
ISE nodes unable to see SFTP repository

paynewj
Level 1

Our ISE deployment consists of (4) nodes - (2) PANs and (2) PSNs - and only 1/4 can access the repository where the Log4J patch file is currently located.

I’ve recreated the repository via the ISE Admin console and the config deployed to all (4) of the nodes, but the only one that's able to connect and see the contents of the repository is our primary PAN. The secondary PAN can't connect, nor can the (2) PSNs in our deployment. 

I validated the repository in the GUI after it was created.

As mentioned, I was able to see the contents of the repo using the show repository command on our primary PAN, but received the following error when running the same command on all other nodes:

 

show repository ISE_Repo
% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% Error: Repository ISE_Repo could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).

 

I've tried manually removing and then re-adding the repository and running the crypto host_key add host <host IP> command, but get the same result.

Any help would be greatly appreciated.

21 Replies

Don’t manage your repository configs via CLI. Make changes in the Admin UI because that will propagate the changes to all nodes in the deployment. The only thing you need to do on the CLI is to ensure that the crypto key is configured on every node on which you need to access that repo. 

Thanks for your response. I'm using the CLI to add the crypto host key only, but the response is showing as below, not showing an encrypted message.

# BEN-ISE/admin# crypto host_key add host 10.155.23.123
host key fingerprint added
Operating in CiscoSSL FIPS mode

#. I used the following commands to remove the old key and reconfigure.


1. ssh delete host X.X.X.X

2. crypto host_key delete host X.X.X.X


Thanks

I can't see the screenshot you tried to embed in the message (I think?).

I'm getting confused - you're able to delete the old crypto keys, yes?

But when you try adding a new crypto key then you get an error?

 

In my experience the error when adding crypto keys tends to be a network communication error - during this process, ISE tries to reach the remote host to exchange public keys - and if TCP/22 is being blocked (or the remote end fails to establish a response to ISE) then the crypto command will fail. You can try enabling the debug below before you issue the crypto add command:

debug transfer 7

Hello,

Please see result below,


UNMISS-BEN-ISE/admin# crypto host_key add host 10.155.22.9
host key fingerprint added
Operating in CiscoSSL FIPS mode

UNMISS-BEN-ISE/admin# sh repository sftp
3 [9587]:[error] transfer: cars_xfer.c[204] [admin]: couldn't get repository sftp
% Error: Repository sftp could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
% Repository not found
UNMISS-BEN-ISE/admin# debug transfer 7
UNMISS-BEN-ISE/admin#

Hello @rishisemwal 

 

You must enable the debug BEFORE you issue the "show repo" command - this debug command attempts to show you what ISE is doing during the network communications to the repo.

 

And have you also tried re-setting the password for the repo's user account?  I sometimes validate the user credentials using a tool like WinSCP to ensure that I have the correct password. And then I re-enter the same password for this repo config in the ISE GUI. 

Good morning Arne,

1# I have changed the password and tried to configure the host key, but I have the same issue.

UNMISS-BEN-ISE/admin# crypto host_key add host 10.155.22.9
host key fingerprint added
Operating in CiscoSSL FIPS mode

UNMISS-BEN-ISE/admin# debug transfer 7
UNMISS-BEN-ISE/admin# sh repository sftp
% Error: Repository sftp could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
3 [18261]:[error] transfer: cars_xfer.c[204] [admin]: couldn't get repository sftp
% Repository not found
UNMISS-BEN-ISE/admin#


2# Getting the following error when I tried to validate SFTP.


Thanks
Rishi

Are you able to SSH from that ISE node to the SFTP IP address?
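
Added example, not part of any post in this thread and not Cisco code: a small Python triage that reads pasted CLI sessions from several nodes, classifies each show repository failure by the error strings quoted above, and records whether debug transfer 7 was already enabled when the command ran. The hostname ise-psn1, the function names and the pairing of each error with a next step from the replies are assumptions of this example.

```python
import re

# Signatures are strings from the CLI output quoted in this thread, most specific
# first; pairing each with a next step from the replies is this example's assumption.
SIGNATURES = [
    ("host_key_missing", "host key is not configured",
     "run 'crypto host_key add host <SFTP IP>' on this node"),
    ("repo_not_found", "% Repository not found",
     "confirm the repository name exists on this node (manage it in the Admin UI)"),
    ("access_failed", "could not be accessed",
     "re-enter the repository password in the GUI, then test SSH to the SFTP host"),
]
PROMPT = re.compile(r"^(?P<node>[\w.-]+)/admin# ?(?P<cmd>.*)$")
SHOW_REPO = re.compile(r"^sh(ow)?\s+repo(sitory)?\s+(?P<repo>\S+)")

def classify(output):
    """Return (finding, next_step) for one 'show repository' output; first match wins."""
    return next(((n, s) for n, needle, s in SIGNATURES if needle in output), ("ok", "none"))

def triage(capture):
    """Split a pasted CLI session per command and classify each 'show repository'."""
    findings, debug_on, current = [], set(), None
    for line in capture.splitlines():
        m = PROMPT.match(line.strip())
        if not m:                       # output line: belongs to the last command
            if current is not None:
                current["output"].append(line)
            continue
        node, cmd = m["node"], m["cmd"].strip()
        if cmd.startswith("debug transfer"):
            debug_on.add(node)          # debug only helps commands issued after it
        show = SHOW_REPO.match(cmd)
        current = {"node": node, "repo": show["repo"], "output": [],
                   "debug_was_on": node in debug_on} if show else None
        if current:
            findings.append(current)
    for f in findings:
        f["finding"], f["next_step"] = classify("\n".join(f.pop("output")))
    return findings

# Constructed sample assembled from the output in the thread; "ise-psn1" is a made-up name.
SAMPLE = """ise-psn1/admin# show repository ISE_Repo
1. host key is not configured
% Error: Repository ISE_Repo could not be accessed.
UNMISS-BEN-ISE/admin# debug transfer 7
UNMISS-BEN-ISE/admin# sh repository sftp
% Error: Repository sftp could not be accessed.
% Repository not found"""
```

Calling triage(SAMPLE) returns one record per show repository command, so a missing host key on one node and a repository name that is not found on another show up as different findings instead of the same generic access error.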