powered by Jive Software

Lots of TCP connections in >54000 range on local OpenFire server

Hello! We’re seeing lots of connections (to/from the local machine named XMPP1) in the upper ports 54100-55xxx range. This is a Windows 2016 physical host with SQL Server 2017 Standard for OpenFire database. The OpenFire chat features are working is working fine, but we can’t seem to find the reason for these ports being used. This is blocking access by Veeam and other tools we need to secure and backup the system. Any idea what these connections are, and/or how to assign them to another chunk of ports?

Here is a snipit of NetStat -b on the Windows server:

[openfire-service.exe]
TCP 127.0.0.1:54208 XMPP1:54207 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54209 XMPP1:54210 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54210 XMPP1:54209 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54211 XMPP1:54212 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54212 XMPP1:54211 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54213 XMPP1:54214 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54214 XMPP1:54213 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54215 XMPP1:54216 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54216 XMPP1:54215 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54217 XMPP1:54218 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54218 XMPP1:54217 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54219 XMPP1:54220 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54220 XMPP1:54219 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54221 XMPP1:54222 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54222 XMPP1:54221 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54223 XMPP1:54224 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54224 XMPP1:54223 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54225 XMPP1:54226 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54226 XMPP1:54225 ESTABLISHED
[openfire-service.exe]
TCP 127.0.0.1:54227 XMPP1:54228 ESTABLISHED

What version of Openfire are you using? What plugins are being used? How many concurrent users, and what clients are they using?

My first guess is that this is some kind of media proxy.

Openfire 4.5.2 and we’re using Monitoring Service and Search. About forty users. Thanks!

This does not ring a bell with me. Does temporarily unloading the Monitoring plugin remove that behaviour?

Can you use a packet inspector like Wireshark to see if there is any recognisable data being exchanged?