Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13338
Views
28
Helpful
21
Replies

ISE nodes unable to see SFTP repository

Go to solution
paynewj
Level 1
Level 1

‎12-16-2021 04:46 PM

Our ISE deployment consists of (4) nodes - (2) PANs and (2) PSNs - and only 1/4 can access the repository where the Log4J patch file is currently located.

I’ve recreated the repository via the ISE Admin console and the config deployed to all (4) of the nodes, but the only one that's able to connect and see the contents of the repository is our primary PAN. The secondary PAN can't connect, nor can the (2) PSNs in our deployment. 

I validated the repository in the GUI after it was created.

As mentioned, I was able to see the contents of the repo using the show repository command on our primary PAN, but received the following error when running the same command on all other nodes:

 

show repository ISE_Repo
% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% Error: Repository ISE_Repo could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).

 

I've tried manually removing and then re-adding the repository and running the crypto host_key add host <host IP> command, but get the same result.

Any help would be greatly appreciated.

1 person had this problem
0 Helpful
21 Replies 21

Go to solution
Arne Bier
VIP
VIP
In response to rishisemwal

‎06-19-2022 03:42 AM

Don’t manage your repository configs via CLI. Make changes in the Admin UI because that will propagate the changes to all nodes in the deployment. The only thing you need to do on the CLI is to ensure that the crypto key is configured on every node on which you need to access that repo. 

0 Helpful

Go to solution
rishisemwal
Level 1
Level 1
In response to Arne Bier

‎06-19-2022 04:27 AM

Thanks for your response, I'm using CLI to add crypto key host only but response is showing as below, not showing[cid:024309ce-f287-4f05-a546-3f823932f22e] encrypted message.

# BEN-ISE/admin# crypto host_key add host 10.155.23.123
host key fingerprint added
Operating in CiscoSSL FIPS mode

#. I used following command to remove old key and reconfigure.


1. ssh delete host X.X.X.X

2. crypto host_key delete host X.X.X.X


Thanks
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to rishisemwal

‎06-19-2022 01:41 PM

I can't see the screenshot you tried to embed in the message (I think?).

I'm getting confused - you're able to delete the old crypto keys, yes?

But when you try adding a new crypto key then you get an error?

 

In my experience the error when adding crypto keys tends to be a network communication error - during this process, ISE tries to reach the remote host to exchange public keys - and if TCP/22 is being blocked (or the remote end fails to establish a response to ISE) then the crypto command will fail.  You can try enabling the debug below, before you issue the the crypto add command

debug transfer 7
0 Helpful

Go to solution
rishisemwal
Level 1
Level 1
In response to Arne Bier

‎06-20-2022 06:17 AM

Hello,

Please see result below,


[cid:dd3cf8fb-9d99-4ee3-8b8f-c217e5d6071c]
UNMISS-BEN-ISE/admin# crypto host_key add host 10.155.22.9
host key fingerprint added
Operating in CiscoSSL FIPS mode

UNMISS-BEN-ISE/admin# sh repository sftp
3 [9587]:[error] transfer: cars_xfer.c[204] [admin]: couldn't get repository sftp
% Error: Repository sftp could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
% Repository not found
UNMISS-BEN-ISE/admin# debug transfer 7
UNMISS-BEN-ISE/admin#

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to rishisemwal

‎06-20-2022 01:29 PM

Hello @rishisemwal 

 

You must enable the debug BEFORE you issue the "show repo" command - this debug command attempts to show you what ISE is doing during the network communications to the repo.

 

And have you also tried re-setting the password for the repo's user account?  I sometimes validate the user credentials using a tool like WinSCP to ensure that I have the correct password. And then I re-enter the same password for this repo config in the ISE GUI. 

0 Helpful

Go to solution
rishisemwal
Level 1
Level 1
In response to Arne Bier

‎06-21-2022 12:24 AM

Good morning Arne,

1# I have changed the password and tried to configure host key but same issue.

UNMISS-BEN-ISE/admin# crypto host_key add host 10.155.22.9
host key fingerprint added
Operating in CiscoSSL FIPS mode

UNMISS-BEN-ISE/admin# debug transfer 7
UNMISS-BEN-ISE/admin# sh repository sftp
% Error: Repository sftp could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
3 [18261]:[error] transfer: cars_xfer.c[204] [admin]: couldn't get repository sftp
% Repository not found
UNMISS-BEN-ISE/admin#


2# Getting following error when I tried to validate SFTP.
[cid:71f31336-ede9-401b-a798-03ebcab5ca02]


Thanks
Rishi
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to rishisemwal

‎06-22-2022 02:37 PM

Are you able to SSH from that ISE node to the SFTP IP address?

0 Helpful
Customers Also Viewed These Support Documents