
Does anybody know what this 185.53.178.9 address is? And why my ISE cluster wants to connect to it via port 80.

John Palmason
Level 4

I have a newly installed ISE 2.3 install in a DMZ and I am seeing attempts for my cluster to reach out to port 80 on this IP address 185.53.178.9. I can't tell if this is something I should expect from our node or if it's safe to keep blocking it and move on with my life. I am trying to keep what's allowed out of the DMZ to a minimum, of course, and wanted to know if anybody else knows the reason for this access request.

Thank you,

1 Accepted Solution

Ha, I did the same thing when I first saw this. ISE can reach out to the internet on port 80 for CRL, only reason I can think of it hitting some random IP.

If it's constant I would pcap it.

3 Replies

Arne Bier
VIP

Doesn't look good at all

https://www.abuseipdb.com/whois/185.53.178.9

Where did you detect this? Coming from the ISE host(s)?

I first found this while trying to watch my firewall logs for a new DMZ setup where we will have a standalone ISE 2 node deployment for guest access only. So the goodness is this isn't a cluster that is inside my PROD network, it's a new install on VMware and it seems to be the only external connectivity that this cluster is making other than DNS requests. This traffic is currently blocked and has never been allowed to connect.

Maybe it's time for a TAC, thanks for the replies
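Since the port 80 traffic is blocked and DNS is the node's only other outbound traffic, the DNS answers in a capture are the quickest way to see which hostname (a CRL distribution point or something else) resolved to 185.53.178.9. The following is an added example, not part of the original thread and not Cisco code: it scans a capture for DNS responses whose A record is that address and returns the names that were queried. It assumes a classic little-endian Ethernet pcap (not pcapng) with IPv4/UDP DNS; the sample capture, `crl.example.test` and the 192.0.2.x hosts are constructed.

```python
import socket
import struct

TARGET = "185.53.178.9"  # destination IP from the question

def read_name(msg, off):
    """Return (labels, offset past the name); a compression pointer ends the name."""
    labels = []
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace"))
        off += 1 + msg[off]
    return ".".join(labels), off + (2 if msg[off] else 1)

def names_resolving_to(pcap, target=TARGET):
    """Queried names whose DNS response holds an A record equal to target."""
    hits, off = set(), 24  # skip the global header of a classic little-endian pcap
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        try:
            udp = 14 + (pkt[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
            msg = pkt[udp + 8:]
            qd, an = struct.unpack_from("!HH", msg, 4)
            if (pkt[12:14], pkt[23], pkt[udp:udp + 2], qd) != (b"\x08\x00", 17, b"\x00\x35", 1):
                continue  # not a one-question IPv4/UDP message sent from port 53
            name, p = read_name(msg, 12)  # the name the client asked for
            p += 4  # QTYPE + QCLASS
            for _ in range(an):
                p = read_name(msg, p)[1]
                rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, p)
                if rtype == 1 and rdlen == 4 and socket.inet_ntoa(msg[p + 10:p + 14]) == target:
                    hits.add(name)
                p += 10 + rdlen
        except (struct.error, IndexError, OSError):
            continue  # truncated or malformed packet
    return sorted(hits)

def sample_pcap():
    """Constructed capture: one DNS response; the name and 192.0.2.x hosts are made up."""
    q = b"\x03crl\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(TARGET)
    dns = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + q + rr
    udp = struct.pack("!4H", 53, 40000, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.53"), socket.inet_aton("192.0.2.10")) + udp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
```

On a real capture, pass the file's bytes to `names_resolving_to`; the name it returns can then be compared with the CRL distribution point URLs in the certificates the node trusts.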