Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1006
Views
2
Helpful
9
Replies

Does anyone reads this? Cisco XE always on sandboxes are not working.

DMYTROLUKINYKH18058
Level 1
Level 1

‎11-07-2023 08:56 PM

I am  not able to ssh or netconf to the following devnet environment: IOS XE on Catalyst Latest Code Always On
It seems like there is something wrong with how the sandbox is set up, or the credentials are simply wrong. When I ssh into it admin@sandbox-iosxe-latest-1.cisco.com (password C1sco12345 ) , I get the following error: 

kex_exchange_identification: read: Connection reset by peer
Connection reset by 131.226.217.143 port 22

When I attempt to connect with python/netconf, I get this error:

ncclient.transport.errors.SSHError: Negotiation failed: Error reading SSH protocol banner[Errno 104] Connection reset by peer

I am not sure who to reach out to, but this should be fixed by sandbox support, I am pretty sure there is no issue in my code, because it is working with other dev environments. 

Similarly, I am not able to use the following development environment:IOS XE on CSR Recommended Code AlwaysOn

Before I was at least able to ssh into the latter device by changing the key exchange method to a more outdated one like this: 

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 developer@sandbox-iosxe-recomm-1.cisco.com (password lastorangerestoreball8876 ) but now it is also producing error: 

Unable to negotiate with 131.226.217.149 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

Please fix those sandboxes so that students can practice using netconf/restconf on them. They have been broken for a while, please don't ignore 

1 person had this problem
Labels:
9 Replies 9

bigevilbeard
VIP
VIP

‎11-08-2023 02:04 AM

@DMYTROLUKINYKH18058 i spoke with the team on this last week - they are aware there is some malicious use of the sandboxes which locks other user out of the sandbox until the team can restore them. There is no SLA on the sandboxes for the team to fix these, they are free resource provided to the community. You can use the reservation based XE or CML sandbox whilst the always on ones are down or simply spin up an XE device locally in Vagrant/Virtual Box for personal use.

For your ssh key issue you can specify the key exchange algorithm to use on the SSH command line.  OpenSSH version 7. SHA1 is weak, so support for it has been removed on Mac for a while now (forget how long)

ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 user@host

Or my usual fix for this is to edit the macs ssh_config file directly and allow the older (less secure) connection methods. In your 

sudo vim /etc/ssh/ssh_config

The add the following lines and wq

HostkeyAlgorithms ssh-dss,ssh-rsa
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
0 Helpful

DMYTROLUKINYKH18058
Level 1
Level 1
In response to bigevilbeard

‎11-08-2023 08:30 AM

I'm glad they are aware. Thank you for passing it to them.

Reservation sandboxes require the installation of the VPN app on my machine which I am trying to avoid. 

Your SSH solution works for other boxes, but not for sandbox boxes in question. 

This is unfortunate that it is community resources, because the Cisco Devnet course references those, and CbtNuggets Devnet classes are also referencing those, and for now we do not have any alternatives except the single XE reservation sandbox which requires the VPN installation (note, I can not install VPN application on my current working machine). I really hope they will get fixed soon. Meanwhile, I will need to move my dev environment to another machine (which will take some time) and start reserving those sandboxes. 

0 Helpful

jokearns1
Cisco Employee
Cisco Employee

‎11-08-2023 09:52 AM

Hi, 

First off, apologies for the issues you are seeing. We are aware of  accessibility problems with these AO labs and are working through them. Being accessed by multiple users brings its own challenges regarding security. 

I have just tested access now and am hitting the same issue. Will reach out here when we have resolved the issue. 

Regards, 

Support 

DMYTROLUKINYKH18058
Level 1
Level 1

‎11-12-2023 03:46 PM - edited ‎11-13-2023 08:26 AM

.

0 Helpful

jokearns1
Cisco Employee
Cisco Employee
In response to DMYTROLUKINYKH18058

‎11-13-2023 10:13 AM

Hi, 

I have reached out to you 1-1.

Joe

0 Helpful

rochimbetete
Level 1
Level 1
In response to jokearns1

‎12-13-2023 08:21 AM

IOS XE on Cat8kv AlwaysOn Lab

 

Please may you fix this for eveyone

0 Helpful

bigevilbeard
VIP
VIP
In response to rochimbetete

‎12-13-2023 08:45 AM

@rochimbetete what is your issue?

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io
0 Helpful

jokearns1
Cisco Employee
Cisco Employee
In response to rochimbetete

‎12-13-2023 09:35 AM

Hi, 

The AO lab is accessible:

ssh admin@sandbox-iosxe-latest-1.cisco.com

Joe

0 Helpful

jokearns1
Cisco Employee
Cisco Employee

‎12-13-2023 09:38 AM

Just an FYI: We have blocked ports 80 and 443 due to a security advisory. We will be patching the server in the new year and opening those ports again. 

0 Helpful
Customers Also Viewed These Support Documents