Why is port tcp/81 open and listening on my MX devices on the inside interface?

mvalpreda
Here to help

Been doing some vulnerability scanning and it came back that all 6 of our MX devices are listening and responding on tcp/81 on the inside interface. I go to the IP of the MX internally on port 81 in a browser and get a 404:
 
Not Found
The requested URL / was not found on this server.
 
Does it on my MX64 at home as well, checked another MX100... tcp/81 all open and giving 404. Same error on all of them. None of these devices have port 81 open on the firewall to anything. Some don't have any incoming ports open.
 
Called into support and they said it will listen on all ports and reply. Not true since I can go to a browser and put in port anything and get nothing. It's just tcp/81.
 
Anyone have any idea what is going on?
ww
Kind of a big deal

Some ports are open on the LAN side to provide web pages like blocked info for content filtering, splash page, local status page.

Bruce
Kind of a big deal

Interesting one... I did some digging and it looks like it might be where an icon was once stored. The root for my MX on port 81 seems to redirect to http://<MX IP Address>:81/favicon.ico - and throws the 404 error. Maybe someone at Meraki can explain this one, or close the port if it's no longer used.

oldroo
Getting noticed

This is one of a few issues I found out with equipment.

Amongst things like hosts in VLANs being able to ping the gateways of other VLANs (which to me is a security issue in itself even though according to support it is built to be like this - cannot think of a reason why, even when you have firewall rules saying not to allow it), you can also get to port 80 of all these VLANs, which is also a non-secure protocol that is automatically open.

At least they could do HTTPS???