Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
8163
Views
20
Helpful
9
Replies

ISE with Windows SFTP Repository

Go to solution
colossus1611
Level 1
Level 1

‎08-14-2020 03:08 PM - edited ‎08-14-2020 07:24 PM

Hi Team,

 

I am trying to upgrade ISE from v2.4 to 2.7 currenlty and am stuck at an annoying part where I am unable to get upgrade bundle copied over from a Windows Server based SFTP repository to ISE local disk. 

 

The port 22 communication is open and verified. The Host key add is successful when tried with the 'crypto host_key add host' command. But for some reason the repository doesn't get listed when I try 'show repository'. The error message that follows doesn't have much details to help with and I am not sure what is going wrong with it. Below is the error message I get:

 

% Error: Repository UpgradeJumpbox could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).

 

When I then tried adding same repository via GUI, it gave me an error when I had C: in my path for C drive (/C:/FolderA/FolderB) which then made me question if it actually doesn't like Windows based SFTP server for any reason.

 

Any pointers by anyone on what can I do to get over the line with this and get started with my upgrade?

 

 

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
colossus1611
Level 1
Level 1
In response to balaji.bandi

‎08-16-2020 06:06 PM

Thank you all for your inputs. I have moved it to a different server, and successfully transferred using FTP now.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎08-14-2020 03:22 PM

Hope below thread help you :

 

https://community.cisco.com/t5/network-access-control/sftp-transfer-from-linux-to-ise-repository/m-p/3534737

 

make sure there no windows FW enabled, do you have any other blocker between SFTP and ISE ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
colossus1611
Level 1
Level 1
In response to balaji.bandi

‎08-14-2020 03:56 PM

There are no firewalls between ISE and Windows SFTP server. Port 22 is open and tested from ISE. 

 

If my upgrade bundle is under C:\temp\Cisco folder, what should my URL look like under the repository?

 

I have it as url sftp://IP address/C:/temp/Cisco

 

From that thread you shared, I am not sure if the bug listed in one of the replies is also impacting me by any chance:

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCum13116

 

My ISE nodes are currently on 2.4(0.357) which is shown as one of the Known affected releases under above bug advisory.

 

 

 

0 Helpful

Go to solution
colossus1611
Level 1
Level 1
In response to colossus1611

‎08-14-2020 04:07 PM - edited ‎08-14-2020 07:22 PM

Also, when I look at my SFTP server keys, it shows different value to what it does when I add the host key using 'crypto host_key add host' command under ISE CLI. I tried deleting this key and readd it but the same key shows up again as found added.

 

From ISE CLI:

host key fingerprint added
# Host 192.168.1.1 found: line 2
192.168.1.1 RSA SHA256:1Qci3ZCNyR75QhGDVXZeRGT+m/Kk1S5HC5tTd1hs5uU

 

Below is screenshot from SFTP server on Windows

 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-14-2020 04:15 PM

When you reference a repository, be it windows or linux, you do not reference the drive in the path. The drive is handled by the FTP server, the path is relative to where you would be placed when you log in yourself via a ftp client, usually the "home" directory of the user. You can manipulate this quite a bit within FTP server config.

You can pcap the SFTP connection attempt from the GUI troubleshooting tools page. From the PAN, select the node you are attempting to connection from, enter "ip host x.x.x.x" where the x's are the SFTP server IP. You should be able to see a more specific failure message in the connection set up packets. It's possible that there is no cipher shared between the two assuming they are able to reach each other since the key add worked.

Go to solution
colossus1611
Level 1
Level 1
In response to Damien Miller

‎08-14-2020 06:03 PM

Hi Damien,

Yes I have restricted user access to FTP/SFTP server so can't make changes to whatever it is right now. It's root directory is set tp C:/folderA/folderB.

I will try and capture logs from ISE GUI to see if that leads us into any direction.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to colossus1611

‎08-14-2020 09:57 PM

If when you log in you automatically placed in the path of c:\folderA\folderB, then within ise you can specific just "/" for the path, and ISE will reference the root of the allowed folder.

If you wanted to go to c:\folderA\folderB\folderC, and the home/root is folderB, then in ISE you would enter only /folderC/ for the path.

This is assuming you make it through your connection.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to colossus1611

‎08-15-2020 12:46 AM

what SFTP Server you are using, some of SFTP Server required permission to add IP address of ISE IP address to allow.

 

so please check that setting also to rule out.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
colossus1611
Level 1
Level 1
In response to balaji.bandi

‎08-16-2020 06:06 PM

Thank you all for your inputs. I have moved it to a different server, and successfully transferred using FTP now.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to colossus1611

‎08-16-2020 11:57 PM

Glad all working at end, sometimes we need to look both the side issue.

 

so we mark as resolved.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Top