
ISE 2.7 Patch 1 SFTP Repository SSH issue

Pierre44120
Level 1

Hello,

 

I have created a new SFTP repository on an ISE 2.7 Patch 1 in the GUI.

And I get the error below when I try to validate the repository.  What did I miss for the config?

Repository validation failed due to error - SSH connect error. Verify configuration. In case Backup was restored on different setup, please re-configure the repository passwords (Expected behaviour)

 

Below are the SFTP server's logs (Windows 2K19 OpenSSH works fine with another SFTP backup for another app):
13484 2020-09-09 14:15:45.563 debug1: inetd sockets after dupping: 4, 4
13484 2020-09-09 14:15:45.564 Connection from 10.10.9.13 port 15115 on 10.10.9.4 port 22
13484 2020-09-09 14:15:45.566 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
13484 2020-09-09 14:15:45.567 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6 PKIX[11.0]
13484 2020-09-09 14:15:45.567 debug1: match: OpenSSH_7.6 PKIX[11.0] pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
13484 2020-09-09 14:15:45.668 debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
13484 2020-09-09 14:15:45.668 debug1: SSH2_MSG_KEXINIT sent [preauth]
13484 2020-09-09 14:15:45.668 debug1: SSH2_MSG_KEXINIT received [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: algorithm: curve25519-sha256 [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: host key algorithm: ssh-rsa [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: client->server cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: server->client cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none [preauth]
13484 2020-09-09 14:15:45.668 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
13484 2020-09-09 14:15:45.694 debug1: rekey out after 4294967296 blocks [preauth]
13484 2020-09-09 14:15:45.694 debug1: SSH2_MSG_NEWKEYS sent [preauth]
13484 2020-09-09 14:15:45.694 debug1: Sending SSH2_MSG_EXT_INFO [preauth]
13484 2020-09-09 14:15:45.694 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
13484 2020-09-09 14:15:45.695 Connection closed by 10.10.9.13 port 15115 [preauth]
13484 2020-09-09 14:15:45.696 debug1: do_cleanup [preauth]
13484 2020-09-09 14:15:45.697 debug1: monitor_read_log: child log fd closed
13484 2020-09-09 14:15:45.697 debug1: do_cleanup
13484 2020-09-09 14:15:45.697 debug1: Killing privsep child 11252

1 Accepted Solution

Accepted Solutions

Colby LeMaire
VIP Alumni

Did you add the server host key to the ISE server CLI using the command "crypto host_key add"?
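
As an added example (not part of the original posts), the sketch below reads sshd debug lines like the ones in the question and reports where the handshake stopped; in that log the client closes before sending its own NEWKEYS, the point at which an SSH client checks the server's host key. The function names, verdict strings and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: a subset of the sshd debug lines posted in the question.
SAMPLE_LOG = """\
13484 2020-09-09 14:15:45.564 Connection from 10.10.9.13 port 15115 on 10.10.9.4 port 22
13484 2020-09-09 14:15:45.668 debug1: kex: algorithm: curve25519-sha256 [preauth]
13484 2020-09-09 14:15:45.668 debug1: kex: host key algorithm: ssh-rsa [preauth]
13484 2020-09-09 14:15:45.694 debug1: SSH2_MSG_NEWKEYS sent [preauth]
13484 2020-09-09 14:15:45.695 Connection closed by 10.10.9.13 port 15115 [preauth]
"""
LINE = re.compile(r"^(\d+) \S+ \S+ (?:debug\d: )?(.*?)(?: \[preauth\])?$")
RULES = [  # (pattern on the message text, session field it fills)
    (re.compile(r"^Connection from (\S+) port \d+"), "client"),
    (re.compile(r"^kex: algorithm: (\S+)"), "kex"),
    (re.compile(r"^kex: host key algorithm: (\S+)"), "hostkey_alg"),
]
NEW = dict(client=None, kex=None, hostkey_alg=None, stage="connected", closed_preauth=False)

def classify(s):
    """Map the last handshake stage before a pre-auth close to a likely cause."""
    if not s["closed_preauth"]:
        return "no pre-auth disconnect seen"
    if s["stage"] == "server_newkeys_sent":
        # The client verifies the server host key before it sends NEWKEYS.
        return "client left before NEWKEYS: check host key trust on the client"
    if s["stage"] == "keys_exchanged":
        return "client left during authentication: check credentials"
    return "client left before key exchange finished: check algorithm overlap"

def summarize(log_text):
    """Group sshd lines by PID and return per-session facts plus a verdict."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, dict(NEW))
        for pattern, field in RULES:
            if hit := pattern.match(msg):
                s[field] = hit.group(1)
        if msg == "SSH2_MSG_NEWKEYS sent":
            s["stage"] = "server_newkeys_sent"
        elif msg == "SSH2_MSG_NEWKEYS received":
            s["stage"] = "keys_exchanged"
        elif msg.startswith("Connection closed by") and raw.rstrip().endswith("[preauth]"):
            s["closed_preauth"] = True
    return {pid: dict(s, verdict=classify(s)) for pid, s in sessions.items()}
```

A verdict pointing at host key trust is consistent with a missing or stale host key entry on the client, but it does not rule out a client-side defect.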


Mike.Cifelli
VIP Alumni

FYSA I also had a similar issue with ISE2.7p2.  The fix was re-adding the host key via CLI as @Colby LeMaire suggested.

Hi Mike, I tried your method but it did not work. Is there anything else I can explore?

 

Best Regards,

Ng Turng Hui

Hi @NgTurngHui7950,

Have you executed 'crypto host_key add' on the same server you are trying to access it from? In case of multiple ISE nodes, you need to repeat the command on all nodes from which you are attempting to read the repository.

BR,

Milos

Hi Milo,

 

Yes, I did add "crypto host_key add host <Hostname of SFTP Server>" in exec mode.

 

This was working fine before I upgraded Cisco ISE from version 2.3.0 to 2.7.0. I redid the entire process, which was to remove the host_key from the CLI and remove the SFTP server setting in the GUI, reboot the services, add the SFTP server settings again and lastly add the host_key.

 

When I type "show repository <Repository Name>", I am left with the following error.

"Repository sftprepo could not be accessed. In case Backup was restored on different setup, please re-configure the repository passwords (Expected behaviour). Failure occurred during request"

 

I am in a pickle here. This is just SFTP and it is giving me so many problems. Do you have any idea what may be causing this?

 

Best Regards,

Ng Turng Hui

Hi Ng Tung Hui

 

I have a similar problem and I would like to know if you managed to resolve your problem and how if you did? 

 

Thanks,

 

Sydney

Hi Sydney,

 

How I resolved the issue was to upgrade Cisco ISE to Version 2.7 Patch 4. There is a bug in Cisco ISE Version 2.7 which resulted in failure using SFTP. Hope this helps.

 

Best Regards,

Ng Turng Hui

Milos_Jovanovic
VIP Alumni

You could try to look at logs on the server side, to try to understand something from there, if possible.

It looks like you did everything you should. I would contact TAC as the next step, as I can't recommend any reasonable troubleshooting step from here.

BR,

Milos
