988693, Len: 0
No. Time Source Destination Protocol Info Packet length
3 0.001747 172.20.20.20 192.168.15.8 TCP 40214 > tacacs [ACK] Seq=1693988693 Ack=574810696 Win=4128 Len=0 60
As you can see, the router uses tcp high-ports to communicate with the ACS server tcp port 49.
What is the meaning of UDP port 49 on the router?
09-16-2009 12:48 PM
As I said, the router is also using 49 as its source port. That's why it's listening on it.
Based on my findings, it isn't.
It uses a high random port for ACS communication to the server.
Still investigating as to why it has UDP 49 in listening mode...
09-16-2009 01:25 PM
OK, so here is my understanding:
1. The first TACACS+ implementation, back in the stone ages, was based on UDP and then moved to TCP. Both use the same port number.
Your capture is based on a TCP transaction, not UDP, so it's not relevant.
2. I assume that for UDP support IOS used 49 as the source port; otherwise I can't explain why the router should listen on this port. It doesn't surprise me, as other UDP-based protocols have the same behavior.
3. I agree this part of the code should be removed if there are no more UDP-based TACACS servers in the field.
From RFC 1492:
2.0 UDP Encoding: TACACS
This section describes the UDP encoding of the requests that have
just been described. It also describes the responses. This UDP
encoding forms the basis of the historical TACACS protocol.
HTH
Laurent.
09-16-2009 02:01 PM
1. The first TACACS+ implementation, back in the stone ages, was based on UDP and then moved to TCP. Both use the same port number.
Agreed. That was on the server side, XTACACS. The client shouldn't be listening to anything unless it's acting like a server, which we all know it can't.
Your capture is based on a TCP transaction, not UDP, so it's not relevant.
You can find the same behavior with the same show control-plane command. The client-server connection is made strictly on TCP when ACS services are needed. UDP 49 is never used. I don't understand how the capture is irrelevant.
2. I assume that for UDP support IOS used 49 as the source port; otherwise I can't explain why the router should listen on this port. It doesn't surprise me, as other UDP-based protocols have the same behavior.
That's the reason for the initial question: understanding why UDP 49 is opened. Your other examples on RIP and LDP are apples and oranges, as RIP and LDP aren't client-to-server protocols. LDP may qualify as client-to-server, but as we know the server can be the client and the client can be the server; that is not the same structure as TACACS+, where the router can never be the server.
09-16-2009 05:48 PM
Hi,
We are not talking about TACACS+ here, which relies only on TCP, but about XTACACS. That's why I said the traces were not relevant. They didn't prove what UDP source port is used by the router when configured for XTACACS.
I did some research and found some traces of XTACACS packets:
*Jun 24 10:53:25.881: IP: s=10.48.77.151 (local), d=10.48.75.136 (FastEthernet0), len 66, sending
*Jun 24 10:53:25.881: UDP src=49, dst=49
*Jun 24 10:53:25.881: IP: s=10.48.77.151 (local), d=10.48.75.136 (FastEthernet0), len 66, sending full packet
*Jun 24 10:53:25.881: UDP src=49, dst=49
*Jun 24 10:53:25.881: TAC: Send query type LOGIN (1) to 10.48.75.136, Id 8757, ver 0x80, port 2
*Jun 24 10:53:25.905: IP: s=10.48.75.136 (FastEthernet0), d=10.48.77.151, len 56, rcvd 2
*Jun 24 10:53:25.905: UDP src=49, dst=49
medoc#
So because the router uses 49 as its source port, it must be listening on it as well, even if it acts as a client from the application perspective.
From the router's point of view, XTACACS is a feature like LDP or RIP, without being aware of the "client/server" application model.
But I think it's an error to have this port opened when TACACS+ is configured (aaa new-model), because it will never use it.
Edison, I can give you the SR number if you want.
Laurent.
09-17-2009 02:25 AM
Laurent,
Assuming that it is true, how come I am NOT seeing this in IOS versions prior to 12.4T when I have "aaa new-model" enabled? See below:
C7140>sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 1.2.3.4 1985 0 0 1 0
17 --listen-- 224.0.1.40 496 0 0 61 0
17 10.109.114.10 514 10.10.89.240 58983 0 0 20 0
17 10.109.114.60 514 10.10.89.240 51599 0 0 20 0
17 192.168.15.8 49 10.10.89.240 49 0 0 21 0
17 10.109.114.60 162 192.168.15.1 55473 0 0 0 0
17 192.168.0.254 162 192.168.15.1 50336 0 0 0 0
17 192.168.3.10 67 192.168.15.1 67 0 0 2211 0
17 --listen-- 1.2.3.4 123 0 0 1 0
17 192.168.0.254 1031 10.10.89.240 161 0 0 1 0
17 --listen-- 1.2.3.4 162 0 0 11 0
17 --listen-- 1.2.3.4 55137 0 0 1 0
C7140>
09-17-2009 04:30 AM
I don't know how this part of code evolved during time and between different branches of code.
I tested with 12.2(33)SRD and 12.0S, and I can see the router listening on UDP port 49 as soon as I have a TACACS server configured (even without aaa new-model).
Laurent.
09-17-2009 04:14 AM
But I think it's an error to have this port opened when TACACS+ is configured (aaa new-model), because it will never use it.
That's exactly what we are talking about.
09-17-2009 06:06 AM
So what is the answer?
09-17-2009 06:10 AM
Can't find anything, sorry. My suggestion is to open a case with TAC so they can raise a bug if the Business Unit identifies it as such.
__
Edison.