
IronPort C170 gives Invalid_server_public_host_key error after IOS upgrade from 10.0.2 to 11.0.0

scottcummins
Level 1

I upgraded my IronPort C170 cluster nodes to 11.0.0 from 10.0.2 and now I cannot join one of them back to the cluster because I get the following error:

Machine mail.paytel.com (Serial #: 5057A8E1FEB6-FTX1621M01Q) -
disconnected: mail2.paytel.com -> mail.paytel.com: Network communication error:
<Invalid_Server_Public_host_Key host_id=<IPv4_Remote_Host_ID instance
ip='10.50.30.11' hostname=None>> (Mon Oct 22 05:24:05 2018 EDT)
Machine mail2.paytel.com (Serial #: 5057A8E1FA93-FTX1621M01C)


It also sends me an e-mail saying:

Error connecting to cluster machine mail.paytel.com (Serial #: 5057A8E1FEB6-FTX1621M01Q) at IP 10.50.30.11 - Invalid host key - No public host keys matched the remote host.


Version: 11.0.0-274

Serial Number: 5057A8E1FA93-FTX1621M01C

Timestamp: 22 Oct 2018 05:23:39 -0400


I do not know enough about this to try and remedy it without some assistance; can anyone direct me to the right recourse?

1 Reply

munbali
Cisco Employee
Hello scottcummins,

This is caused by a behavior change introduced in versions 11.x and above; feel free to check page 14 of the release notes below:
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa11-0/ESA_11-0_Release_Notes.pdf

"During cluster communication, host key verifications are now performed
based on SSH-RSA only."

In order to resolve this issue you can do the following:
Log in to the CLI of each one of the appliances and issue the command:
logconfig ssh hostkey scan <hostname_or_IP_address>

Replace <hostname_or_IP_address> with the actual IPs of your machines, so if you have 2 machines you need to issue the command twice, each with the IP of one of the machines, and repeat the procedure on the second appliance as well. Make sure to commit the changes after the keys are added.

Regards,
Muna Bali
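To make the verifier behaviour behind this thread concrete, here is an added Python model; it is not Cisco code and not the appliance's implementation. It keeps a known_hosts-style store of cluster peer keys, runs a check that accepts only ssh-rsa entries (the change the 11.0 release notes describe), and has a scan step that records the key the peer currently presents, as the hostkey scan command in the reply does. The store format, the assumption that pre-11.x releases also honoured non-RSA key types, and the key blobs are constructed; the peer address 10.50.30.11 is the one from the post. The store starts with only a non-RSA key for that peer, so the check reproduces the "no public host keys matched" outcome and shows how adding the ssh-rsa key clears it.

```python
import base64
import hashlib

# Behaviour quoted from the ESA 11.0 release notes: cluster host key checks use SSH-RSA only.
ACCEPTED_TYPES_11X = ("ssh-rsa",)
# Assumption for the model: the pre-11.x verifier also honoured other key types.
ACCEPTED_TYPES_LEGACY = ("ssh-rsa", "ssh-dss")


def b64(label: str) -> str:
    """Base64 of a label; stands in for a real key blob in this constructed sample."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample store, in a known_hosts-like "<host> <type> <base64-key>" layout.
# The only entry for 10.50.30.11 (the peer in the post) is a non-RSA key.
KNOWN_HOSTS = "\n".join([
    f"10.50.30.11 ssh-dss {b64('constructed-dss-key-mail')}",
    f"10.50.30.12 ssh-rsa {b64('constructed-rsa-key-mail2')}",
]) + "\n"


def parse_known_hosts(text: str):
    """Return a list of (host, key_type, blob) tuples; blank and '#' lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<host> <type> <base64-key>'")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob, for out-of-band comparison."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(entries, host, key_type, blob, accepted_types=ACCEPTED_TYPES_11X):
    """Classify the key a peer presents against the stored entries for that host.

    'unsupported_type': the peer offered a key type the verifier no longer considers.
    'no_match':         nothing stored for this host in an accepted type (the post's error).
    'ok':               stored key of the same type matches.
    'mismatch':         a different key of an accepted type is stored for this host.
    """
    if key_type not in accepted_types:
        return "unsupported_type"
    candidates = [(t, b) for h, t, b in entries if h == host and t in accepted_types]
    if not candidates:
        return "no_match"
    if any(t == key_type and b == blob for t, b in candidates):
        return "ok"
    return "mismatch"


def scan_and_add(entries, host, key_type, blob):
    """Model of the hostkey scan step: record the key the peer currently presents."""
    if (host, key_type, blob) in entries:
        return entries
    return entries + [(host, key_type, blob)]


def demo():
    """Walk through the thread's situation; returns the results at each step."""
    entries = parse_known_hosts(KNOWN_HOSTS)
    dss_key = b64("constructed-dss-key-mail")
    rsa_key = b64("constructed-rsa-key-mail")
    results = {
        "legacy_with_dss": verify_host_key(entries, "10.50.30.11", "ssh-dss", dss_key,
                                           ACCEPTED_TYPES_LEGACY),
        "11x_before_scan": verify_host_key(entries, "10.50.30.11", "ssh-rsa", rsa_key),
    }
    updated = scan_and_add(entries, "10.50.30.11", "ssh-rsa", rsa_key)
    results["11x_after_scan"] = verify_host_key(updated, "10.50.30.11", "ssh-rsa", rsa_key)
    results["changed_key"] = verify_host_key(updated, "10.50.30.11", "ssh-rsa",
                                             b64("constructed-other-rsa-key"))
    results["rsa_fingerprint"] = fingerprint(rsa_key)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The two outcomes worth separating are "no_match" and "mismatch". The first is what the post shows: the store holds nothing of an accepted type for the peer, which a scan on each node resolves. The second means a key of the accepted type is already on record and the peer is presenting a different one; that is the case to confirm by comparing the fingerprint through another channel before replacing the stored key.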