12-30-2013 12:11 PM - edited 03-10-2019 09:13 PM
Hello,
I am having trouble copying my ISE 1.2 upgrade files to my local repositories.
Here is a cut and paste from my CLI on one of my ISE nodes after attempting to copy from my workstation (running an SFTP server) to one of my ISE nodes.
XXX-ise-01/admin# Copy sftp://<My_SFTP_Server_IP_Address>/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gz. disk:/
Username: Admin
Password:
% ERROR : Backup failed due to one of the following reasons
1. host-key option is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please reconfigure the host-key option
% Error: Transfer failed
I have not configured anything with the "Host-Key" option.
I have googled and searched but can only find limited references to the "Host-key" command within Cisco. I have tried various forms of this on the ISE node with no luck.
I tried an FTP transfer but that did not work.
Any ideas?
12-30-2013 03:52 PM
You may want to try adding this repository to your local configuration as an sftp server as that should start the host-key process.
Thanks,
Tarik Admani
*Please rate helpful posts*
12-30-2013 05:50 PM
Hi Robert,
The other option is to configure SFTP repository and local repository in ISE from CLI and get it downloaded to local repository.
The example of configuring sftp repository within ISE from CLI is as follows:
When configuring url sftp: in the submode, you must provide the host-key under repository configuration through CLI and the RSA fingerprint is added to the list of SSH known hosts.
To disable this function, use the no form of host-key host command in the submode.
Cisco ISE displays the following warning when you configure a secure ftp repository in the administration user interface in Administration > System > Maintenance > Repository > Add Repository.
The host key of the SFTP server must be added through the CLI by using the host-key option before this repository can be used.
A corresponding error is thrown in the Cisco ADE logs when you try to back up into a secure FTP repository without configuring the host-key.
Example 1
ise/admin# configure terminal
ise/admin(config)# repository myrepository
ise/admin(config-Repository)# url sftp://ise-pap
ise/admin(config-Repository)# host-key host ise-pap
host key fingerprint added
# Host ise-pap found: line 1 type RSA
2048 f2:e0:95:d7:58:f2:02:ba:d0:b8:cf:d5:42:76:1f:c6 ise-pap (RSA)
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#
Example 2
ise/admin# configure terminal
ise/admin(config)# repository myrepository
ise/admin(config-Repository)# url sftp://ise-pap
ise/admin(config-Repository)# no host-key host ise-pap
ise/admin(config-Repository)# exit
ise/admin(config)# exit
ise/admin#
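Added example (not part of the original post or of Cisco's documentation): before trusting the fingerprint that `host-key host` prints in Example 1, it can be compared with one computed independently from the SFTP server's own public key file. The function names and the sample key are constructed for illustration; the 16 colon-separated hex pairs in the ISE output are an MD5 digest of the key blob.

```python
import base64
import hashlib
import struct


def _read_field(blob, offset):
    """Read one length-prefixed field of an SSH public key blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def ise_style_fingerprint(pubkey_line, host):
    """Return 'BITS aa:bb:.. host (RSA)' for an OpenSSH ssh-rsa public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_field(blob, 0)
    if key_type != "ssh-rsa" or inner_type != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # 16 bytes, as in the ISE output
    pairs = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return f"{bits} {pairs} {host} (RSA)"


def same_fingerprint(shown_by_ise, computed):
    """Compare the hex field of two fingerprint lines, ignoring case."""
    return shown_by_ise.split()[1].lower() == computed.split()[1].lower()


def constructed_key_line():
    """Build a sample key line (constructed; not a usable RSA key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = ((1 << 2047) | 1).to_bytes(256, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    local = ise_style_fingerprint(constructed_key_line(), "ise-pap")
    shown = "2048 f2:e0:95:d7:58:f2:02:ba:d0:b8:cf:d5:42:76:1f:c6 ise-pap (RSA)"
    print(local)
    print("match" if same_fingerprint(shown, local) else "MISMATCH: do not trust")
```

A mismatch means the key ISE stored is not the key of the server you intended to reach, and the repository should not be used until that is explained.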
01-02-2014 08:33 AM
Hello,
I configured the host-key option as you suggested and it apparently worked well. I still am having troubles transferring the upgrade file to the ISE local disk.
I am entering this command on the ISE CLI...
XXX-ISE-01/admin# copy sftp://SFTP_Server_IP_Address/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gZ disk:/
The response I get from ISE is this...
XXX_ISE-01/admin# copy sftp://SFTP_Server_IP_Address/ise-upgradebundle-1.1.x-to-1.2.0.899.i386.tar.gZ disk:/
Username: AdminUserName
Password:
% Error: Transfer failed
(The SFTP_Server_IP_Address is the IP address of my desktop which is running an SFTP server. The file to be transferred is located on the root of the sftp server.)
There is about a 60 second pause from the point at which I enter my password and click "Enter" and the point at which it comes up with the "% Error: transfer failed" message.
After I attempt the file transfer I enter the "show repo local" command on the ISE CLI there is the file name shown but when I enter the "dir" command the file shows that it has a file size of 0 (zero).
I have no firewalls between my desktop SFTP server and the ISE node.
Any ideas?
01-02-2014 11:45 AM
I was wondering why the last character is capitalized. Also, are you able to copy files from the disk file over to the same repository? I haven't had any problems and I see in a separate thread that the user gave other directions on how to transfer the file.
If you can, open two SSH connections and try to run the following command to tail the logs:
"show logging system ade/ADE.log tail"
You should get some messaging behind the error you are receiving, for example I went to look for a file that did not exist (even though I am using ftp you should get the same error).
Here is when the transfer fails:
2014-01-02T13:41:22.506519-06:00 ise01 ADE-SERVICE[4786]: [30325]:[info] transfer: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/test requested
2014-01-02T13:41:22.522470-06:00 ise01 ADE-SERVICE[4786]: [30325]:[error] transfer: cars_xfer_util.c[349] [tadmani]: curl error: FTP: couldn't retrieve (RETR failed) the specified file
2014-01-02T13:41:22.523040-06:00 ise01 ADE-SERVICE[4786]: [30325]:[error] copy: cm_copy.c[1144] [tadmani]: local file disk:/ transfer from url ftp://172.16.249.1/test failed retcode=-302
2014-01-02T13:41:22.527148-06:00 ise01 ADEOSShell[30325]: ADEAUDIT 3017, type=COPY, name=COPY IN FILE FAILED, username=tadmani, cause=Error while copying file from remote system, adminipaddress=172.16.247.12, interface=CLI, detail=Disk file disk:/ transfer from url ftp://172.16.249.1/test failed
Here is when login fails:
curl error: FTP: login denied
Here is some logging around a successful transfer -
2014-01-02T13:44:46.897499-06:00 ise01 ADE-SERVICE[4786]: [30766]:[info] transfer: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/running-config requested
2014-01-02T13:44:46.934972-06:00 ise01 ADEOSShell[30766]: ADEAUDIT 2042, type=COPY, name=COPY FILE, username=tadmani, cause=Copied a file, adminipaddress=172.16.247.12, interface=CLI, detail=Copied disk file disk:/ from url ftp://172.16.249.1/running-config successfully
Thanks,
Tarik Admani
*Please rate helpful posts*
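Added example (not part of the original post): a small parser that groups the ADE.log lines quoted above into one record per copy attempt, so failed transfers and their curl reason can be pulled out of a longer log. The function names are hypothetical, and correlating on the bracketed id assumes it matches the ADEOSShell process id, as it does in the quoted lines.

```python
import re

# Lines taken from the ADE.log output quoted in the post above, with the
# 80-column terminal wrapping undone.
SAMPLE = """\
2014-01-02T13:41:22.506519-06:00 ise01 ADE-SERVICE[4786]: [30325]:[info] transfer: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/test requested
2014-01-02T13:41:22.522470-06:00 ise01 ADE-SERVICE[4786]: [30325]:[error] transfer: cars_xfer_util.c[349] [tadmani]: curl error: FTP: couldn't retrieve (RETR failed) the specified file
2014-01-02T13:41:22.527148-06:00 ise01 ADEOSShell[30325]: ADEAUDIT 3017, type=COPY, name=COPY IN FILE FAILED, username=tadmani, cause=Error while copying file from remote system, adminipaddress=172.16.247.12, interface=CLI, detail=Disk file disk:/ transfer from url ftp://172.16.249.1/test failed
2014-01-02T13:44:46.897499-06:00 ise01 ADE-SERVICE[4786]: [30766]:[info] transfer: cars_xfer.c[264] [tadmani]: ftp copy in of ftp://172.16.249.1/running-config requested
2014-01-02T13:44:46.934972-06:00 ise01 ADEOSShell[30766]: ADEAUDIT 2042, type=COPY, name=COPY FILE, username=tadmani, cause=Copied a file, adminipaddress=172.16.247.12, interface=CLI, detail=Copied disk file disk:/ from url ftp://172.16.249.1/running-config successfully
"""

REQUEST = re.compile(r"\[(\d+)\]:\[info\] transfer: .*?: (\w+) copy in of (\S+) requested")
CURL_ERR = re.compile(r"\[(\d+)\]:\[error\] transfer: .*?curl error: (.+)$")
AUDIT = re.compile(r"ADEOSShell\[(\d+)\]: ADEAUDIT (\d+), type=COPY, name=([^,]+), "
                   r"username=([^,]+), .*?adminipaddress=([^,]+)")


def summarize_copies(log_text):
    """Group ADE.log lines by CLI session id and return one record per copy."""
    copies = {}
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            copies.setdefault(m[1], {}).update(protocol=m[2], url=m[3])
        elif m := CURL_ERR.search(line):
            copies.setdefault(m[1], {})["reason"] = m[2].strip()
        elif m := AUDIT.search(line):
            copies.setdefault(m[1], {}).update(
                audit_code=int(m[2]), outcome=m[3], user=m[4], admin_ip=m[5])
    return copies


def failed_copies(log_text):
    """Return only the copies whose audit record reports a failure."""
    return {sid: c for sid, c in summarize_copies(log_text).items()
            if "FAILED" in c.get("outcome", "")}


if __name__ == "__main__":
    for sid, copy in failed_copies(SAMPLE).items():
        print(sid, copy["user"], copy["url"], "->", copy.get("reason", "no curl reason logged"))
```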
01-02-2014 12:49 PM
Hello Tarik,
I have tried all these things without success. I am going to open a case with Cisco TAC. I will update this thread when I am successful.
Thank you,
Bob
01-07-2014 12:19 PM
Hello again Tarik,
I was still unsuccessful with my file transfer using SFTP. Because of time restraints I used FTP to get the file transferred.
One of the mistakes I was making was in my understanding of the CLI programming for the repository. First, to create a repository when upgrading to Version 1.2 you can only use the CLI to accomplish this. You cannot use the Create Repository location on the UI.
When creating a repo you will enter...
isebox01/admin(config)# repository SFTP
In the above line the SFTP does not refer to the protocol to be used at all. It simply is naming the repo.
isebox01/admin(config)# user cisco password plain C1sc0123
isebox01/admin(config)# url sftp:172.17.1.7
In the above line the protocol to be used is now named. It is sftp. If you wanted to use FTP you would have entered ftp here.
Thank you all for your help,
I hope this helps the next admin.
Bob
01-17-2014 01:04 PM
I was finally successful in creating a functioning SFTP repository. Here is what I had to do...
On my SFTP server on my workstation I deleted all my user accounts and created one new user.
Next. I went to the ISE UI and deleted the SFTP repository that I had been using.
Next. I went to the ISE GUI and deleted the same SFTP repo again.
Next. I created a new repo in the ISE GUI and pointed it at the SFTP server in my desktop workstation.
Next. I went to the ISE CLI and from the # prompt I added the crypto host-key add "IP_Address_of_workstation".
This finally got the job done.
Basically, I had to delete everything and re-enter it along with the crypto host-key add command.
I hope this helps someone!
Tarik, thank you for your help,
Bob
03-03-2016 10:15 AM
I am trying to add an SFTP Repository in ISE 2.0 patch 2. I create the repo in the GUI, then went to the CLI to add the host key. If I use hostname or IP Address I get the same error.
ISE/admin# crypto host_key add host sftp-server
7 [27143]:[debug] locks:file: lock.c[384] [admin]: obtained ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[390] [admin]: INVOKED: releasing ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[419] [admin]: released ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[384] [admin]: obtained ssh-pubkey lock
%host-key add failed
3 [27143]:[error] config:repository: crypto_cli.c[1310] [admin]: host-key add failed
7 [27143]:[debug] locks:file: lock.c[390] [admin]: INVOKED: releasing ssh-pubkey lock
7 [27143]:[debug] locks:file: lock.c[419] [admin]: released ssh-pubkey lock
As well, in ISE 2.0 you cannot put the key under the repo itself, it is all under exec mode.
ISE/admin(config)# repository SFTP-BACKUP
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
ISE/admin(config-Repository)# ?
Configure Repository:
  do    EXEC command
  end   Exit from configure mode
  exit  Exit from this submode
  no    Negate a command or set its defaults
  url   Configure Repository URL
  user  Configure repository username and password for access
Time and timezone are perfect. Anyone know why it is failing?