Understanding Why Discovery Connects to the Wrong Port<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Overview During the first phase of a Discovery run, ServiceNow performs a scan of a predefined list of ports to determine which ports are open on a target device. Once an open port is found, Discovery attempts to identify the device using the protocol associated with that port. This choice determines the rest of the Discovery flow and ultimately how the Configuration Item is created or updated in the CMDB. For example, if port 22 is open, Discovery may classify the device using SSH, which corresponds to UNIX or Linux operating systems. If port 22 is not open and port 161 is available, Discovery will classify the device using SNMP, which is common for network, storage, or hardware appliances. The order in which Discovery checks each port determines the protocol used. How Port Order Affects Device Classification Discovery examines the list of ports in a specific sequence. When it finds an open port, it attempts to connect and identify the device. Discovery does not continue checking additional ports once a successful connection is made. Therefore, if SSH appears earlier in the scan order and the device is responding on port 22, Discovery will use SSH even if the customer intends for Discovery to classify the device using SNMP on port 161. This behavior is expected and is part of the design of the Discovery process. The port that responds first dictates the classification method. Common Causes A device may have an unexpected port enabled that the customer is not aware of. Different devices of the same type may have inconsistent port configurations. Default vendor settings may leave ports such as SSH enabled even when not needed. Network or firewall rules may allow one protocol but not another, affecting the port that responds first. Resolution To ensure that Discovery identifies the device using the correct protocol, customers should review the configuration of the device and confirm which ports it exposes. If SSH is enabled and the intent is for Discovery to classify using SNMP, the administrator may need to disable SSH or ensure that SNMP is consistently available and reachable. Discovery always selects the first port that responds in the scan sequence, so making sure the intended protocol port is accessible is essential. If a different scan order is required for a customer’s environment, Discovery can be customized. Modifications to the port scanning sequence are considered implementation work and fall outside standard ServiceNow Support. These changes can be performed by a qualified implementation partner or customer development team. Conclusion Discovery selects ports based on availability and scan order, and this determines how the device is classified. When Discovery uses a protocol that the customer did not expect, the cause is almost always that the earlier port in the scan list is open and responding. Once the device’s port configuration is aligned with the intended protocol, Discovery will classify the device accurately and consistently.