https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526032#M509650 <HTML><HEAD></HEAD><BODY><P>@Arne,</P><P></P><P>user@ubuntu:~/Desktop$ gpg -v --batch --yes --passphrase correctkey -d UNON_REMOTE_BACKUP-CFG10-180523-0816.tar.gpg &gt; /dev/null</P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P>gpg: original file name='UNON_REMOTE_BACKUP-CFG10-180523-0816.tar'</P><P><STRONG>gpg: WARNING: encrypted message has been manipulated!</STRONG></P><P>user@ubuntu:~/Desktop$ </P><P></P><P>user@ubuntu:~/Desktop$ gpg -v --batch --yes --passphrase incorrectkey -d UNON_REMOTE_BACKUP-CFG10-180523-0816.tar.gpg &gt; /dev/null</P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P><STRONG>gpg: decryption failed: Bad session key</STRONG></P></BODY></HTML> Thu, 24 May 2018 04:23:07 GMT kajibola 2018-05-24T04:23:07Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526030#M509647 <HTML><HEAD></HEAD><BODY><P>We have an issue regarding ACS to ISE migration and I don't know if you ve encountered it before.</P><P></P><P>Back-up was done from production ACS 5.8 patch 6 and imported to the LAB/migration ACS 5.8 patch 6. Migration tool was used to migrate config from the migration/lab ACS 5.8 patch 6 to migration/lab ISE 2.3 patch 3. After then back-up was done on migration/ISE lab, we tried restoring the back-up from the lab ISE to the newly deployed ISE but it keeps giving us <STRONG>"wrong encryption key or corrupted download from repository"</STRONG>.</P><P></P><P>We are very sure the encryption key is correct. Backup file have been re-generated and re-downloaded thrice with no success in restoring it to the newly deployed ISE.</P><P></P><P>Note: The migration/lab ISE is running ISE 2.3 patch 3 which is same with the newly deployed ISE.</P><P></P><P>I tried doing a backup and restore from the same newly deployed ISE to itself and it works but back up from the LAB ISE to the newly deployed ISE for restoration is not working.</P><P></P><P>Any pointer?</P><P></P><P><IMG alt="encry.JPG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/117221_encry.JPG" style="height: 145px; width: 620px;" /></P></BODY></HTML> Thu, 24 May 2018 03:06:54 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526030#M509647 kajibola 2018-05-24T03:06:54Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526031#M509648 <HTML><HEAD></HEAD><BODY><P>Just as a sanity check, copy that tar.gpg file to a Linux server and then use the gpg command to test your decryption key</P><P></P><P>[abier@centos ~]$ <STRONG>gpg -v --batch --yes --passphrase badphrase -d /mnt/hgfs/D/tmp/ISEDailyConfigBackups-CFG10-180524-0300.tar.gpg&nbsp; &gt; /dev/null</STRONG></P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P>gpg: decryption failed: Bad session key</P><P></P><P>Below is an example of the correct key (I replaced the password with *'s)</P><P>[abier@centos ~]$ <STRONG>gpg -v --batch --yes --passphrase *********&nbsp; -d /mnt/hgfs/D/tmp/ISEDailyConfigBackups-CFG10-180524-0300.tar.gpg&nbsp; &gt; /dev/null</STRONG></P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P>gpg: original file name='ISEDailyConfigBackups-CFG10-180524-0300.tar'</P><P>[abier@centos ~]$ </P></BODY></HTML> Thu, 24 May 2018 04:02:39 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526031#M509648 Arne Bier 2018-05-24T04:02:39Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526032#M509650 <HTML><HEAD></HEAD><BODY><P>@Arne,</P><P></P><P>user@ubuntu:~/Desktop$ gpg -v --batch --yes --passphrase correctkey -d UNON_REMOTE_BACKUP-CFG10-180523-0816.tar.gpg &gt; /dev/null</P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P>gpg: original file name='UNON_REMOTE_BACKUP-CFG10-180523-0816.tar'</P><P><STRONG>gpg: WARNING: encrypted message has been manipulated!</STRONG></P><P>user@ubuntu:~/Desktop$ </P><P></P><P>user@ubuntu:~/Desktop$ gpg -v --batch --yes --passphrase incorrectkey -d UNON_REMOTE_BACKUP-CFG10-180523-0816.tar.gpg &gt; /dev/null</P><P>gpg: AES encrypted data</P><P>gpg: encrypted with 1 passphrase</P><P><STRONG>gpg: decryption failed: Bad session key</STRONG></P></BODY></HTML> Thu, 24 May 2018 04:23:07 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526032#M509650 kajibola 2018-05-24T04:23:07Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526033#M509652 <HTML><HEAD></HEAD><BODY><P>Not seen that before.&nbsp; I would speculate that ISE 2.0 signed that backup with an older cipher or something</P><P></P><P>Try the -vv argument for more verbose output - maybe it spits out a useful clue in your case</P><P></P><P>[abier@centos ~]$ <STRONG>gpg -vv --batch --yes --passphrase ****** -d /mnt/hgfs/D/tmp/ISEDailyConfigBackups-CFG10-180524-0300.tar.gpg&nbsp; &gt; /dev/null</STRONG></P><P>:symkey enc packet: version 4, cipher 7, s2k 3, hash 2</P><P> salt 7c73b46bc89be249, count 8912896 (209)</P><P>gpg: AES encrypted data</P><P>:encrypted data packet:</P><P> length: 399761931</P><P> mdc_method: 2</P><P>gpg: encrypted with 1 passphrase</P><P>:literal data packet:</P><P> mode b (62), created 1527095724, name="ISEDailyConfigBackups-CFG10-180524-0300.tar",</P><P> raw data: 399761836 bytes</P><P>gpg: original file name='ISEDailyConfigBackups-CFG10-180524-0300.tar'</P><P>gpg: decryption okay</P></BODY></HTML> Thu, 24 May 2018 04:40:10 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526033#M509652 Arne Bier 2018-05-24T04:40:10Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526034#M509653 <HTML><HEAD></HEAD><BODY><P>ISE 2.3 patch 3 was used</P><P></P><P>user@ubuntu:~/Desktop$ gpg -vv --batch --yes --passphrase **** -d UNON_REMOTE_BACKUP-CFG10-180523-0816.tar.gpg &gt; /dev/null</P><P># off=0 ctb=8c tag=3 hlen=2 plen=13</P><P>:symkey enc packet: version 4, cipher 7, s2k 3, hash 2</P><P>salt 0CD78ED18AD3030F, count 8126464 (207)</P><P>gpg: AES encrypted data</P><P># off=15 ctb=d2 tag=18 hlen=6 plen=56938060 new-ctb</P><P>:encrypted data packet:</P><P>length: 56938060</P><P>mdc_method: 2</P><P>gpg: encrypted with 1 passphrase</P><P># off=40 ctb=ae tag=11 hlen=5 plen=56938014</P><P>:literal data packet:</P><P>mode b (62), created 1527064416, name="UNON_REMOTE_BACKUP-CFG10-180523-0816.tar",</P><P>raw data: 56937968 bytes</P><P>gpg: original file name='UNON_REMOTE_BACKUP-CFG10-180523-0816.tar'</P><P>gpg: WARNING: encrypted message has been manipulated!</P></BODY></HTML> Thu, 24 May 2018 04:52:31 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526034#M509653 kajibola 2018-05-24T04:52:31Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526035#M509654 <HTML><HEAD></HEAD><BODY><P>Funny enough, my example backup file was also taken on ISE 2.3 patch 3! </P><P>The only difference I can see is the gpg stuff</P><P># off=0 ctb=8c tag=3 hlen=2 plen=13</P><P># off=15 ctb=d2 tag=18 hlen=6 plen=56938060 new-ctb</P><P></P><P>I don't know what that means.&nbsp; These gpg files are binary - what are the chances that you inadvertently ftp'd/transferred the file in ASCII mode and not BINARY?&nbsp; It's a long shot but worth checking</P></BODY></HTML> Thu, 24 May 2018 05:26:10 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526035#M509654 Arne Bier 2018-05-24T05:26:10Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526036#M509657 <HTML><HEAD></HEAD><BODY><P>Hi Kusimo,</P><P></P><P>Also something to remember is that you dont know how many backups and restores was done prior to ACS 5.8 p6 to get to that version. As Arne pointed out it could be corruption from ftp as well.</P><P>You can isolate this by taking existing backup(first backup), resetting the ISE config, take a fresh backup and restore it to another ISE server. There by you are avoiding the corruption carried over if any.</P><P>Try restoring the first backup to the same ISE server and see if it comes up avoiding ftp. You can create a local repository for backup. Also for sanity sake I have to say this, make sure you are using the right repository and right file etc...:)</P><P></P><P>Would be good to call TAC to troubleshoot further if it impacts your business.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Thu, 24 May 2018 21:35:08 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526036#M509657 kthiruve 2018-05-24T21:35:08Z https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526037#M509661 <HTML><HEAD></HEAD><BODY><P>Thank you all for the wonderful contributions.</P><P></P><P>Doing checksum on the file and the remote one shows that the hash is no longer the same. Re-uploading and re-downloading it is not even helping as we are still having the encryption key issue.</P><P></P><P>Back up generated and restored on the newly deployed ISE is working without encryption key error.</P><P></P><P>I decide to do my own migration locally and this solves the problem.</P></BODY></HTML> Thu, 31 May 2018 11:36:04 GMT https://community.cisco.com/t5/network-access-control/ise-restore-error-wrong-encryption-key-or-corrupted-download/m-p/3526037#M509661 kajibola 2018-05-31T11:36:04Z