cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
643
Views
3
Helpful
20
Replies

Backup tp SCP Undefined Error

hs08
Spotlight
Spotlight

Hello,

From many of my cisco switch & router, there are 2 devices have below error while backup to the SCP. Anyone know why?

hs08_1-1728453811402.png

 

 

20 Replies 20

marce1000
VIP
VIP

 

   - Check if these devices can reach the intended SCP server, (try to ping it from those 2 devices) , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

yes can reach, i can copy to same server using TFTP. I believe there is encryption mismatch between the device and the SCP application.

Got this message in the log

No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

Ok @hs08 

You can check what ciphers your device supports with #sh ip ssh command.

 If your device supports modern ciphers (such as CTR or GCM), you can configure it to use those instead of the older CBC ciphers. Use the following command to change the SSH cipher list:

 

 
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
 
 
This will configure the device to use CTR mode ciphers, which should match the SCP server’s supported ciphers.

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Here the chippers in the devices

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDB7XGGx+SgHJDQLug6wn5UUci1a4wpj7F9Bp5iRsnJ
wmx+ov8wa7nM4AIIwbdSMOWm6qE6pYonDVF5ed8lBvT7RCaQjR53airgMFXF90k9g/ml92/s8uPYxZII
PtFb+PZFBTfhNlhjCAcEC5Tt4jWAAhi1F00nQ51y3IvJA7Aap

also no ip ssh server command in the device.

 

 

Ok @hs08 

Your Cisco device is attempting to use older, less secure CBC ciphers (e.g., aes128-cbc, 3des-cbc), while the SCP server only supports more modern ciphers like CTR (aes128-ctr, aes256-ctr) and GCM (aes128-gcm@openssh.com, aes256-gcm@openssh.com).

What is the platform model ? the IOS version ? Thanks.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

the devices is WS-C3750E-48TD with OS version 15.0(2)SE4

Thanks @hs08 

Older Cisco devices and software versions (like 15.0(2)SE4) often only support legacy cryptographic algorithms, which can lead to compatibility issues with newer SCP servers that have deprecated CBC ciphers due to known vulnerabilities (such as the CBC mode padding oracle attacks).

For instance, upgrading to 15.2(x) or a later version may resolve the issue, as newer versions have updated SSH and SCP implementations with support for stronger encryption...

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Will try to request downtime for upgrade the IOS. Thanks

M02@rt37
VIP
VIP

Hello @hs08 

Config SSH source IP @:

On EXT-CORE add under config-t ip ssh source-interface X command.

Also double-check the file permissions on the destination directory where you're attempting to write the file. Make sure the user has write permissions for the target directory...

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Still get same error even after adding that command. If i switch using TFTP the backup is successful.


Router# debug ip scp

 

this issue I think of auth run debug ip scp let us check 

MHM 

The debug say

No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

It answer your Q then

The server use gcm and your SW not support these cipher' try add more cipher in server.

MHM

unfortunately in the SCP application we not able to add or change the chiper.

Review Cisco Networking for a $25 gift card