Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2256
Views
0
Helpful
1
Replies

IronPort C170 gives Invalid_server_public_host_key error after IOS upgrade from 10.0.2 to 11.0.0

scottcummins
Level 1
Level 1

‎10-22-2018 02:29 AM

I upgradedmy Ironport C170 Cluster nodes to 11.0.0 from 10.0.2 and now I cannot join one of them back to cluster because I get the follwoing error

Machine mail.paytel.com (Serial #: 5057A8E1FEB6-FTX1621M01Q) -
disconnected: mail2.paytel.com -> mail.paytel.com: Network communication error:
<Invalid_Server_Public_host_Key host_id=<IPv4_Remote_Host_ID instance
ip='10.50.30.11' hostname=None>> (Mon Oct 22 05:24:05 2018 EDT)
Machine mail2.paytel.com (Serial #: 5057A8E1FA93-FTX1621M01C)

 

Also sends me an e-mail saying 

 

Error connecting to cluster machine mail.paytel.com (Serial #: 5057A8E1FEB6-FTX1621M01Q) at IP 10.50.30.11 - Invalid host key - No public host keys matched the remote host.

 

Version: 11.0.0-274

Serial Number: 5057A8E1FA93-FTX1621M01C

Timestamp: 22 Oct 2018 05:23:39 -0400

 

I do not know enough about this to try and remedy it without some assistance, can anyone direct me in the right recourse?

2 people had this problem
Labels:
0 Helpful
1 Reply 1

munbali
Cisco Employee
Cisco Employee

‎10-22-2018 02:49 AM

Hello scottcummins

this is caused by a behavior change introduced in versions 11.x and above, feel free to check page 14 of the below release notes:
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa11-0/ESA_11-0_Release_Notes.pdf

"During cluster communication, host key verifications are now performed
based on SSH-RSA only."

in order to resolve this issue you can do the following:
log in to each one of the appliances CLI and issue the command :
logconfig ssh hostkey scan <hostname_or_IP_address>

replace the <hostname_or_IP_address> with the actual IPs for your machines
so if you have 2 machines you need to issue the command twice each with the IP of one if the machines , and repeat the procedure on the second appliance as well
and make sure to commit the changes after the keys are added

Regards,
Muna Bali
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents