12-24-2019 07:37 AM
Merry Christmas Everyone!
I have a quick query...
I have a pair of ISE nodes running 2.4 Patch 10 that seem to insist on trying to use FIPS for SSH/SFTP, which I believe is causing the connection to fail as the remote server is not FIPS capable.
FIPS Mode is disabled via the GUI, though I can't see where to change this on the CLI.
Any help would be appreciated, below is the error when testing SSH. This is currently preventing me upgrading to 2.6. I have another pair of ISE boxes, running the same version/patch which do not experience this issue.
ise01/admin# ssh <serverIP> diserepo
Operating in CiscoSSL FIPS mode
FIPS mode initialized
ssh_dispatch_run_fatal: Connection to <serverIP> port 22: error in libcrypto
Many thanks
Mark
12-24-2019 12:25 PM
@Colby LeMaire wrote:
Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.
agree if that fails might be a bug, check with TAC
12-24-2019 08:08 AM
Have you tried to stop and restart the ISE services? Or maybe a reboot of the node? If a reboot doesn't resolve the issue, then I would recommend opening a TAC case. There is no option on the CLI to disable FIPS. It sounds like FIPS is disabled but for some reason, SSH didn't get the message. That's why I think a reboot may help.
12-24-2019 06:03 PM
Thanks Colby and Jason
I had tried restarting the services and then, when that didn't fix it, a hard boot, but alas neither worked. It looks like a call to TAC. I'll update with the findings.
Thanks again and have a great Christmas.
Mark
04-27-2020 02:24 AM
04-27-2020 03:08 AM
Hi Melaine
Apologies for the late follow up, TAC found a bug in 2.6 patch 4 and have been able to replicate, it is apparently fixed in 2.6 patch 5 though I've yet to obtain downtime to test, due to current restrictions. As soon as I'm able to, I'll post an update.
Many thanks
Mark
05-26-2020 02:53 PM
This fails for me in 2.6 patch 6. I'm opening a case now.
07-08-2020 10:14 AM
It is still failing for me in 2.6 patch 6 too. TAC are still investigating.
08-20-2020 06:39 AM
Same problem for me as well in 2.6 patch 7. Have you found a solution?
08-21-2020 12:19 AM
There are a couple of bugs that could be involved here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum13116
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt88460
I would suggest running the following commands from the CLI, capturing the output from the console, and opening a TAC case to investigate further.
debug transfer 7
debug copy 7
show repository <reponame>
08-24-2020 04:13 AM
03-10-2021 10:49 AM
I ended up closing the TAC case, as I was no longer able to replicate the issue. I'm not sure if the server team had changed encryption ciphers; they certainly hadn't enabled FIPS compliance. But it is now working....
Below is an explanation as to how the repository lookup worked though SSH didn't, I hope it helps someone.
The sh repo command works because it activates SFTP protocol in its underlying script, unlike the SSH command itself (e.g. SSH to Microsoft server will use Microsoft server ciphers, sh repo <name> will SFTP to SFTP server and use the ciphers that are available in that application’s software/version level – again both use-cases being the same L3 address).
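The explanation above comes down to SSH algorithm negotiation: a client running in FIPS mode offers a restricted set of key-exchange, host-key, cipher and MAC algorithms, and the connection fails if the server's KEXINIT proposal shares nothing with it in any one category. The following script is an added example (not code from ISE, Cisco or the thread) that parses the server's proposal out of OpenSSH `ssh -vv` debug output and reports, per category, whether a FIPS-constrained client would find a match. The `FIPS_CLIENT_PROPOSAL` list is an illustrative assumption, not ISE's actual algorithm list, and the two debug transcripts are constructed for the example; the point is to check a repository host's offered algorithms before relying on it with FIPS enabled.

```python
import re

# Illustrative FIPS-constrained client proposal (an assumption for this example,
# NOT ISE's real list): what a client in FIPS mode might offer, in preference order.
FIPS_CLIENT_PROPOSAL = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"],
    "hostkey": ["rsa-sha2-512", "rsa-sha2-256",
                "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"],
    "cipher": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
               "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

# Labels OpenSSH prints in its 'peer server KEXINIT proposal' block (ssh -vv),
# mapped to the categories above. Only the server-to-client direction is used.
_FIELDS = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers stoc": "cipher",
    "MACs stoc": "mac",
}


def parse_peer_proposal(debug_output: str) -> dict:
    """Extract the server's KEXINIT proposal from 'ssh -vv' debug output.

    The client's own proposal is printed first under 'local client KEXINIT
    proposal'; everything before the peer header is ignored, and parsing stops
    at the first non-debug2 line after it (assumed layout of OpenSSH output).
    """
    proposal = {}
    in_peer = False
    for line in debug_output.splitlines():
        line = line.rstrip()
        if "peer server KEXINIT proposal" in line:
            in_peer = True
            continue
        if not in_peer:
            continue
        if not line.startswith("debug2:"):
            break
        m = re.match(r"debug2: ([A-Za-z ]+?): (\S+)$", line)
        if m and m.group(1) in _FIELDS:
            proposal[_FIELDS[m.group(1)]] = m.group(2).split(",")
    return proposal


def negotiate(client: dict, server: dict) -> dict:
    """RFC 4253 section 7.1: per category, the first algorithm in the client's
    preference list that the server also offers wins; None means no match."""
    return {cat: next((alg for alg in client[cat] if alg in server.get(cat, [])), None)
            for cat in client}


def fips_compatibility_report(debug_output: str) -> dict:
    """Would a FIPS-constrained client negotiate successfully with this server?"""
    server = parse_peer_proposal(debug_output)
    chosen = negotiate(FIPS_CLIENT_PROPOSAL, server)
    failing = [cat for cat, alg in chosen.items() if alg is None]
    return {"compatible": not failing, "chosen": chosen,
            "failing_categories": failing, "server_offered": server}


# Constructed sample: a server that only offers legacy, non-FIPS algorithms.
LEGACY_SERVER = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: 3des-cbc,arcfour,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,arcfour,blowfish-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1-96
debug2: MACs stoc: hmac-md5,hmac-sha1-96
debug2: compression stoc: none
debug1: kex: algorithm: (none)
"""

# Constructed sample: a current server that also offers FIPS-usable algorithms.
MODERN_SERVER = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: compression stoc: none,zlib@openssh.com
debug1: kex: algorithm: ecdh-sha2-nistp256
"""

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        report = fips_compatibility_report(sample)
        print(name, "compatible:", report["compatible"],
              "failing:", report["failing_categories"])
```

Feed it real output from `ssh -vv <serverIP>` captured on a host that can reach the repository; a category listed under `failing_categories` is one where the server offers nothing the FIPS-constrained client will accept, which is the "error in libcrypto"-style failure seen in the thread rather than an authentication problem.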
10-27-2021 02:35 PM
RMC, do you remember the TAC case number? I'm running v2.7 p4 and I have this problem when trying to set up FIPS mode for a STIG. When I try to enable FIPS I get the same error. No matter what boxes I deselect it will never go enabled.
Error Message: 'The following "Allowed Protocols" are configured to use non-FIPS compliant protocols. FIPS can not be enabled until these "Allowed Protocols" are deleted or they are edited to use only FIPS compliant protocols.'
01-14-2022 04:34 AM
I had the same issue. I disabled MD5 hash and was able to enable FIPS. But I now can't SSH into ISE since turning FIPS on.
06-23-2022 04:58 AM
Hi Davsnet
Apologies for the delay; my issue was the opposite: I had FIPS disabled, however the connection was defaulting to FIPS enabled. The issue appeared to resolve itself, unfortunately, and I could no longer replicate it.
Apologies.