Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
4173
Views
5
Helpful
9
Replies

ISE2.4 : SFTP backup : failure using GUI but Success with CLI

Go to solution
ASD SOC Tata Communications
Level 1
Level 1

ā€Ž04-08-2019 01:40 AM

I am running ISE 2.4 with patch 5.

I have scheduled a SFTP weekly configuration backup to a NAS protected by a FW.(See config attached).

the port 22 is open.

 

The weekly configuration backup runs on Sunday. On Monday, when I check the backup is frozen at 0 percent. 

 

When I run the same backup with the CLI :

backup UKL78PTAC01_Weekly_Backup_xxx repository SFTP_NAS ise-config encryption-key plain xxxx

UKL78PTAC01/admin# backup UKL78PTAC01_Weekly_Backup_xxxx repository SFTP_NAS ise-config encryption-key plain xxxx
% Internal CA Store is not included in this backup. It is recommended to export it using "application configure ise" CLI command
% Creating backup with timestamped filename: UKL78PTAC01_Weekly_Backup_xxxx-CFG10-190408-0758.tar.gpg
% backup in progress: Starting Backup...10% completed
% backup in progress: Validating ISE Node Role...15% completed
% backup in progress: Backing up ISE Configuration Data...20% completed

% backup in progress: Backing up ISE Indexing Engine Data...45% completed

 

% backup in progress: Backing up ISE Logs...50% completed

% backup in progress: Completing ISE Backup Staging...55% completed
% backup in progress: Backing up ADEOS configuration...55% completed
% backup in progress: Moving Backup file to the repository...75% completed

% backup in progress: Completing Backup...100% completed
UKL78PTAC01/admin#

 

It works.

 

When I select the NAS_SFTP repository, I cannot see the stored backup files.

Any idea ?

Do I have to open another port in the FW which may be used by the GUJI and not with the CLI backup command?

Thanks

1 person had this problem
Preview file
54 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Nadav
Level 7
Level 7
In response to Damien Miller

ā€Ž04-10-2019 02:16 AM

I can confirm that:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp12131

 

Exists also in ISE 2.4 Patch 7. 

View solution in original post

0 Helpful

Go to solution
RaffyLindogan
Spotlight
Spotlight
In response to Nadav

ā€Ž04-10-2019 11:24 PM

Hi mate,

 

Was their any event that occured during the scheduled date.

I have had this experience before where WAN link was under maintenance and we lost communication to ISE.

We noticed that backup was stuck to some percentage and the only way to clear it was through the Root access on ISE.

TAC should be able to generate Root Patch for you and will clear the session that is stuck.

Thanks.

 

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Nadav
Level 7
Level 7

ā€Ž04-08-2019 04:12 AM

This patch level is after the SFTP backup failures have been fixed.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj86877/?rfs=iqvred

 

Since you can perform the SFTP backup via CLI, this means that your SFTP server supports the SSH client you have installed for ISE (sometimes there can be incompatibilities due to key-exchange mechanisms and such). 

 

What this leaves us with is a bug.

 

Here are known bugs you may be encountering:

 

1) https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo21622/?rfs=iqvred

2) https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg52304/?rfs=iqvred

 

If neither of them seem to be the cause, I'd try the following:

 

1) Rather than scheduled, try a manual backup to the repository via GUI. Does this work? If so, the problem is with scheduled backups. Open a TAC case.

 

2) If manual backups via GUI don't work, try performing a manual backup with a simple password (less than 16 characters, alpha-numeric characters only). Does this work? If so, the problem is supported password characters/length via GUI. Open a TAC case.

 

 

 

 

0 Helpful

Go to solution
ASD SOC Tata Communications
Level 1
Level 1
In response to Nadav

ā€Ž04-08-2019 06:40 AM

Thanks.

i have tried several sftp transfers as you advised (manual with GUI  and/or short password) but no way. I will check the Firewall with the IT team, just in case some other ports are needed. Only the CLI sftp transfer works.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to ASD SOC Tata Communications

ā€Ž04-08-2019 06:46 AM

Since it works via the cli, I wouldn't bother with the firewall team. I would also suggest opening a TAC case to identify the issue you are having.

Adding to Nadav's list, there is another backup bug too if you were to go to patch 6.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp12131

Go to solution
Nadav
Level 7
Level 7
In response to Damien Miller

ā€Ž04-10-2019 02:16 AM

I can confirm that:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp12131

 

Exists also in ISE 2.4 Patch 7. 

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to Nadav

ā€Ž04-10-2019 11:11 AM

I honestly have no idea why this specific comment is marked as a solution :)
0 Helpful

Go to solution
RaffyLindogan
Spotlight
Spotlight
In response to Nadav

ā€Ž04-10-2019 11:24 PM

Hi mate,

 

Was their any event that occured during the scheduled date.

I have had this experience before where WAN link was under maintenance and we lost communication to ISE.

We noticed that backup was stuck to some percentage and the only way to clear it was through the Root access on ISE.

TAC should be able to generate Root Patch for you and will clear the session that is stuck.

Thanks.

 

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to RaffyLindogan

ā€Ž04-11-2019 08:33 AM

Hi,


This specific bug is a matter of configuration persistence. Something is configured, the PAN is reset, that configuration no longer sticks and needs to be reconfigured. The backup isn't even attempted at the scheduled time until you enable and disable scheduled backups.

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to ASD SOC Tata Communications

ā€Ž04-08-2019 10:19 AM

No other ports are necessary. Port 22 from ISE to repository, that's it.

Feel free to check with the firewall team though, especially if you have an
IDS.
0 Helpful

Go to solution
gillessapene
Level 1
Level 1
In response to Nadav

ā€Ž05-20-2019 01:59 AM

Sorry for the delay but I was not in cc.
FYI,

The FW port(TCP/22) is opened, we have no IDS and the backup task works fine when I run it from the CLI.
The scheduled configuration backup was working fine when I was using FTP, but due to the backup file size, I have moved to a NAS which , due to security reasons, is only reachable with SFTP.

NB: When I run manually the backup from the CLI, I see that the GUI is updated with the percentage (same messages as CLI).
There has been no ISE reset or LAN issue since the ISE is live.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents