10-07-2022 01:28 PM
Hi Everyone,
I need to transfer a file to DNAC and am trying to use WinSCP, but unfortunately I am getting some error messages like "Bash is recommended". I changed the shell setting to Bash but still no luck. Can someone please kindly advise or give some direction on how I can get this file onto the DNAC, with or without WinSCP?
I need to get the file CSCwb00526.sh.zip from https://software.cisco.com/download and transfer it to DNAC /data/tmp
See some pic below:
I think I am getting the SCP / shell setting wrong. Any direction to set this up? Please help!
It seems to have been authenticated but yet it fails with an error message. See below:
Any advice will be appreciated. Thanks
10-07-2022 02:15 PM
Hi @Macky05
I use WinSCP regularly to transfer files to/from DNAC. The file protocol should be SFTP and not SCP. Can you set the protocol to SFTP and try again?
Hope that this helps
Will
10-07-2022 11:50 PM
I also tried with SFTP, and it failed.
With DNAC version 2.3.2.0, it seems there is no option to set up the SFTP server.
However, I once troubleshot with TAC and SCP was used with some changes made in the Advanced settings -> Shell of WinSCP; I just can't remember how the shell path was set. I have tried different paths but no luck. I am sure Cisco customized the default shell paths. Can anyone please let me know what this path or advanced setting could be?
10-08-2022 08:24 AM - edited 10-09-2022 01:01 AM
Ok that is interesting.
I have just installed the latest version of WinSCP (5.21.5), with default settings, and I can connect to my DNAC 2.3.3.4 server using SFTP and transfer files without any issues. However, if I change the protocol to SCP, I receive the same error 'Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended)'.
For comparison, I performed the same test on a DNAC 2.2.2.8 server and I can connect and transfer files using both SFTP and SCP so I suspect that the SCP issue is related to the restricted shell feature that is enabled by default in the later versions of DNAC.
I disabled restricted shell on DNAC 2.3.3.4 and now SCP is working correctly. You can disable the restricted shell using the following command. Can you give this a go and see if it fixes the issue?
_shell -c 'sudo magctl ssh shell bash'
If this still fails to work, DNAC has an SFTP/SCP client that can be used to transfer files from a remote server to a local path. For example, you can use the following command from the DNAC CLI to transfer file 'test.txt' from remote SFTP server 192.168.1.1 to /data/tmp.
sftp user@192.168.1.1:test.txt /data/tmp
10-18-2022 04:12 AM
Thanks very much.
Bypassing the restricted shell with the command:
_shell -c 'sudo magctl ssh shell bash'
I could get remote access with winSCP via SFTP or SCP.
The reference link you provided is also very handy:
Thanks a lot.
05-07-2024 09:39 AM
Hello
Is this solution applicable to ISE? I am trying to copy a patch file to the ISE repository, and I have WinSCP on my laptop. Please advise.
10-12-2022 06:34 AM
Are you using "maglev" as your username? I can't speak on WinSCP, but I'm able to connect to my Cisco DNA Cluster running 2.3.2.1 using SFTP with Filezilla.
For a protocol I'm using SFTP, port 2222 and username maglev. You need to use your maglev username/password since you're essentially accessing the CLI, not the administrator GUI username/password.
Other than that, my advanced, transfer settings, charset, etc are all default.
05-09-2024 07:37 AM
To note, the command "sudo magctl ssh shell bash" will not work on 2.3.5.x and above. The correct method is to use sftp in winscp with the username as maglev and port 2222, along with the shell profile set to default not /bin/bash. This will allow you access to the file system in the restricted shell.
As a side note, please save all files in the artifacts directory as this directory has the most space and will not cause service disruption if the partition gets full.
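The SFTP transfer described in the post above (user maglev, port 2222), as an added example that is not part of the original post: it checks the download's SHA-512 before uploading and refuses an unknown host key. It assumes OpenSSH `sftp` and `sha512sum` on the workstation; the function names are illustrative, and the host, the expected hash and the remote directory are supplied by the operator.

```sh
#!/bin/sh
# Added example (not from the thread): check a download's SHA-512, then
# upload it with OpenSSH sftp. Host, hash and remote directory are
# operator-supplied; function names are illustrative.

# Succeeds only if FILE's SHA-512 equals EXPECTED (hex, any case).
verify_sha512() {
  [ -f "$1" ] || return 2
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  have=$(sha512sum < "$1" | awk '{print $1}')
  [ "$have" = "$want" ]
}

# Print the sftp commands that upload FILE into REMOTE_DIR and list it.
# Names containing a double quote or newline are refused because they
# would break the quoting of the command lines.
sftp_commands() {
  case "$1$2" in *'"'*|*'
'*) return 1 ;; esac
  name=$(basename -- "$1")
  printf 'put "%s" "%s/%s"\n' "$1" "$2" "$name"
  printf 'ls -l "%s/%s"\n' "$2" "$name"
}

# upload HOST FILE EXPECTED_SHA512 REMOTE_DIR
upload() {
  verify_sha512 "$2" "$3" || { echo "SHA-512 mismatch: $2" >&2; return 1; }
  cmds=$(sftp_commands "$2" "$4") || { echo "unsafe name" >&2; return 1; }
  # Port 2222 and user maglev are the values given in the thread.
  # StrictHostKeyChecking=yes refuses an unknown or changed host key,
  # so the key must already be in known_hosts.
  # Commands come from stdin so the password prompt still appears on the
  # terminal; a failed put does not abort the session, so read the listing.
  printf '%s\n' "$cmds" | sftp -P 2222 -o StrictHostKeyChecking=yes "maglev@$1"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then upload "$@"; fi
```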
05-09-2024 09:06 AM
05-09-2024 09:33 AM
Hi,
1. You would use the SSH login password for the WinSCP or any file transfer program.
2. Cisco ISE's restricted shell runs differently than Cisco Catalyst Center's (formerly known as Cisco DNA Center). I don't believe Cisco ISE allows most Linux commands such as sudo. I'm not sure how it is supposed to work there. Magctl/maglev commands will not work on Cisco ISE.
3. As above, this post is for Cisco Catalyst Center, not for Cisco ISE. Cisco ISE has its own requirements.
4. I don't see any image so I cannot confirm what is right or not.
05-09-2024 09:57 AM
05-09-2024 10:26 AM
I understand however, this isn't a thread for Cisco ISE, this is a thread for Cisco Catalyst Center (Cisco DNA Center) within the forum space for Cisco Catalyst Center.
For Cisco ISE questions, it would be better to ask in that forum which should be under Network Management:
https://community.cisco.com/t5/network-management/bd-p/5931-discussions-network-management
From my limited dealings with Cisco ISE though, I had to put the patch on a Linux server I was using for backups, then create a repository on Cisco ISE pointing to the backup server and the file. At that point I was able to patch/upgrade Cisco ISE.
05-10-2024 01:38 AM
05-10-2024 06:43 AM
I cannot say this enough, this forum is not for Cisco ISE, it is for Cisco Catalyst Center. Please use the forum under Network Management for questions related to Cisco ISE operations. That is going to be the best place for you to get support and have your question answered.