10-15-2025 01:22 AM - edited 10-15-2025 01:27 AM
Hello,
I have configured an SFTP server as a repository, but I'm unable to run the crypto host_key add host <server ip/fqdn> command on the secondary PAN, MON and PSN.
The cluster is made of
On the primary nodes and PSN1 the command works, but when issuing it on the other nodes the following errors are shown (I'm using the FQDN instead of the IP address); the same output comes from the secondary MON and PSN2:
ise-admin-sec/admin#crypto host_key add host serverrepo.company.com
Host serverrepo.company.com not found in /root/.ssh/known_hosts
Host serverrepo.company.com not found in /home/admin/.ssh/known_hosts
From the nodes I'm able to ping the server:
admin connected from 10.10.2.2 using ssh on ise-admin-sec
ise-admin-sec/admin#ping serverrepo.company.com
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=61 time=66.2 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=61 time=66.3 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=61 time=66.2 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=61 time=66.2 ms
I read that the crypto host_key must be given on all the nodes.
What is the cause and how can I fix it?
ISE version is 3.4 patch 3.
Thank you
Regards
10-16-2025 03:03 PM
Is there a firewall rule perhaps blocking TCP/22 between those ISE nodes and the SFTP server, or, the other way around, does the SFTP server have any ACLs that need to allow the failing ISE nodes' IP addresses?
If there are no firewall impediments, then run a tcpdump on one of the failing nodes and observe the TCP connection attempts when you perform a crypto key add. If you don't get the SYN ACK from the SFTP server then you know what the issue is.
You should also see DNS resolution in the tcp dump.
On the CLI you can get some debugs for this command:
debug all 7
Example of a working scenario:
rnolabise35a/admin#crypto host_key add host 172.22.128.120
Fri Oct 17 08:02:57 2025 [INFO] add_host_key.py add_host_key line:126 Adding crypto host key. User: admin. Host: 172.22.128.120
Fri Oct 17 08:02:57 2025 [INFO] add_host_key.py addTrustedHostKey line:116 host key fingerprint added successfully.
Fri Oct 17 08:02:58 2025 [INFO] add_host_key.py add_host_key line:134 Host key 172.22.128.120 added
Fri Oct 17 08:02:58 2025 [INFO] syslog_wrapper.py writeSyslog line:44 Writing to Syslog.
Fri Oct 17 08:02:58 2025 [INFO] syslog_wrapper.py writeSyslog line:52 Current user: admin
Fri Oct 17 08:02:58 2025 [INFO] syslog_wrapper.py writeSyslog line:53 Current user IP: 172.22.131.186
host key fingerprint added
# Host 172.22.128.120 found: line 1
172.22.128.120 RSA SHA256:hReaq******kx7k
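As an added illustration of the capture check described in this answer (example code written for this page, not something posted in the thread or shipped with ISE): the script below parses constructed `tcpdump -n` text lines and reports every flow to TCP/22 whose SYNs were never answered with a SYN-ACK, which is the pattern you see when a firewall or server-side ACL silently drops the path. It also pairs the A? query for the repository name with its answer so you can confirm DNS resolved to the address you expect. The capture text, node addresses (10.10.2.5, 10.10.2.3), resolver (10.10.0.53) and repository address are all constructed assumptions; in practice you would feed it the capture taken on the failing node.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (not from the thread). Node 10.10.2.5
# resolves the repository name and then retransmits SYNs to TCP/22 without ever
# receiving a SYN-ACK; node 10.10.2.3 completes the handshake normally.
SAMPLE_CAPTURE = """\
08:02:57.050000 IP 10.10.2.5.53120 > 10.10.0.53.53: 12345+ A? serverrepo.company.com. (40)
08:02:57.090000 IP 10.10.0.53.53 > 10.10.2.5.53120: 12345 1/0/0 A 10.1.1.1 (56)
08:02:57.101234 IP 10.10.2.5.41522 > 10.1.1.1.22: Flags [S], seq 1000, win 64240, length 0
08:02:58.120000 IP 10.10.2.5.41522 > 10.1.1.1.22: Flags [S], seq 1000, win 64240, length 0
08:03:00.150000 IP 10.10.2.5.41522 > 10.1.1.1.22: Flags [S], seq 1000, win 64240, length 0
08:05:00.000000 IP 10.10.2.3.40000 > 10.1.1.1.22: Flags [S], seq 2000, win 64240, length 0
08:05:00.066000 IP 10.1.1.1.22 > 10.10.2.3.40000: Flags [S.], seq 3000, ack 2001, win 65160, length 0
08:05:00.066500 IP 10.10.2.3.40000 > 10.1.1.1.22: Flags [.], ack 1, win 502, length 0
"""

# TCP line: "<ts> IP src.sport > dst.dport: Flags [X], ..."
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# DNS query/answer lines as tcpdump prints them (transaction id links the two)
DNS_Q_RE = re.compile(r"^\S+ IP \S+ > \S+\.53: (?P<id>\d+)\+ A\? (?P<name>\S+)\. \(\d+\)$")
DNS_A_RE = re.compile(r"^\S+ IP \S+\.53 > \S+: (?P<id>\d+) \d+/\d+/\d+ (?P<rr>.*) \(\d+\)$")


def tcp_handshakes(capture: str, port: int = 22) -> dict:
    """Group TCP/<port> packets by (client, client_port, server) and record how
    many SYNs the client sent and whether a SYN-ACK ever came back."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False})
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if dport == str(port) and "S" in flags and "." not in flags:
            flows[(src, sport, dst)]["syn"] += 1        # client -> server: SYN
        elif sport == str(port) and "S" in flags and "." in flags:
            flows[(dst, dport, src)]["synack"] = True   # server -> client: SYN-ACK
    return dict(flows)


def unanswered_syns(capture: str, port: int = 22) -> list:
    """(client, server, syn_count) for flows whose SYNs never got a SYN-ACK:
    the signature of a firewall or ACL dropping TCP/<port> on the path."""
    return sorted(
        (client, server, f["syn"])
        for (client, _cport, server), f in tcp_handshakes(capture, port).items()
        if f["syn"] and not f["synack"]
    )


def dns_resolutions(capture: str) -> dict:
    """Pair A? queries with their answers by transaction id: name -> [addresses]."""
    pending, resolved = {}, defaultdict(list)
    for line in capture.splitlines():
        q = DNS_Q_RE.match(line)
        if q:
            pending[q.group("id")] = q.group("name")
            continue
        a = DNS_A_RE.match(line)
        if a and a.group("id") in pending:
            name = pending[a.group("id")]
            resolved[name].extend(re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", a.group("rr")))
    return dict(resolved)


if __name__ == "__main__":
    print("Resolved:", dns_resolutions(SAMPLE_CAPTURE))
    for client, server, n in unanswered_syns(SAMPLE_CAPTURE):
        print(f"{client} sent {n} SYN(s) to {server}:22 with no SYN-ACK: check the firewall/ACL path")
```

Run against a real capture, a node that shows up in the unanswered list together with a correct DNS answer points at the network path rather than at ISE itself, which is exactly the distinction this answer asks you to make before opening a TAC case.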
10-15-2025 01:58 AM - edited 10-15-2025 01:58 AM
Try editing and checking, or try a manual add:
vim ~/.ssh/known_hosts
Not sure you are able to access those folders; if not, then contact TAC.
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
10-20-2025 05:58 AM
You were right, there was a FW policy missing and also a misconfiguration of the server IP on the FW.
I also used these commands:
After setting up the FW correctly I was able to add the host_key.
Thank you very much.
11-25-2025 03:43 AM
The secondary nodes have no SSH host key yet.
Just SSH once from each failing node: ssh → accept the prompt → exit.
Then run crypto host_key add host serverrepo.company.com again and it works.
ISE doesn’t sync known_hosts, so you have to do it manually on every node. Takes 20 seconds each. Done!
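Whichever way the entry gets there (the crypto host_key add command, or a one-off SSH session as described in this reply), what each node ends up trusting is the fingerprint stored in its own known_hosts. The following added example (written for this page, not part of the thread or of ISE) shows how that OpenSSH-style SHA256 fingerprint is derived from a known_hosts line, so the value printed by ISE (the masked "RSA SHA256:..." line earlier in the thread) can be compared across nodes and against the fingerprint obtained out of band from the SFTP server administrator. The RSA parameters and the known_hosts text are constructed toy values, not a real key; the hostnames follow the thread.

```python
import base64
import hashlib
import hmac
import struct


# --- OpenSSH wire-format helpers (RFC 4251), used to build a toy ssh-rsa blob ---

def _ssh_string(data: bytes) -> bytes:
    """'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """'mpint': big-endian two's complement, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Serialize an ssh-rsa public key as it appears (base64) in known_hosts."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _plain_host(token: str) -> str:
    """'[host]:port' -> 'host'; plain tokens are returned unchanged."""
    return token[1:].split("]")[0] if token.startswith("[") else token


def parse_known_hosts(text: str):
    """Yield ([hosts], keytype, raw_blob) per plain entry. Hashed '|1|' entries
    cannot be matched by name and are skipped; '@' markers are dropped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            line = line.split(None, 1)[1]
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        hosts = [_plain_host(h) for h in fields[0].split(",")]
        yield hosts, fields[1], base64.b64decode(fields[2])


def find_host_key(text: str, host: str):
    """(keytype, fingerprint) for the first entry naming host, or None if not pinned."""
    for hosts, keytype, blob in parse_known_hosts(text):
        if host in hosts:
            return keytype, fingerprint_sha256(blob)
    return None


def verify_pinned_host_key(text: str, host: str, expected_fp: str) -> bool:
    """True only if host is pinned AND its fingerprint equals the out-of-band value."""
    found = find_host_key(text, host)
    return found is not None and hmac.compare_digest(found[1], expected_fp)


# Constructed sample: toy RSA parameters (NOT a real key) and a two-entry known_hosts.
TOY_E, TOY_N = 65537, 0xC0FFEE_DEADBEEF_FACEFEED_12345678_9ABCDEF0_CAFEBABE
TOY_BLOB = build_rsa_blob(TOY_E, TOY_N)
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "serverrepo.company.com,10.1.1.1 ssh-rsa " + base64.b64encode(TOY_BLOB).decode() + "\n"
    "[other.company.com]:2222 ssh-rsa " + base64.b64encode(build_rsa_blob(3, 0x1234567)).decode() + "\n"
)

if __name__ == "__main__":
    expected = fingerprint_sha256(TOY_BLOB)   # stands in for the value obtained out of band
    print("pinned:", find_host_key(SAMPLE_KNOWN_HOSTS, "serverrepo.company.com"))
    print("matches out-of-band fingerprint:",
          verify_pinned_host_key(SAMPLE_KNOWN_HOSTS, "serverrepo.company.com", expected))
```

The comparison is done on the fingerprint rather than on the raw base64 blob only for readability; comparing the full key is equivalent and stricter. Because ISE keeps a separate known_hosts per node, running the same check on each node with the same expected value is how you confirm that the "accept the prompt" step pinned the genuine repository key everywhere and not a different one on some node.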