
Prime Infrastructure 3.0 and SFTP repository

rriveraa
Cisco Employee

Hello everybody:

I am trying to set a backup on PI 3.0 using SFTP repository, however I am getting the following error when checking the repository:

cpi02-to3-corp/admin# show repository SFTP
6 [6637]: transfer: cars_xfer.c[201] [admin]: sftp dir of repository SFTP requested
6 [6637]: transfer: cars_xfer_util.c[2089] [admin]: resolved server to 10.1.31.121
3 [6637]: transfer: cars_xfer_util.c[2105] [admin]: libssh2 session startup failed
% SSH session setup error

The repository configuration is the following:

repository SFTP
  url  sftp://10.1.31.121/cpi-backups//
  user cpisftp password hash 3c6189f3c5eef5e3d657adb2c28886c887a714ea
repository defaultRepo
  url disk:/defaultRepo

I log in to the SFTP server manually, and the password is less than 17 characters with no special characters:

ade # sftp -c aes256-cbc cpisftp@10.1.31.121:cpi-backups
cpisftp@10.1.31.121's password:
Connected to 10.1.31.121.
Changing to: /cpi-backups

I found the following in the SFTP server logs:

Sep 23 08:34:11 ossftp1-to5-corp sshd[11890]: fatal: no matching cipher found: client blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc

I have been looking through the Prime documentation, but there is no information about the ciphers that Prime needs to have configured.

I suspect PI needs specific ciphers in order to communicate with the SFTP server. Has anybody seen this behavior? Is it a bug? Please let me know if you have any recommendation or suggestion.

Thank you.

Rose
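
As an added illustration (not part of the original post, and not Cisco code), the following Python parses the sshd line quoted above and shows that the two cipher lists do not intersect, while the `-c aes256-cbc` used in the manual test is on the server's list. The function names and the legacy-cipher heuristic are assumptions made for this example.

```python
import re

# Log line copied from the post above (the SFTP server's sshd log).
SAMPLE = (
    "Sep 23 08:34:11 ossftp1-to5-corp sshd[11890]: fatal: no matching cipher found: "
    "client blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc "
    "server aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc"
)
MANUAL_TEST_CIPHER = "aes256-cbc"  # from the post's `sftp -c aes256-cbc` command

MISMATCH = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: no matching cipher found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def is_legacy(cipher):
    """Assumed heuristic for this example: CBC-mode and RC4 (arcfour) names."""
    return cipher.endswith("-cbc") or cipher.startswith("arcfour")

def parse_cipher_mismatch(line):
    """Return the client/server cipher lists from an sshd mismatch line, or None."""
    m = MISMATCH.search(line)
    if m is None:
        return None
    return {
        "pid": int(m.group("pid")),
        "client": m.group("client").split(","),
        "server": m.group("server").split(","),
    }

def diagnose(line, forced_cipher=None):
    """Summarise why negotiation failed and what each side would have to change."""
    info = parse_cipher_mismatch(line)
    if info is None:
        return None
    client, server = info["client"], info["server"]
    return {
        "common": [c for c in client if c in server],
        "client_all_legacy": all(is_legacy(c) for c in client),
        "server_legacy": [c for c in server if is_legacy(c)],
        "forced_cipher_accepted": forced_cipher in server if forced_cipher else None,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE, MANUAL_TEST_CIPHER).items():
        print(f"{key}: {value}")
```
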

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

@Afroz

In this case, the PI server is the ssh client. I believe we also had this issue when connecting PI to ISE due to cipher mismatch. I thought it was fixed in PI 3.0 but it may have been 3.1.

rriveraa,

You could try lowering the accepted cipher strength server-side or possibly bring your PI up to the latest version (3.1.3 as of right now).


4 Replies

AFROJ AHMAD
Cisco Employee

Hi Rose,

Yes, it is a bug.

CSCun41202 Weak CBC mode and weak ciphers should be disabled in SSH server
Workaround:
Reconfigure any SSH clients not to use weak ciphers like 3des-cbc or blowfish-cbc.
DCNM uses SSH to manage Cisco devices and must be upgraded to at least Cisco NX-OS 7.2(1) to work with devices with this fix.
Thanks-
Afroz

Thanks for including the bug, I appreciate it.

rriveraa
Cisco Employee

Thank you so much for your answer. I am using PI version 3.0; I will try with 3.1.3.