ISE 1.4 sh repository fails with sftp read error

ssokolic
Cisco Employee

Hi All,

I'm getting an sftp read error when attempting to perform a sh repository <repo name>

epnm-ise/admin# sh repository ftpuser
6 [14999]:[info] transfer: cars_xfer.c[210] [admin]: sftp dir of repository ftpuser requested
6 [14999]:[info] transfer: cars_xfer_util.c[2184] [admin]: resolved server to 166.34.96.96
7 [14999]:[debug] transfer: sftp_handler.c[795] [admin]: Running sftp command: 166.34.96.96 ftpuser *** /Users/ftpuser/ ls -l /Users/ftpuser/
6 [14999]:[info] transfer: sftp_handler.c[437] [admin]: DEBUG: local user UID: 0 sftp_run_parent FD: 5 remote host: 166.34.96.96 remote user: ftpuser command: ls -l /Users/ftpuser/
7 [15001]:[debug] transfer: sftp_handler.c[164] [admin]: Executing SFTP command: 0 admin /usr/bin/sftp -oIdentityFile=/home/admin/.ssh/id_rsa -oUserKnownHostsFile=/home/admin/.ssh/known_hosts ftpuser@166.34.96.96
3 [14999]:[error] transfer: sftp_handler.c[262] [admin]: sftp_read Error: read failed
7 [14999]:[debug] transfer: sftp_handler.c[685] [admin]: sftp parent status -306
% SSH connect error
epnm-ise/admin#

I can connect to the sftp server when I do so from other applications. I can ssh to the server with the user:

epnm-ise/admin# ssh 166.34.96.96 ftpuser
Password:
Password:
Last login: Mon Jul 30 16:34:14 2018
SSOKOLIC-M-70ZH:~ ftpuser$
SSOKOLIC-M-70ZH:~ ftpuser$
SSOKOLIC-M-70ZH:~ ftpuser$
SSOKOLIC-M-70ZH:~ ftpuser$ ls -la
total 10589840
drwxrwxrwx  15 root      admin         480 Aug  6 09:33 .
drwxr-xr-x   7 root      admin         224 Jul 26 16:48 ..
-rw-r--r--@  1 ftpuser   admin        8196 Jul 30 16:41 .DS_Store
-rw-------   1 ftpuser   admin          21 Jul 27 11:13 .bash_history
drwxr-xr-x   3 ftpuser   admin          96 Jul 30 16:36 .cisco
drwxr-xr-x   3 ssokolic  admin          96 Aug  6 09:35 .ssh
drwxr-xr-x  12 ftpuser   admin         384 Jul 30 16:41 .wdc
drwx------   2 ftpuser   admin          64 Jul 30 16:35 Desktop
drwxr-xr-x   2 ftpuser   admin          64 Jul 30 16:36 Documents
drwx------   2 ftpuser   admin          64 Jul 30 16:34 Downloads
drwxr-xr-x@ 34 ftpuser   admin        1088 Jul 30 16:38 Library
drwx------+  3 ftpuser   admin          96 Jul 30 16:39 Movies
drwx------+  3 ftpuser   admin          96 Jul 30 16:39 Music
drwx------+  3 ftpuser   admin          96 Jul 30 16:39 Pictures
-rw-r--r--   1 ssokolic  staff  5419782396 Jul 26 16:12 ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz
SSOKOLIC-M-70ZH:~ ftpuser$

Any ideas?

1 Accepted Solution

After testing my own ISE 1.4 (with Patch 12), I am getting the same errors with my SFTP server on an Ubuntu 16.04.3 LTS. The root cause on mine is "no matching cipher found" between client and server, and it's hitting CSCux88538 and the potential workarounds are in the bug info.

hslai
Cisco Employee

Perhaps you have previously generated a public key pair. Please try deleting that key pair via CLI "crypto key delete rsa" and try again.

Didn't help. Same error as before.

I tried creating a local repository, then doing a copy from the server repository. This basically failed for the same reason, but in addition to the sftp read fail it also indicates no such file or directory. Am I not specifying the copy URL correctly?

epnm-ise/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
epnm-ise/admin(config)# repository local
epnm-ise/admin(config-Repository)# url disk:/
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
epnm-ise/admin(config-Repository)# exit
epnm-ise/admin(config)# exit
epnm-ise/admin# copy sftp://166.34.96.96//Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz disk:/
Username: ftpuser
Password:
6 [30114]:[info] transfer: cars_xfer.c[281] [admin]: sftp copy in of sftp://166.34.96.96//Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz requested
6 [30114]:[info] transfer: cars_xfer_util.c[729] [admin]: resolved server to 166.34.96.96
7 [30114]:[debug] transfer: cars_xfer_util.c[736] [admin]: copying //Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz from remote server: 166.34.96.96
7 [30114]:[debug] transfer: sftp_handler.c[869] [admin]: Running sftp command: 166.34.96.96 ftpuser *** //Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz get //Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz /localdisk/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz
6 [30114]:[info] transfer: sftp_handler.c[437] [admin]: DEBUG: local user UID: 0 sftp_run_parent FD: 6 remote host: 166.34.96.96 remote user: ftpuser command: get //Users/ftpuser/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz /localdisk/ise-upgradebundle-1.3.x-and-1.4.x-to-2.0.0.306.x86_64.tar.gz
7 [30130]:[debug] transfer: sftp_handler.c[164] [admin]: Executing SFTP command: 0 admin /usr/bin/sftp -oIdentityFile=/home/admin/.ssh/id_rsa -oUserKnownHostsFile=/home/admin/.ssh/known_hosts ftpuser@166.34.96.96
3 [30114]:[error] transfer: sftp_handler.c[262] [admin]: sftp_read Error: read failed
7 [30114]:[debug] transfer: sftp_handler.c[685] [admin]: sftp parent status -306
3 [30114]:[error] transfer: sftp_handler.c[888] [admin]: SFTP get error: No such file or directory
% Internal error during command execution
epnm-ise/admin#

After testing my own ISE 1.4 (with Patch 12), I am getting the same errors with my SFTP server on an Ubuntu 16.04.3 LTS. The root cause on mine is "no matching cipher found" between client and server, and it's hitting CSCux88538 and the potential workarounds are in the bug info.

Hi Hsing-Tsu,

When I run just the ssh command from the ISE server I see the following:

pnm-ise/admin# ssh 166.34.96.96 ftpuser port 22
ssh_exchange_identification: read: Connection reset by peer
epnm-ise/admin# ssh 166.34.96.96 ftpuser port 22
no matching cipher found: client aes256-cbc,aes128-cbc,3des-cbc server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
epnm-ise/admin#

However, when I run ssh -Q cipher on my mac it shows matching ciphers are in effect:

[Tue Aug 07 14:20:07 ssokolic@SSOKOLIC-M-70ZH:/etc/ssh ] $ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[Tue Aug 07 14:20:21 ssokolic@SSOKOLIC-M-70ZH:/etc/ssh ] $

Do you think this is still the CSCux88538 issue?
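
An added example, not part of the original thread: it parses the "no matching cipher found" line quoted above and compares the ISE client's offer with both the server's offer and the `ssh -Q cipher` list. It assumes the Mac where `ssh -Q cipher` was run is the SFTP server at 166.34.96.96; the function names are illustrative.

```python
import re

# Both inputs are copied from the posts above.
ERROR_LINE = (
    "no matching cipher found: client aes256-cbc,aes128-cbc,3des-cbc "
    "server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)
SSH_Q_CIPHER = """\
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
"""

# Older OpenSSH wording, as it appears in this thread.
_PATTERN = re.compile(
    r"no matching (?P<kind>[\w ]+?) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_negotiation_error(line):
    """Return (kind, client_offer, server_offer) from the error line."""
    m = _PATTERN.search(line)
    if m is None:
        raise ValueError("not a 'no matching ... found' line")
    return m["kind"], m["client"].split(","), m["server"].split(",")

def diagnose(error_line, ssh_q_output):
    kind, client, server = parse_negotiation_error(error_line)
    # `ssh -Q cipher` lists what the OpenSSH build supports, not what the
    # running sshd is configured to offer (that is the "server" list here).
    supported = {s.strip() for s in ssh_q_output.splitlines() if s.strip()}
    # SSH selects the first algorithm on the client's list that the server offers.
    common = [c for c in client if c in server]
    return {
        "kind": kind,
        "negotiated": common[0] if common else None,
        "supported_but_not_offered": [c for c in client
                                      if c in supported and c not in server],
        "unsupported_by_build": [c for c in client if c not in supported],
    }
```

On the server side, `sshd -T` prints the effective configuration, including the `ciphers` line that corresponds to the "server" list in the error.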