Re: Cisco ISE Repository

akintundeoloyede11 · ‎05-06-2024

Hi Team

Need help with files uploaded to cisco ise repository. All settings related to FTP and file permission done but yet couldn't access files in the repository. See below error message:

XP-ISE-02/admin(config)# repository ftp-repo
XP-ISE-02/admin(config-Repository)# url ftp://172.22.51.12
XP-ISE-02/admin(config-Repository)# user ftpuser password plain P@ssw0rd
XP-ISE-02/admin(config-Repository)# exit
XP-ISE-02/admin(config)# exit
XP-ISE-02/admin# debug transfer 7
XP-ISE-02/admin# sh repository ftp-repo
6 [890]:[info] transfer: cars_xfer.c[220] [admin]: ftp dir of repository ftp-repo requested
7 [890]:[debug] transfer: cars_xfer_util.c[2056] [admin]: ftp get dir for repos ftp-repo
7 [890]:[debug] transfer: cars_xfer_util.c[2068] [admin]: initializing curl
7 [890]:[debug] transfer: cars_xfer_util.c[2079] [admin]: full url is ftp://172.22.51.12/
7 [890]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing curl
7 [890]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is ftp://172.22.51.12/ftp
7 [890]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 19
7 [890]:[debug] transfer: cars_xfer.c[268] [admin]: freed file list
ftp

Torbjørn · ‎05-06-2024

Did you attempt to upload/download from the CLI or UI? What copy command did you use?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

akintundeoloyede11 · ‎05-06-2024

Attempt is to upload patch file to the ise repository using ftp, file has
been uploaded to the ftpserver and all necessary permission granted however
each time the sh repository command is run there is no file display in the
repository hence the error message below.

XP-ISE-02/admin(config)# repository ftp-repo
XP-ISE-02/admin(config-Repository)# url ftp://172.22.51.12
XP-ISE-02/admin(config-Repository)# user ftpuser password plain P@ssw0rd
XP-ISE-02/admin(config-Repository)# exit
XP-ISE-02/admin(config)# exit
XP-ISE-02/admin# debug transfer 7
XP-ISE-02/admin# sh repository ftp-repo
6 [890]:[info] transfer: cars_xfer.c[220] [admin]: ftp dir of repository
ftp-repo requested
7 [890]:[debug] transfer: cars_xfer_util.c[2056] [admin]: ftp get dir for
repos ftp-repo
7 [890]:[debug] transfer: cars_xfer_util.c[2068] [admin]: initializing curl
7 [890]:[debug] transfer: cars_xfer_util.c[2079] [admin]: full url is
ftp://172.22.51.12/
7 [890]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing curl
7 [890]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is
ftp://172.22.51.12/ftp
7 [890]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 19
7 [890]:[debug] transfer: cars_xfer.c[268] [admin]: freed file list
ftp

Arne Bier · ‎05-06-2024

What FTP server software are you using?

Can you ping the FTP server from the ISE CLI? (if ICMP is allowed)

Run a tcpdump on the ISE node and then try the show repo command. Does the tcpdump show that you are getting a TCP ACK from the FTP server?

If the TCP stream looks ok, then it must be some compatibility setting in the FTP server - try setting the FTP server to "unix" mode or suchlike. Have you confirmed that you can browse the FTP URL with other apps like WinSCP?

akintundeoloyede11 · ‎05-07-2024

Hello

I am able to ping the Ftp server from the ISE CLI, also I am able to do a
validation from GUI, meaning there is a handshake between the ISE and Ftp
server. However i can't see the files uploaded to ftpserver
each time I run the *sh repository command. Any clue on what I am doing
wrong? Please help.*

XP-ISE-02/admin# ping 172.22.51.12
PING 172.22.51.12 (172.22.51.12) 56(84) bytes of data.
64 bytes from 172.22.51.12: icmp_seq=1 ttl=64 time=0.745 ms
64 bytes from 172.22.51.12: icmp_seq=2 ttl=64 time=0.630 ms
64 bytes from 172.22.51.12: icmp_seq=3 ttl=64 time=0.387 ms
64 bytes from 172.22.51.12: icmp_seq=4 ttl=64 time=20.9 ms

XP-ISE-02/admin# sh repository ftp-repo
6 [44829]:[info] transfer: cars_xfer.c[220] [admin]: ftp dir of repository
ftp-repo requested
7 [44829]:[debug] transfer: cars_xfer_util.c[2056] [admin]: ftp get dir for
repos ftp-repo
7 [44829]:[debug] transfer: cars_xfer_util.c[2068] [admin]: initializing
curl
7 [44829]:[debug] transfer: cars_xfer_util.c[2079] [admin]: full url is
ftp://172.22.51.12/
7 [44829]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing
curl
7 [44829]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is
ftp://172.22.51.12/ftp
7 [44829]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 19
7 [44829]:[debug] transfer: cars_xfer.c[268] [admin]: freed file list
ftp

--- 172.22.51.12 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.387/5.673/20.933/8.811 ms

akintundeoloyede11 · ‎05-07-2024

Sorry i missed this:

What FTP server software are you using? I am using Linux machine as my ftpServer

Torbjørn · ‎05-07-2024

Could the path be wrong? Could you try to set the repo to "ftp://172.22.51.12:/" instead of "ftp://172.22.51.12:/ftp"?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

akintundeoloyede11 · ‎05-08-2024

See the error i have now, i have changed path as advise, this path looks
like the root path,

XP-ISE-02/admin(config)# exit
XP-ISE-02/admin# debug transfer 7
XP-ISE-02/admin# show repository ftp_ise
6 [27330]:[info] transfer: cars_xfer.c[220] [admin]: ftp dir of repository
ftp_ise requested
7 [27330]:[debug] transfer: cars_xfer_util.c[2056] [admin]: ftp get dir for
repos ftp_ise
7 [27330]:[debug] transfer: cars_xfer_util.c[2068] [admin]: initializing
curl
*7 [27330]:[debug] transfer: cars_xfer_util.c[2079] [admin]: full url is
ftp://172.22.51.12:/*
7 [27330]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing
curl
7 [27330]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is
ftp://172.22.51.12:/RADIUS2024_05_08_04_03_21.tar.gpg
7 [27330]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 0
7 [27330]:[debug] transfer: cars_xfer_util.c[2005] [admin]: res:
0-----filetime RADIUS2024_05_08_04_03_21.tar.gpg: Wed May 8 05:03:26 2024
7 [27330]:[debug] transfer: cars_xfer_util.c[2011] [admin]: filetime
RADIUS2024_05_08_04_03_21.tar.gpg: Wed May 8 05:03:26 2024
7 [27330]:[debug] transfer: cars_xfer_util.c[2015] [admin]: filesize
RADIUS2024_05_08_04_03_21.tar.gpg: 1195 bytes
7 [27330]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing
curl
7 [27330]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is
ftp://172.22.51.12:/TACACS2024_05_08_04_03_21.tar.gpg
7 [27330]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 0
7 [27330]:[debug] transfer: cars_xfer_util.c[2005] [admin]: res:
0-----filetime TACACS2024_05_08_04_03_21.tar.gpg: Wed May 8 05:03:27 2024
7 [27330]:[debug] transfer: cars_xfer_util.c[2011] [admin]: filetime
TACACS2024_05_08_04_03_21.tar.gpg: Wed May 8 05:03:27 2024
7 [27330]:[debug] transfer: cars_xfer_util.c[2015] [admin]: filesize
TACACS2024_05_08_04_03_21.tar.gpg: 665 bytes
7 [27330]:[debug] transfer: cars_xfer_util.c[1967] [admin]: initializing
curl
*7 [27330]:[debug] transfer: cars_xfer_util.c[1980] [admin]: full url is
ftp://172.22.51.12:/ftp*
7 [27330]:[debug] transfer: cars_xfer_util.c[2001] [admin]: res: 19
7 [27330]:[debug] transfer: cars_xfer.c[268] [admin]: freed file list
RADIUS2024_05_08_04_03_21.tar.gpg
TACACS2024_05_08_04_03_21.tar.gpg
ftp
XP-ISE-02/admin#
[image: image.png]

ammahend · ‎05-06-2024

lot of good advice, if it still dosen't work, depending on version, you also have "localdisk management" option from where you can upload and download files to ISE

-hope this helps-

davidgfriedman · ‎05-07-2024

Could there be a firewall in between, blocking the ephemeral ports?

akintundeoloyede11 · ‎05-07-2024

All necessary permission granted on firewall

Arne Bier · ‎05-07-2024

In your original post, your URL was

ftp://172.22.51.12

Depending on how the Linux FTP server handles the user login, it might not be setting the absolute path of the directory in question.

Let's say the user account has /home/ftpuser assigned to it in /etc/passwd

If you login using another client that works, where does the user land? In a chroot situation (e.g in root / ) or in their absolute directory of /home/ftpuser, or even somewhere else, hard coded by the FTP server config (e.g. /home/ftp/ise) ?

I have found that I have had to configure absolute path into the ISE repo URL statement - without some path suffix, you are reliant on the FTP server to place the user in the correct directory.

Try this URL in your ISE configuration (no trailing /

ftp://172.22.51.12/home/ftpuser

akintundeoloyede11 · ‎05-08-2024

Hello arne

See my config on the linux server for ftp setup

[root@redhattemplate ftpuser]# cd ftp
[root@redhattemplate ftp]# ls
ise-patchbundle-2.7.0.356-Patch10-23082414.SPA.x86_64.tar.gz
[root@redhattemplate ftp]# pwd
/home/ftpuser/ftp
[root@redhattemplate ftp]#
[root@redhattemplate ftp]# mkdir /ftp
[root@redhattemplate ftp]# cp ise-patchbundle-2.7.0.356-Patch10-23082414.SPA.x86_64.tar.gz /ftp
[root@redhattemplate ftp]# chown ftpuser:ftpuser /ftp
[root@redhattemplate ftp]# chmod 755 /ftp
[root@redhattemplate ftp]# cd /ftp
[root@redhattemplate ftp]# ls
ise-patchbundle-2.7.0.356-Patch10-23082414.SPA.x86_64.tar.gz
[root@redhattemplate ftp]#

I have change path as advised but see error message.

P-ISE-02/admin# sh repository ftp_ise
6 [37892]:[info] transfer: cars_xfer.c[220] [admin]: ftp dir of repository ftp_ise requested
7 [37892]:[debug] transfer: cars_xfer_util.c[2056] [admin]: ftp get dir for repos ftp_ise
7 [37892]:[debug] transfer: cars_xfer_util.c[2068] [admin]: initializing curl
7 [37892]:[debug] transfer: cars_xfer_util.c[2079] [admin]: full url is ftp://172.22.51.12/home/ftpuser/
% Error: Repository ftp_ise could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
3 [37892]:[error] transfer: cars_xfer_util.c[2096] [admin]: curl error: Access denied to remote resource
% Error reading directory on remote server

Will be glad to use other option to carry out this task, pls share a resource if there is any since ftp seems not doable in my enviroment.notr i have tried, sftp winscp still no success.

Arne Bier · ‎05-08-2024

It's helpful to see your ISE CLI configuration (show run) together with any attempts of the show repo command. In your previous reply you added the ftp directory to /home/ftpuser - have you tried modifying the ISE URL from /home/ftpuser to /home/ftpuser/ftp ?

In the reply above, it looks like you can browse the root directory. Keep modifying the ISE URL until you hit the ftp directory containing your files.

Alternatively, you can patch an ISE node via the Admin GUI (Maintenance menu) - but that will patch ALL the nodes - no way to stop the process once it has started. Also, @ammahend mentioned that you can upload a file to the local node's disk:/ repository via the admin GUI, but only in newer versions of ISE 3.x (you seem to be running ISE 2.7)

akintundeoloyede11 · ‎05-09-2024

See error message after following your advise, issue persist

P-ISE-02/admin# 6 [8882]:[info] transfer: cars_xfer.c[220] [system]: ftp dir of repository ftp_ise requ ested
7 [8882]:[debug] transfer: cars_xfer_util.c[2056] [system]: ftp get dir for repos ftp_ise
7 [8882]:[debug] transfer: cars_xfer_util.c[2068] [system]: initializing curl
7 [8882]:[debug] transfer: cars_xfer_util.c[2079] [system]: full url is ftp://172.22.51.12/home/ftpuser/ ftp/
3 [8882]:[error] transfer: cars_xfer_util.c[2096] [system]: curl error: Access denied to remote resource
6 [8882]:[info] transfer: cars_xfer.c[220] [system]: ftp dir of repository ftp_ise requested
7 [8882]:[debug] transfer: cars_xfer_util.c[2056] [system]: ftp get dir for repos ftp_ise
7 [8882]:[debug] transfer: cars_xfer_util.c[2068] [system]: initializing curl
7 [8882]:[debug] transfer: cars_xfer_util.c[2079] [system]: full url is ftp://172.22.51.12/home/ftp/
3 [8882]:[error] transfer: cars_xfer_util.c[2096] [system]: curl error: Access denied to remote resource
6 [8882]:[info] transfer: cars_xfer.c[220] [system]: ftp dir of repository ftp_ise requested
7 [8882]:[debug] transfer: cars_xfer_util.c[2056] [system]: ftp get dir for repos ftp_ise
7 [8882]:[debug] transfer: cars_xfer_util.c[2068] [system]: initializing curl
7 [8882]:[debug] transfer: cars_xfer_util.c[2079] [system]: full url is ftp://172.22.51.12/ftp/
7 [8882]:[debug] transfer: cars_xfer_util.c[1967] [system]: initializing curl
7 [8882]:[debug] transfer: cars_xfer_util.c[1980] [system]: full url is ftp://172.22.51.12/ftp/ise-patch bundle-2.4.0.357-Patch14-21041509.SPA.x86_64 (1).tar.gz
7 [8882]:[debug] transfer: cars_xfer_util.c[2001] [system]: res: 0
7 [8882]:[debug] transfer: cars_xfer_util.c[2005] [system]: res: 0-----filetime ise-patchbundle-2.4.0.35 7-Patch14-21041509.SPA.x86_64 (1).tar.gz: Fri Jul 1 18:42:25 2022
7 [8882]:[debug] transfer: cars_xfer_util.c[2011] [system]: filetime ise-patchbundle-2.4.0.357-Patch14-2 1041509.SPA.x86_64 (1).tar.gz: Fri Jul 1 18:42:25 2022
7 [8882]:[debug] transfer: cars_xfer_util.c[2015] [system]: filesize ise-patchbundle-2.4.0.357-Patch14-2 1041509.SPA.x86_64 (1).tar.gz: 4351901735 bytes