Backup to SCP Undefined Error

hs08
Spotlight

Hello,

Among my many Cisco switches and routers, there are 2 devices that have the error below while backing up to the SCP. Does anyone know why?

hs08_1-1728453811402.png


marce1000
VIP

 

 - Check if these devices can reach the intended SCP server (try to ping it from those 2 devices).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, they can reach it; I can copy to the same server using TFTP. I believe there is an encryption mismatch between the device and the SCP application.

Got this message in the log

No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

Ok @hs08 

You can check what ciphers your device supports with the #sh ip ssh command.

If your device supports modern ciphers (such as CTR or GCM), you can configure it to use those instead of the older CBC ciphers. Use the following command to change the SSH cipher list:

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr

This will configure the device to use CTR mode ciphers, which should match the SCP server’s supported ciphers.

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Here are the ciphers in the devices

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDB7XGGx+SgHJDQLug6wn5UUci1a4wpj7F9Bp5iRsnJ
wmx+ov8wa7nM4AIIwbdSMOWm6qE6pYonDVF5ed8lBvT7RCaQjR53airgMFXF90k9g/ml92/s8uPYxZII
PtFb+PZFBTfhNlhjCAcEC5Tt4jWAAhi1F00nQ51y3IvJA7Aap

Also, there is no ip ssh server command in the device.

 

 

Ok @hs08 

Your Cisco device is attempting to use older, less secure CBC ciphers (e.g., aes128-cbc, 3des-cbc), while the SCP server only supports more modern ciphers like CTR (aes128-ctr, aes256-ctr) and GCM (aes128-gcm@openssh.com, aes256-gcm@openssh.com).

What is the platform model? The IOS version? Thanks.

 

Best regards

The devices are WS-C3750E-48TD with OS version 15.0(2)SE4.

Thanks @hs08 

Older Cisco devices and software versions (like 15.0(2)SE4) often only support legacy cryptographic algorithms, which can lead to compatibility issues with newer SCP servers that have deprecated CBC ciphers due to known vulnerabilities (such as the CBC mode padding oracle attacks).

For instance, upgrading to 15.2(x) or a later version may resolve the issue, as newer versions have updated SSH and SCP implementations with support for stronger encryption...

 

Best regards

Will try to request downtime to upgrade the IOS. Thanks.

M02@rt37
VIP

Hello @hs08 

Config SSH source IP @:

On EXT-CORE, add the ip ssh source-interface X command under config-t.

Also double-check the file permissions on the destination directory where you're attempting to write the file. Make sure the user has write permissions for the target directory...

 

 

Best regards

Still get the same error even after adding that command. If I switch to using TFTP, the backup is successful.


Router# debug ip scp

 

I think this issue is with auth; run debug ip scp and let us check.

MHM 

The debug says

No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

It answers your Q then

The server uses GCM and your SW does not support these ciphers; try adding more ciphers on the server.

MHM

Unfortunately, in the SCP application we are not able to add or change the cipher.
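
As an added example (not part of the thread and not any poster's code): a Python sketch that parses the "No matching cipher found" line quoted above and applies the SSH selection rule from RFC 4253 section 7.1 (the first cipher on the client's list that the server also offers) to show why the negotiation fails. The function names and the constructed client list are assumptions made for illustration.

```python
import re

# Format of the server-side message quoted in the thread.
LINE_RE = re.compile(
    r"No matching (?P<kind>[\w ]+?) found:\s*"
    r"client (?P<client>\S+)\s+server (?P<server>\S+)"
)

def parse_mismatch(line):
    """Return the algorithm kind and both ordered proposal lists, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"kind": m["kind"],
            "client": m["client"].split(","),
            "server": m["server"].split(",")}

def negotiate(client, server):
    """RFC 4253 sec. 7.1: pick the first client algorithm the server also lists."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def mode(alg):
    """Classify a cipher name by its mode suffix, ignoring any @vendor part."""
    name = alg.split("@", 1)[0]
    for tag in ("cbc", "ctr", "gcm", "poly1305"):
        if name.endswith(tag):
            return tag
    return "other"

def diagnose(line):
    """Summarise one mismatch line: negotiated result and modes seen per side."""
    p = parse_mismatch(line)
    if p is None:
        return None
    return {"kind": p["kind"],
            "chosen": negotiate(p["client"], p["server"]),
            "client_modes": sorted({mode(a) for a in p["client"]}),
            "server_modes": sorted({mode(a) for a in p["server"]})}

# Log line copied from the thread.
THREAD_LINE = ("No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc "
               "server aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,"
               "aes128-gcm@openssh.com,aes256-gcm@openssh.com")
# Constructed client proposal (not from the thread): a client that also offers CTR.
CONSTRUCTED_CLIENT = ["aes128-cbc", "aes128-ctr", "aes256-ctr"]

if __name__ == "__main__":
    print(diagnose(THREAD_LINE))
    print(negotiate(CONSTRUCTED_CLIENT, parse_mismatch(THREAD_LINE)["server"]))
```
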
