Prime Infrastructure 3.0 and SFTP repository

rriveraa
Cisco Employee

Hello everybody:

I am trying to set a backup on PI 3.0 using SFTP repository, however I am getting the following error when checking the repository:

cpi02-to3-corp/admin# show repository SFTP
6 [6637]: transfer: cars_xfer.c[201] [admin]: sftp dir of repository SFTP requested
6 [6637]: transfer: cars_xfer_util.c[2089] [admin]: resolved server to 10.1.31.121
3 [6637]: transfer: cars_xfer_util.c[2105] [admin]: libssh2 session startup failed
% SSH session setup error

The repository configuration is the following:

repository SFTP
  url  sftp://10.1.31.121/cpi-backups//
  user cpisftp password hash 3c6189f3c5eef5e3d657adb2c28886c887a714ea
repository defaultRepo
  url disk:/defaultRepo

I log in to the SFTP server manually and the password is less than 17 characters with no special characters:

ade # sftp -c aes256-cbc cpisftp@10.1.31.121:cpi-backups
cpisftp@10.1.31.121's password:
Connected to 10.1.31.121.
Changing to: /cpi-backups

I found the following in the SFTP server logs:

Sep 23 08:34:11 ossftp1-to5-corp sshd[11890]: fatal: no matching cipher found: client blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc

I have been looking for the Prime documentation but there is no information about the ciphers that Prime needs to be configured.

I am suspecting PI needs specific ciphers in order to communicate with SFTP server. Has anybody seen this behavior? Is it a bug? Please let me know if you have any recommendation or suggestion.

Thank you.

Rose
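
The sshd log line quoted in the post above already carries both sides' cipher offers. As an added example (not part of the original post and not Cisco code), this Python script parses that message format and reports the overlap between client and server; the weakness labels are a name-based heuristic assumed here.

```python
import re

# Constructed input: the sshd log line quoted in the post above.
SAMPLE = ("Sep 23 08:34:11 ossftp1-to5-corp sshd[11890]: fatal: no matching "
          "cipher found: client blowfish-cbc,arcfour128,arcfour,cast128-cbc,"
          "3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc")

# Matches only the message format shown on this page.
PATTERN = re.compile(r"no matching cipher found: client (\S+) server (\S+)")


def weakness(cipher):
    """Return why a cipher name is considered weak, or None (heuristic)."""
    if cipher.startswith("arcfour"):
        return "RC4 stream cipher"
    if cipher.endswith("-cbc"):
        return "CBC mode"
    return None


def diagnose(line):
    """Parse a cipher-negotiation failure and summarize both offers."""
    m = PATTERN.search(line)
    if m is None:
        return None
    client, server = (side.split(",") for side in m.groups())
    return {
        "client": client,
        "server": server,
        # Ciphers both sides offer, in client preference order.
        "common": [c for c in client if c in server],
        # Client ciphers with no flagged weakness; an empty list means the
        # server could only interoperate by enabling a weak cipher.
        "client_strong": [c for c in client if weakness(c) is None],
        "server_weak": {c: weakness(c) for c in server if weakness(c)},
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty `common` list confirms the negotiation failure, and an empty `client_strong` list shows that every cipher this client offered is CBC or RC4 based.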

1 Accepted Solution

Marvin Rhoads
Hall of Fame

@Afroz

In this case, the PI server is the ssh client. I believe we also had this issue when connecting PI to ISE due to cipher mismatch. I thought it was fixed in PI 3.0 but it may have been 3.1.

rriveraa,

You could try lowering the accepted cipher strength server-side or possibly bring your PI up to the latest version (3.1.3 as of right now).

4 Replies

AFROJ AHMAD
Cisco Employee

Hi Rose,

Yes, it is a BUG.

CSCun41202 Weak CBC mode and weak ciphers should be disabled in SSH server
Workaround:
Reconfigure any SSH clients not to use weak ciphers like 3des-cbc or blowfish-cbc.
DCNM uses SSH to manage Cisco devices and must be upgraded to at least Cisco NX-OS 7.2(1) to work with devices with this fix.
Thanks-
Afroz

Thanks for including the bug, I appreciate it.

rriveraa
Cisco Employee

Thank you so much for your answer, I am using PI version 3.0, I will try with 3.1.3.
