topic Re: ISE - FIPS Disabled but SSH using FIPS!?? in Network Access Control

ISE - FIPS Disabled but SSH using FIPS!??

R M C — Tue, 24 Dec 2019 15:37:09 GMT

Merry Christmas Everyone!

I have a quick query...

I have a pair of ISE nodes running 2.4 Patch 10 that seems to insist on trying to use FIPS for SSH/SFTP which I believe is causing the connecttion to fail as the remote server is not FIPS capable.

FIPS Mode is disabled via the GUI, though I can't see where to change this on the CLI.

Any help would be appreciated, below is the error when testing SSH. This is currently preventing me upgrading to 2.6. I have another pair of ISE boxes, running the same version/patch which do not experience this issue.

ise01/admin# ssh <serverIP> diserepo
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_dispatch_run_fatal: Connection to <serverIP> port 22: error in libcrypto

Many thanks

Mark

Re: ISE - FIPS Disabled but SSH using FIPS!??

Colby LeMaire — Tue, 24 Dec 2019 16:08:15 GMT

Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.

Re: ISE - FIPS Disabled but SSH using FIPS!??

Jason Kunst — Tue, 24 Dec 2019 20:25:59 GMT

@Colby LeMaire wrote:

Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.

agree if that fails might be a bug, check with TAC

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Wed, 25 Dec 2019 02:03:33 GMT

Thanks Colby and Jason

I had try restarting the services and then when that didn't fix it a hard boot but alas neither worked. It looks like a call to TAC. I'll update with the findings.

Thanks again and have a great Christmas.

Mark

Re: ISE - FIPS Disabled but SSH using FIPS!??

EdoukouMelaine81749 — Mon, 27 Apr 2020 09:24:21 GMT

Hello @R M C, any findings here? think in advance

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Mon, 27 Apr 2020 10:08:08 GMT

Hi Melaine

Apologies for the late follow up, TAC found a bug in 2.6 patch 4 and have been able to replicate, it is apparently fixed in 2.6 patch 5 though I've yet to obtain downtime to test, due to current restrictions. As soon as I'm able to, I'll post an update.

Many thanks

Mark

Re: ISE - FIPS Disabled but SSH using FIPS!??

pnowikow — Tue, 26 May 2020 21:53:40 GMT

This fails for me in 2.6 patch 6. I'm opening a case now.

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Wed, 08 Jul 2020 17:14:30 GMT

It is still failing for me in 2.6 patch 6 too. TAC are still investigating.

Re: ISE - FIPS Disabled but SSH using FIPS!??

PSM — Thu, 20 Aug 2020 13:39:02 GMT

Same problem for me as well in 2.6 patch 7. Have you found solution ?

Re: ISE - FIPS Disabled but SSH using FIPS!??

Greg Gibbs — Fri, 21 Aug 2020 07:19:45 GMT

There are a couple of bugs that could be involved here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum13116

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt88460

I would suggest running the following commands from the CLI, capturing the output from the console, and opening a TAC case to investigate further.

debug transfer 7
debug copy 7
show repository <reponame>

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Mon, 24 Aug 2020 11:13:07 GMT

Hi Pradeep

My case is still open, apparently it is a 'feature' that was enabled. They are currently in discussions as to whether this will be disabled in a future release, though that's still with the dev team. Unusually, it doesn't seem to affect SFTP....

I'll post an update as soon as I hear further.
Thanks

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Wed, 10 Mar 2021 18:49:46 GMT

I ended up closing the TAC case, I was no longer able to replicate the issue, I'm not sure if the server team had change encryption ciphers, they certainly hadn't enabled FIPS compliance. But it is now working....

Below is an explanation as to how the repository lookup worked though SSH didn't, I hope it helps someone.

The sh repo command works because it activates SFTP protocol in its underlying script, unlike the SSH command itself (e.g. SSH to Microsoft server will use Microsoft server ciphers, sh repo <name> will SFTP to SFTP server and use the ciphers that are available in that application’s software/version level – again both use-cases being the same L3 address).

Re: ISE - FIPS Disabled but SSH using FIPS!??

davsnet2000 — Wed, 27 Oct 2021 21:35:14 GMT

RMC, Do you remember the TAC case number? I'm running v2.7 p4 and I have this problem when trying to set up FIPS mode for a STIG.When I try to enable FIPS I get the same error. No matter what boxes I deselect it will never go enabled.

Error Message: 'The following "Allowed Protocols" are configured to use non-FIPS compliant protocols. FIPS can not be enabled until these "Allowed Protocols" are deleted or they are edited to use only FIPS compliant protocols.'

Re: ISE - FIPS Disabled but SSH using FIPS!??

tucker1231 — Fri, 14 Jan 2022 12:34:15 GMT

I had the same issue. I disabled MD5 hash and was able to enable FIPS. But, I now can't SSH into ISE since I turning FIPS on.

Re: ISE - FIPS Disabled but SSH using FIPS!??

R M C — Thu, 23 Jun 2022 11:58:54 GMT

Hi Davsnet

Apologies for the delay, my issue was the opposite, I had FIPS disabled however the connection was defaulting to FIPS enabled. The issue appear to resolve itself unfortunately and I could no longer replicate.

Apologies.