ISE - FIPS Disabled but SSH using FIPS!??

R M C
Level 1

Merry Christmas Everyone!

 

I have a quick query...

I have a pair of ISE nodes running 2.4 Patch 10 that seem to insist on trying to use FIPS for SSH/SFTP, which I believe is causing the connection to fail as the remote server is not FIPS capable.

 

FIPS Mode is disabled via the GUI, though I can't see where to change this on the CLI.

 

Any help would be appreciated; below is the error when testing SSH.  This is currently preventing me from upgrading to 2.6.  I have another pair of ISE boxes, running the same version/patch, which do not experience this issue.

 

ise01/admin# ssh <serverIP> diserepo
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_dispatch_run_fatal: Connection to <serverIP> port 22: error in libcrypto

 

Many thanks

 

Mark

14 Replies

Colby LeMaire
VIP Alumni

Have you tried to stop and restart the ISE services?  Or maybe a reboot of the node?  If a reboot doesn't resolve the issue, then I would recommend opening a TAC case.  There is no option on the CLI to disable FIPS.  It sounds like FIPS is disabled but for some reason, SSH didn't get the message.  That's why I think a reboot may help.


@Colby LeMaire wrote:

Have you tried to stop and restart the ISE services?  Or maybe a reboot of the node?  If a reboot doesn't resolve the issue, then I would recommend opening a TAC case.  There is no option on the CLI to disable FIPS.  It sounds like FIPS is disabled but for some reason, SSH didn't get the message.  That's why I think a reboot may help.


Agree. If that fails it might be a bug; check with TAC.

Thanks Colby and Jason

 

I had tried restarting the services and then, when that didn't fix it, a hard boot, but alas neither worked.  It looks like a call to TAC.  I'll update with the findings.

 

Thanks again and have a great Christmas. 

 

Mark

Hello @R M C, any findings here? Thanks in advance.

Hi Melaine

Apologies for the late follow up, TAC found a bug in 2.6 patch 4 and have been able to replicate, it is apparently fixed in 2.6 patch 5 though I've yet to obtain downtime to test, due to current restrictions.  As soon as I'm able to, I'll post an update.

 

Many thanks

 

Mark

This fails for me in 2.6 patch 6.  I'm opening a case now.

It is still failing for me in 2.6 patch 6 too.  TAC are still investigating.

Same problem for me as well in 2.6 patch 7. Have you found a solution?

There are a couple of bugs that could be involved here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum13116 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt88460 

 

I would suggest running the following commands from the CLI, capturing the output from the console, and opening a TAC case to investigate further.

debug transfer 7
debug copy 7
show repository <reponame>

Hi Pradeep

My case is still open, apparently it is a 'feature' that was enabled. They are currently in discussions as to whether this will be disabled in a future release, though that's still with the dev team. Unusually, it doesn't seem to affect SFTP....

I'll post an update as soon as I hear further.
Thanks

R M C
Level 1

I ended up closing the TAC case, as I was no longer able to replicate the issue. I'm not sure if the server team had changed encryption ciphers; they certainly hadn't enabled FIPS compliance.  But it is now working....

 

Below is an explanation as to how the repository lookup worked though SSH didn't, I hope it helps someone.

 

The sh repo command works because it activates SFTP protocol in its underlying script, unlike the SSH command itself (e.g. SSH to Microsoft server will use Microsoft server ciphers, sh repo <name> will SFTP to SFTP server and use the ciphers that are available in that application’s software/version level – again both use-cases being the same L3 address).
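The mismatch described above (a FIPS-mode SSH client against a server whose algorithm list has no approved overlap) can be checked before opening a case. The following is an added example, not code from this thread or from ISE: it parses the server's KEXINIT proposal out of OpenSSH `ssh -vv` output captured from any workstation against the same server and intersects it with a FIPS-approved algorithm set. The approved sets are an assumption (a typical FIPS 140-2 client profile; confirm against your vendor's list) and the sample debug output is constructed.

```python
import re

# Representative FIPS-approved SSH algorithm names (assumption: a typical
# FIPS 140-2 client profile; confirm against your vendor's published list).
FIPS_SETS = {
    "kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc",
                "aes256-cbc", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}
# Labels OpenSSH prints in "ssh -vv" KEXINIT dumps; only the server-to-client
# (stoc) direction is checked here.
LABELS = {"KEX algorithms": "kex", "ciphers stoc": "ciphers", "MACs stoc": "macs"}

def parse_server_proposal(debug_output):
    # The client's own proposal is printed first; only lines after
    # "peer server KEXINIT proposal" describe what the server offers.
    proposal = {"kex": [], "ciphers": [], "macs": []}
    in_server = False
    for line in debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server = True
            continue
        m = re.match(r"debug2: ([A-Za-z ]+): (.*)$", line) if in_server else None
        key = LABELS.get(m.group(1)) if m else None
        if key:
            proposal[key] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return proposal

def fips_overlap(proposal):
    # Algorithms the server offers that a FIPS-mode client may also use.
    return {k: sorted(set(v) & FIPS_SETS[k]) for k, v in proposal.items()}

def handshake_possible(proposal):
    # Negotiation needs at least one common algorithm in every category.
    return all(fips_overlap(proposal).values())

# Constructed sample: the server offers no approved KEX or MAC, so a
# FIPS-mode client cannot complete the handshake even though aes256-ctr matches.
SAMPLE_NONFIPS = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256,ecdh-sha2-nistp256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-ctr
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-md5
debug2: first_kex_follows 0
"""
```

An empty list in any category of `fips_overlap(...)` is the condition that shows up on the client side as an opaque libcrypto or KEX failure, so fixing the server's offered algorithms (or confirming the client really left FIPS mode) is the remediation, not retrying.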

RMC, do you remember the TAC case number?  I'm running v2.7 p4 and I have this problem when trying to set up FIPS mode for a STIG. When I try to enable FIPS I get the same error.  No matter what boxes I deselect it will never go enabled.

 

Error Message: 'The following "Allowed Protocols" are configured to use non-FIPS compliant protocols. FIPS can not be enabled until these "Allowed Protocols" are deleted or they are edited to use only FIPS compliant protocols.'

I had the same issue.  I disabled MD5 hash and was able to enable FIPS.  But I now can't SSH into ISE since turning FIPS on.

Hi Davsnet

 

Apologies for the delay. My issue was the opposite: I had FIPS disabled, however the connection was defaulting to FIPS enabled.  The issue appeared to resolve itself, unfortunately, and I could no longer replicate it.

 

Apologies.
