12-24-2019 07:37 AM
Merry Christmas Everyone!
I have a quick query...
I have a pair of ISE nodes running 2.4 Patch 10 that seem to insist on trying to use FIPS for SSH/SFTP, which I believe is causing the connection to fail as the remote server is not FIPS capable.
FIPS Mode is disabled via the GUI, though I can't see where to change this on the CLI.
Any help would be appreciated; below is the error when testing SSH. This is currently preventing me from upgrading to 2.6. I have another pair of ISE boxes, running the same version/patch, which do not experience this issue.
ise01/admin# ssh <serverIP> diserepo
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_dispatch_run_fatal: Connection to <serverIP> port 22: error in libcrypto
Many thanks
Mark
Labels: Identity Services Engine (ISE)
Accepted Solutions

12-24-2019 12:25 PM
@Colby LeMaire wrote:
Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.
agree if that fails might be a bug, check with TAC
12-24-2019 08:08 AM
Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.

12-24-2019 06:03 PM
Thanks Colby and Jason
I had tried restarting the services and then, when that didn't fix it, a hard boot, but alas neither worked. It looks like a call to TAC. I'll update with the findings.
Thanks again and have a great Christmas.
Mark
04-27-2020 02:24 AM
04-27-2020 03:08 AM
Hi Melaine
Apologies for the late follow-up. TAC found a bug in 2.6 patch 4 and have been able to replicate it; it is apparently fixed in 2.6 patch 5, though I've yet to obtain downtime to test due to current restrictions. As soon as I'm able to, I'll post an update.
Many thanks
Mark
05-26-2020 02:53 PM
This fails for me in 2.6 patch 6. I'm opening a case now.
07-08-2020 10:14 AM
It is still failing for me in 2.6 patch 6 too. TAC are still investigating.
08-20-2020 06:39 AM
Same problem for me as well in 2.6 patch 7. Have you found a solution?

08-21-2020 12:19 AM
There are a couple of bugs that could be involved here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum13116
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt88460
I would suggest running the following commands from the CLI, capturing the output from the console, and opening a TAC case to investigate further.
debug transfer 7
debug copy 7
show repository <reponame>
08-24-2020 04:13 AM
My case is still open, apparently it is a 'feature' that was enabled. They are currently in discussions as to whether this will be disabled in a future release, though that's still with the dev team. Unusually, it doesn't seem to affect SFTP....
I'll post an update as soon as I hear further.
Thanks
03-10-2021 10:49 AM
I ended up closing the TAC case; I was no longer able to replicate the issue. I'm not sure if the server team had changed encryption ciphers; they certainly hadn't enabled FIPS compliance. But it is now working....
Below is an explanation as to how the repository lookup worked though SSH didn't. I hope it helps someone.
The sh repo command works because it activates the SFTP protocol in its underlying script, unlike the SSH command itself (e.g. SSH to a Microsoft server will use the Microsoft server's ciphers; sh repo <name> will SFTP to the SFTP server and use the ciphers that are available in that application's software/version level, again both use-cases being the same L3 address).
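One way to test the cipher-mismatch explanation above from a workstation, rather than guessing from "error in libcrypto", is to read the algorithm lists the remote host actually offers and compare them with what a FIPS-restricted client may use. The script below is an added example for this thread, not Cisco or ISE code: it parses an SSH_MSG_KEXINIT (RFC 4253), runs the standard first-client-preference-the-server-also-offers negotiation, and reports whether a FIPS-only client could find a key exchange, host key, cipher and MAC in common. The FIPS-approved lists are an assumption (a commonly used approved set); the thread does not state which algorithms CiscoSSL on ISE enforces. The two sample KEXINIT payloads are constructed inline, so the file runs offline; pass a host and port to probe a real listener, for example the SSH port and the SFTP application port on the repository server separately.

```python
"""Check which of an SSH server's offered algorithms a FIPS-mode client could
negotiate, by parsing the server's SSH_MSG_KEXINIT (RFC 4253, sections 6.1
and 7.1).  Added example for this thread, not Cisco code."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# ASSUMPTION: a typical FIPS-approved SSH algorithm set, in client preference
# order. The exact set CiscoSSL enforces on ISE is not stated in the thread.
FIPS_KEX = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
FIPS_HOSTKEYS = ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
                 "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
FIPS_CIPHERS = ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"]
FIPS_MACS = ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]

# The ten name-lists of KEXINIT, in wire order.
KEXINIT_FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Return the name-lists from a KEXINIT payload (packet framing removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                       # message byte + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(kex, host_key, ciphers, macs):
    """Construct a KEXINIT payload; used here only to build sample input."""
    def nl(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    lists = [kex, host_key, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)       # constructed zero cookie
            + b"".join(nl(l) for l in lists)
            + b"\x00" + struct.pack(">I", 0))          # no guess packet; reserved


def choose(client_pref, server_offer):
    """RFC 4253 7.1: first client-preferred algorithm the server also offers."""
    for alg in client_pref:
        if alg in server_offer:
            return alg
    return None


def fips_negotiation(kexinit):
    """What a FIPS-restricted client would pick from this server's KEXINIT."""
    return {"kex": choose(FIPS_KEX, kexinit["kex"]),
            "host_key": choose(FIPS_HOSTKEYS, kexinit["host_key"]),
            "cipher": choose(FIPS_CIPHERS, kexinit["cipher_s2c"]),
            "mac": choose(FIPS_MACS, kexinit["mac_s2c"])}


def fips_compatible(kexinit):
    """True only if every category has a FIPS-approved algorithm in common."""
    return all(v is not None for v in fips_negotiation(kexinit).values())


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live probe: do the version exchange and read the server's first packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-fipscheck_0.1\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # skip pre-banner lines
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH identification string received")
        (packet_len,) = struct.unpack(">I", f.read(4))
        pad_len = f.read(1)[0]
        payload = f.read(packet_len - pad_len - 1)    # first packet: no cipher, no MAC
        return parse_kexinit(payload)


# Constructed samples: a legacy-only server and one that also offers FIPS algorithms.
LEGACY_ONLY = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                            ["chacha20-poly1305@openssh.com"], ["umac-64@openssh.com"])
MIXED = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256"],
                      ["ssh-ed25519", "rsa-sha2-256"],
                      ["chacha20-poly1305@openssh.com", "aes128-ctr"],
                      ["umac-64@openssh.com", "hmac-sha2-256"])

if __name__ == "__main__":
    args = sys.argv[1:]  # e.g. python fipscheck.py sftp.example.net 22 (hypothetical host)
    if args:
        ki = fetch_server_kexinit(args[0], int(args[1]) if len(args) > 1 else 22)
    else:
        ki = parse_kexinit(MIXED)
    print(fips_negotiation(ki), "compatible:", fips_compatible(ki))
```

If the probe reports no common algorithm in any one category, a FIPS-mode client cannot complete key exchange regardless of credentials, which is the kind of mismatch the debug output from `debug transfer 7` / `debug copy 7` would show from the ISE side. A server that passes here but still fails from ISE points back at the node itself, which is where the thread's TAC cases went.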
10-27-2021 02:35 PM
RMC, do you remember the TAC case number? I'm running v2.7 p4 and I have this problem when trying to set up FIPS mode for a STIG. When I try to enable FIPS I get the same error. No matter what boxes I deselect, it will never go enabled.
Error Message: 'The following "Allowed Protocols" are configured to use non-FIPS compliant protocols. FIPS can not be enabled until these "Allowed Protocols" are deleted or they are edited to use only FIPS compliant protocols.'
01-14-2022 04:34 AM
I had the same issue. I disabled the MD5 hash and was able to enable FIPS. But I now can't SSH into ISE since turning FIPS on.
06-23-2022 04:58 AM
Hi Davsnet
Apologies for the delay; my issue was the opposite: I had FIPS disabled, however the connection was defaulting to FIPS enabled. The issue appeared to resolve itself, unfortunately, and I could no longer replicate it.
Apologies.
