Solved: Issues using Nexus9k as repository for ISE server

RDrew · ‎12-07-2021

I am having an issue with using my Nexus 9k as a Repository for my ISE server.
I verify that the "feature sftp-server" is on the nexus

I then go over to my ISE server and thru the CLI, & create the Repository

ise-001p/admin(config)# repository AS-05
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
ise-001p/admin(config-Repository)# url sftp://10.10.10.28/
% Warning: Repositories configured from CLI cannot be used from the ISE web UI and are not replicated to other ISE nodes. If this repository is not created in the ISE web UI, it will be deleted when ISE services restart.
ise-001p/admin(config-Repository)# user <name> password plain <password>
ise-001p/admin(config-Repository)# exit
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
ise-001p/admin(config)# exit

ise-001p/admin# crypto host_key add host 10.10.10.28
host key fingerprint added
Operating in CiscoSSL FIPS mode

ise-001p/admin# show repository AS-05
% Error: Repository AS-05 could not be accessed. In case Backup was Restored on different setup, Please reconfigure the repository passwords (expected behaviour).
% SSH connect error

I for the life of me cannot determine what I have missed but obviously I have missed something. Any help would be appreciated.

RDrew · ‎12-13-2021

We found a fix

We could not get the Nexus to act as our ISE repository for SFTP.

So we just created a folder on our Fileshare and gave ISE the necessary permissions to be able to read and write to that folder.

View solution in original post

balaji.bandi · ‎12-07-2021

what is the use case here ? ISE is heavy - what are you trying to save on nexus Device ( make sure you know the Limitation before using nexus as SFTP Server)

on ISE i would do crypto first then configure repository :

here is the configuration and limitation of SFTP Server on nexus 9K

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0111.html#...

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

RDrew · ‎12-10-2021

Hello,

Sorry for the delay in my reply. Yes I understand that ISE is heavy. and we would only use the Nexus for a backup repository and to get the new device image transferred to it. Because we do not currently have a SFTP server that we can use as restrictions on my network detail.

Currently our Nexus has 112GB of memory space available I do not see there would be an issue if we use it just for backups and when we need to get the new image of ISE to the device.

And I have done the crypto command first and still get the same message.

thomas · ‎12-09-2021

Have you ever successfully used this Nexus as an SFTP server for other things?

Or is ISE the first client to test it with?

But I agree with @balaji.bandi and not sure why Nexus is your go-to SFTP server.

RDrew · ‎12-10-2021

We have not used the Nexus device as an SFTP server before, I was advised to try it by my Net Lead, ISE would be our first client to test. Normally we use SCP to get the device images over to our network devices but for some reason ISE doesn't support SCP and we were in a pinch to get ISE OS upgraded, as we were being flagged for a vulnerability with the current OS we are on.

thomas · ‎12-13-2021

I recommend testing with another SFTP client to ensure it works before assuming that ISE does not.

RDrew · ‎12-13-2021

We found a fix

We could not get the Nexus to act as our ISE repository for SFTP.

So we just created a folder on our Fileshare and gave ISE the necessary permissions to be able to read and write to that folder.