topic Re: ISE 2.7 Patch 1 SFTP Repository SSH issue in Network Access Control

ISE 2.7 Patch 1 SFTP Repository SSH issue

Pierre44120 — Wed, 09 Sep 2020 12:19:23 GMT

Hello,

I have created a new SFTP repository on a ISE 2.7 Patch 1 in GUI.

And I get the error below when I try to validate the repository. What did I miss for the config?

Repository validation failed due to error - SSH connect error. Verify configuration. In case Backup was restored on different setup, please re-configure the repository passwords (Expected behaviour)

Below the SFTP server's logs (Windows 2K19 OpenSSH works fine with another SFTP Backup for an other app ) :
13484 2020-09-09 14:15:45.563 debug1: inetd sockets after dupping: 4, 4
13484 2020-09-09 14:15:45.564 Connection from 10.10.9.13 port 15115 on 10.10.9.4 port 22
13484 2020-09-09 14:15:45.566 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
13484 2020-09-09 14:15:45.567 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6 PKIX[11.0]
13484 2020-09-09 14:15:45.567 debug1: match: OpenSSH_7.6 PKIX[11.0] pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
13484 2020-09-09 14:15:45.668 debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
13484 2020-09-09 14:15:45.668 debug1: SSH2_MSG_KEXINIT sent [preauth]
13484 2020-09-09 14:15:45.668 debug1: SSH2_MSG_KEXINIT received [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: algorithm: curve25519-sha256 [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: host key algorithm: ssh-rsa [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: client->server cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: server->client cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
13484 2020-09-09 14:15:45.668 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
13484 2020-09-09 14:15:45.694 debug1: rekey out after 4294967296 blocks [preauth]
13484 2020-09-09 14:15:45.694 debug1: SSH2_MSG_NEWKEYS sent [preauth]
13484 2020-09-09 14:15:45.694 debug1: Sending SSH2_MSG_EXT_INFO [preauth]
13484 2020-09-09 14:15:45.694 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
13484 2020-09-09 14:15:45.695 Connection closed by 10.10.9.13 port 15115 [preauth]
13484 2020-09-09 14:15:45.696 debug1: do_cleanup [preauth]
13484 2020-09-09 14:15:45.697 debug1: monitor_read_log: child log fd closed
13484 2020-09-09 14:15:45.697 debug1: do_cleanup
13484 2020-09-09 14:15:45.697 debug1: Killing privsep child 11252

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

Colby LeMaire — Wed, 09 Sep 2020 13:52:35 GMT

Did you add the server host key to the ISE server CLI using the command "crypto host_key add"?

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

Mike.Cifelli — Wed, 24 Feb 2021 16:14:05 GMT

FYSA I also had a similar issue with ISE2.7p2. The fix was re-adding the host key via CLI as @Colby LeMaire suggested.

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

NgTurngHui7950 — Thu, 12 Aug 2021 07:09:14 GMT

Hi Mike, I tried your method but it did not work. Is there anything else I can explore?

Best Regards,

Ng Turng Hui

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

Milos_Jovanovic — Thu, 12 Aug 2021 07:29:03 GMT

Hi @NgTurngHui7950,

Have you executed 'crypto host_key add' on same server you are trying to access it from? In case of multiple ISE nodes, you need to repeat command on all nodes from which you are attempting to read repository.

BR,

Milos

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

NgTurngHui7950 — Thu, 12 Aug 2021 09:30:02 GMT

Hi Milo,

Yes i did add Crypto host_key add host <Hostname of SFTP Server> on the exec mode.

This was working fine before I upgrade the Cisco ISE from version 2.3.0 to 2.7.0 . I redo the entire process which is to remove the host_key from the CLI and remove the SFTP Server setting on the GUI, reboot the services, added the SFTP Server settings again and lastly added the host_key.

When i type "show repository <Repository Name>" , I am left with the following error.

"Repository sftprepo could not be accessed. In case Backup was restored on different setup, please re-configure the repository passwords (Expected behaviour). Failure occurred during request"

I am in a pickle here. This is just SFTP and is giving me so much problems. Do you have any idea what may be causing this?

Best Regards,

Ng Turng Hui

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

Milos_Jovanovic — Thu, 12 Aug 2021 13:38:33 GMT

You could try to look at logs on the server side, to try to understand something from there, if possible.

It looks you did everything you should. I would contact TAC as next step, as I can't recommend any reasonable troubleshooting step from here.

BR,

Milos

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

SydneyMarihoho54099 — Thu, 05 May 2022 15:48:23 GMT

Hi Ng Tung Hui

I have a similar problem and I would like to know if you managed to resolve your problem and how if you did?

Thanks,

Sydney

Re: ISE 2.7 Patch 1 SFTP Repository SSH issue

Ng Turng Hui — Sat, 14 May 2022 05:00:07 GMT

Hi Sydney,

How I resolve the issue is to upgrade the Cisco ISE to Version 2.7 Patch 4. There is a bug is Cisco Ise Version 2.7 which resulted in failure using SFTP. Hope this helps.

Best Regards,

Ng Turng Hui